Missing ACL enable/disable in QuickSet

Owner of hAP ac lite for a long time. OS 6.49.x. Used ACL to filter clients by MAC address.
Recently purchased hAP ax3, OS 7.8. I do not see the check box ‘User Access List (ACL)’ on the ‘Quick Set’ page on hAP ax3.
How can I enable/disable ACL on my new hAP ax3?
Any command for terminal.

The access-list of MAC addresses itself was copied from old router /interface/wireless/access-list to new router /interface/wifiwave2/access-list

Forget QuickSet if you set anything without it. Go WinBox.

The value in quickset is to be able to select the generic mode of wifi the router applies, after that, don't visit quick set again.

How can I enable/disable ACL on my new hAP ax3?

Go to Wireless menu, then click Access List tab

Sure I was there and as mentioned before added all MACs to white list, dozens of MAC addresses.

The access-list of MAC addresses itself was copied from old router /interface/wireless/access-list to new router /interface/wifiwave2/access-list

My question was: how enable/disable ACL?
In v6.x I could: enable ACL - and from that moment only devices with MAC/accept from white list had access. I could disable ACL - and anyone could connect to the router, so the access list was ignored.

Now in 7.8, with checkbox missing on Quick Set page, I cannot enable and disable ACL.
Current state of ACL list equals to ‘disabled’ of v6.x. Anyone can connect unless I manually add MAC to access list and set action to ‘reject’ - but this is BLACK list, not what I want.

I want current state of ACL be equal to ‘enabled’ of v6.x - So, only devices with MAC address in access-list with action set to ‘accept’ could connect.

This is managed by the setting “Default authenticate” in your wireless interface settings. When there is no checkmark there, the user is only allowed depending on the accesslist or the setup of the security profile.
When you have multiple access points and are copying the access list between them, have a look at the possibility of user manager combined with mac authentication.
You can set your security profile to use mac authentication via RADIUS, then have user manager on one of your devices and add a user named as the MAC address, and you need to manage it only in one place.

Unfortunately I do not see it either in web interface or in winbox.
Looks like it belongs to Interface/Wireless (https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless), but in routeros 7.8 I have wifiwave2 package instead.

If I’m wrong can you please provide exact path in menu to it. Or maybe it is accessible in command line?

The OP has a point.
There is an ACCESS LIST Tab on wifi wave 2 and that seems to be to enter in each item individually with some ability to assign radius and other things…
HOWEVER, there is no single TAB or entry that would allow DISABLE all access list or ENABLE all access list.
Further, I don't see the access list as an option or pull-down in any of the other WIFIWAVE2 menu selections.

Perhaps I am also blind but certainly looks like some missing items here? Also using 7.8rc3 vice stable version so maybe why?

wifiwave2 is new and is not complete yet… maybe that is the reason?
maybe you should use the “mac authentication” in “security profile” method… (combined with user manager)

Maybe they should assign more resources at MT to finish products instead of releasing them as beta software or at least produce a transparent road map for completion of feature sets.

It’s beyond a QuickSet bug. I tested this with an ax3, with v7.8 stable, and yeah I have no idea how to make this work. I’m not sure how you define a “deny rest” or some “use MAC auth” someplace. Certainly running user-manager may avoid but that not exactly trivial. And nothing is documented here.

I don’t use MAC auth, but it’s a thing, and functionality being lost by “upgrading” is annoying.

Maybe it’s possible, but ain’t just:

Yup everything is ‘EASY’ and works like a “CHARM” in wifiwave2 lala land.

Don’t get me wrong, I would love to eat crow or humble pie and be made to look the fool, if the AXseries and wifiwave2 hummed along like a well oiled machine and a config path process was promulgated that was usable and documentation explained the large number of variables and parameters presented. I would even drink Latvian beer…

As a possible solution I’d accept this: add new access list item that had MAC mask that match all MAC addresses - and set action to ‘reject’.
And I’d moved it to the bottom of the list.

I tried ‘FF:FF…FF’ both in MAC and MAC address mask fields of access list. But did not work for me.
Also tried ‘00:00…00’ - but this value was either rejected or ignored by different GUIs.

Did anyone use masks in access list?
Any hint ?

I didn’t think this would work myself. But the docs, sorta, give some clues.
https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-MACaddressauthentication

Apparently you have to just ignore the reference to “query-radius” under the “MAC Authentication” when reading the docs. And apparently reject just needs to match something, but the defaults don’t match anything, so a “reject” alone doesn’t just work. So if you extrapolate from the “print” (not “export”) in the “examples”, they use a “signal-range” which gives the reject something to match on.

So adding this at the end will cause it to use the whitelisted MAC’s above it in the access-list (and presumably added via QuickSet “Copy to ACL” PREVIOUSLY* to adding this rule).

/interface/wifiwave2/access-list/add action=reject disabled=no signal-range=0..-120 time=0s-0s

*You can’t go back to QuickSet and use “Copy to ACL” after adding that “reject”. The “Copy to ACL” stuff becomes grey’ed out, so you can’t use QuickSet to add new items to the whitelist, if the rules flagged them as rejected.

But I’m pretty sure in V6, there was a Use ACL and the “Copy to ACL” stuff worked fine – this was one area of QuickSet that was SAFE to use multiple times since the ACL buttons just modified the Wi-Fi access-list, but the rest of config is unaffected by doing ACL stuff.

Tried this

Does not work for me :(
I mean - the rule was added successfully but any device with any MAC still can connect

Did you remove any existing ones from the “Registered” section? Once it was connected, it’s remembered.

Perhaps mess with the time? Maybe try 0s-1d as the time.

Or reverse the range, -120..0?

Note: I set these using winbox, then did an export. Perhaps something isn’t translated right in export…

There was no need in it. Once I switched Wifi OFF on the device, its MAC disappeared from Registration table.
Switched wifi ON - immediately connected.
Changing ‘time’ did not help.

but changing the range to -120..00 worked !!!

So, the final solution is

/interface/wifiwave2/access-list/add action=reject disabled=no signal-range=-120..0

Thank you a lot!!

Tried it again, from another device and it did get in. I changed the time 0s-1d (no signal) and that worked. Rebooted, and that was still blocked. Maybe it doesn’t have any signal during the match, I have no idea…

But this seems buggy, beyond just QuickSet part, you should file it as a bug at help.mikrotik.com. You were told

and you did ;).

Even that the docs suck on this topic is a worthy bug IMO.

yeah I think the key is something has to match for the reject to work. And I did have those backwards in my first example…
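
A check for the whitelist layout this thread converged on (accept entries per MAC, then one catch-all reject at the bottom), added here as an example and not taken from any poster or from MikroTik. It parses an exported access-list and reports the failure modes seen above: no trailing reject, a reject with nothing to match on, and a signal-range written high..low. The export text and MAC addresses are constructed, the function names are hypothetical, and it assumes entries are evaluated top to bottom with the first match winning.

```python
import re

# Constructed sample shaped like a RouterOS 7 export; the MAC addresses are made up.
SAMPLE_EXPORT = """\
/interface wifiwave2 access-list
add action=accept mac-address=02:00:00:AA:BB:01
add action=accept mac-address=02:00:00:AA:BB:02
add action=reject signal-range=-120..0
"""

def parse_rules(export_text):
    """Return enabled access-list entries as dicts, in list order."""
    rules, in_section = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Accept both "/interface wifiwave2 access-list" and the slash form.
            in_section = line.replace("/", " ").split() == ["interface", "wifiwave2", "access-list"]
        elif in_section and line.startswith("add "):
            rule = dict(re.findall(r"([\w-]+)=(\S+)", line))
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def is_catch_all_reject(rule):
    return rule.get("action") == "reject" and "mac-address" not in rule

def audit(rules):
    """Return reasons the list is not a working whitelist (empty list means OK)."""
    if not rules or not is_catch_all_reject(rules[-1]):
        return ["last entry is not a catch-all reject: unlisted MACs can still connect"]
    problems, last = [], rules[-1]
    rng = re.fullmatch(r"(-?\d+)\.\.(-?\d+)", last.get("signal-range", ""))
    if rng and int(rng.group(1)) > int(rng.group(2)):
        problems.append("signal-range is written high..low; the thread only saw low..high (-120..0) reject")
    if not rng and "time" not in last:
        problems.append("reject has no signal-range or time, so per the thread it matches nothing")
    for pos, rule in enumerate(rules[:-1]):
        if is_catch_all_reject(rule):
            problems.append(f"entry {pos} rejects every client before the entries below it are checked")
    if not any(r.get("action") == "accept" and "mac-address" in r for r in rules[:-1]):
        problems.append("no accept entries above the reject: every client is locked out")
    return problems

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE_EXPORT)) or "whitelist OK")
```

An empty result only means the list has the shape that worked in this thread; confirm on the device by connecting with a MAC that is not in the list.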