I did write "good enough against beginners".
Yes, and I quoted it, so I got that point in your answer. What I wanted to get across here is that your threshold for "beginner" probably stops at about seven years old for some attackers. If I had a WAP in the OP's situation, I wouldn't consider MAC address checking any solution at all.
I don't think we should even talk about MAC address matching any more, except to deprecate it. I think we've got too many old hands here who remember the days when changing a MAC address required blowing a new EPROM and soldering it in place on the NIC in place of the old one. That stopped being the major impediment to changing a host's MAC address decades ago. Today, the MAC address setting's right there in the OS's network configuration GUI!
Mind, I'm not saying remembering how it used to be is the problem. It's designing our security as if those obsolete facts still obtained.
You don't even have to sniff the port to break MAC address matching as a security method. You look at the label on the WAP, find it's a MikroTik device, go to an Ethernet OUI tool, faff about for a bit to work out that Mikrotik registers their MAC perfixes under "Routerboard.com", find the 14 MAC prefixes registered to Routerboard.com, and write a loop to try all 235 million possible MAC addresses. At a million packets per second (easy for a computer) you'll find the right MAC in under 5 minutes.
If you're really clever, you try them in reverse order, gambling that recent hardware will have one of the later MAC address prefixes, likely breaking it in under a minute.