WeWiNet
Long time Member
Topic Author
Posts: 591
Joined: Thu Sep 27, 2018 4:11 pm

7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Tue Mar 08, 2022 9:57 am

Not sure this is the right place to put this, but there is no Wifiwave2 dedicated section in the forum (which I don't understand).

In ROS6 this is working. In ROS 7 it's even more important, as default authenticate is the normal mode of operation and cannot be disabled!

So I want one rule to reject all MAC addresses (make sure only devices with a dedicated entry can access),
then one rule to allow individual devices.
The example below has the other benefit of forcing 5G-capable clients to use the 5G Wifi interface.
/interface wifiwave2 access-list
add action=reject comment="Force devices to use 5G" disabled=no interface=Wifi_phone_if_2G
add action=accept comment="Allow old chromecast to use 2G" disabled=no interface=Wifi_phone_if_2G mac-address=12:34:56:78:9A:BC 

The log shows this is not working and keeps rejecting the client:
12:34:56:78:9A:BC@Wifi_phone_if_2G authentication rejected, forbidden by access-list


Is this expected or a bug?
How to make a wifiwave2 interface to "not authenticate by default"?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Tue Mar 08, 2022 10:58 am

Try swapping the order of entries in the access list; in ROS the order of rules usually matters, as they are evaluated from top to bottom.
 
WeWiNet
Long time Member
Topic Author
Posts: 591
Joined: Thu Sep 27, 2018 4:11 pm

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Tue Mar 08, 2022 12:02 pm

> Try swapping the order of entries in the access list; in ROS the order of rules usually matters, as they are evaluated from top to bottom.

Thanks for the hints.
- The Winbox Wifiwave2 tab has no "numbers", so you cannot move rules up or down for now, nor can you see the order :-(
- In the classic wifi package, there is no reject; each rule is considered to allow either "access" or not (but not reject).
You can put any rule in any order and all will be worked down... and eventually one rule allows access...
- As there is no "default NOT authenticate" wifi interface setting anymore, you need to have a "reject all" rule...

It seems now access rules do work like "firewall", working down from first to last, and need to consider order.

Finally, as you always have good advice, I checked in terminal -> print the order.
Indeed the reject rule was before the accept (again, you do not see this in winbox).
I deleted the reject rule and re-created it, which adds it at the end, and it works now.

Basically the bug is: missing access-rule numbers in Winbox need to be added in Winbox for wifiwave2,
else each time you add a rule, you will need to delete and recreate the reject rule to make sure it is at the end...
Also, with 20+ rules it gets hard to review them via CLI, using print each time...
 
lelmus
newbie
Posts: 28
Joined: Wed Oct 17, 2012 5:50 am

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Tue Mar 08, 2022 6:57 pm

Yeah, wifiwave2 is very different and needs a different approach. I too thought it was broken because there is no order any more, but it's not broken and there is an explanation in the help docs, but it's still just confusing. I will give you an example here of it working on my RB4011. I'm not sure if this will do what you want with 2.4GHz and 5GHz, but you can play with it and try. I think it's best to give devices that you want to force onto 2.4GHz or 5GHz their own SSID.

Here is the help doc if you have more questions. https://help.mikrotik.com/docs/display/ROS/WifiWave2

Before we start I need to make sure you understand the Whitelist vs Blacklist terminology. Blacklist = block each mac and allow the rest, Whitelist = allow each mac and block the rest.

We will look at the Whitelist example:

/interface wifiwave2 access-list

add action=accept allow-signal-out-of-range=5m comment="MY IPAD 1" \
disabled=no mac-address=94:E4:54:11:22:33 mac-address-mask=\
FF:FF:FF:FF:FF:FF signal-range=-120..120 ssid-regexp="MYSSID"

add action=accept allow-signal-out-of-range=5m comment="MY IPAD 2" \
disabled=no mac-address=94:E4:54:11:22:44 mac-address-mask=\
FF:FF:FF:FF:FF:FF signal-range=-120..120 ssid-regexp="MYSSID"

add action=reject comment="REJECT" disabled=no ssid-regexp="MYSSID"
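
The ordering problem worked out in the posts above, as an added example that is not part of any post or of MikroTik's code: a small Python model of first-match evaluation that parses exported rules and flags rules made unreachable by an earlier, broader rule. It models only the interface and MAC/mask conditions; the mask comparison, the default mask and the default action are assumptions of this sketch.

```python
import shlex
META = {"action", "comment", "disabled"}  # keys that are not match conditions

def parse_rules(export_text):
    """Parse 'add key=value ...' lines of an access-list export, keeping order."""
    rules = []
    for line in export_text.replace("\\\n", "").splitlines():  # join continuations
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def _mac(value):
    return int(value.replace(":", ""), 16)

def matches(rule, interface, mac):
    """Model only the interface and MAC/mask conditions (a simplification)."""
    if rule.get("disabled") == "yes" or rule.get("interface", interface) != interface:
        return False
    if "mac-address" in rule:
        mask = _mac(rule.get("mac-address-mask", "FF:FF:FF:FF:FF:FF"))
        return _mac(mac) & mask == _mac(rule["mac-address"]) & mask
    return True

def decide(rules, interface, mac):
    """First matching rule wins; a client that matches no rule is not rejected."""
    for i, rule in enumerate(rules):
        if matches(rule, interface, mac):
            return i, rule.get("action", "accept")  # assumed default action
    return None, "accept"

def shadowed(rules):
    """(later, earlier) index pairs where the later rule can never be reached."""
    active = [(i, {k: v for k, v in r.items() if k not in META})
              for i, r in enumerate(rules) if r.get("disabled") != "yes"]
    # If the earlier rule's conditions are a subset of the later rule's,
    # every client the later rule would match is caught by the earlier one.
    return [(j, i) for n, (i, a) in enumerate(active)
            for j, b in active[n + 1:] if a.items() <= b.items()]

# The two rules from the first post: in the order that failed, then swapped.
BROKEN = parse_rules('''
/interface wifiwave2 access-list
add action=reject comment="Force devices to use 5G" disabled=no interface=Wifi_phone_if_2G
add action=accept comment="Allow old chromecast to use 2G" disabled=no interface=Wifi_phone_if_2G mac-address=12:34:56:78:9A:BC
''')
FIXED = BROKEN[::-1]
if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, decide(rules, "Wifi_phone_if_2G", "12:34:56:78:9A:BC"), shadowed(rules))
```

Running `shadowed()` over the text of an `/interface wifiwave2 access-list export` after every change gives the ordering check that the Winbox tab described above does not show.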
 
iriseth
just joined
Posts: 10
Joined: Sat Feb 18, 2023 5:21 am

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Sat Feb 18, 2023 5:48 am

Actually it's not working for me at all. Trying to add an individual passphrase for each device based on MAC address, but authentication fails with any other passphrase than the default (configured in wireless security).
 
iriseth
just joined
Posts: 10
Joined: Sat Feb 18, 2023 5:21 am

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Sat Feb 18, 2023 5:55 am

My config is here:

[iriseth@Bray] /interface/wifiwave2/actual-configuration> print
0 name="wifi1" mac-address=XX:XX:XX:XX:XX:XX arp-timeout=auto radio-mac=XX:XX:XX:XX:XX
configuration.mode=ap .ssid="NASSAU" .country=Ireland
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .passphrase="*******" .wps=disable
channel.frequency=5180,5260,5500 .width=20/40/80mhz

1 name="wifi2" mac-address=48:A9:8A:0B:08:28 arp-timeout=auto radio-mac=48:A9:8A:0B:08:28
configuration.mode=ap .ssid="MALDIVES" .country=Ireland
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .passphrase="*********" .wps=disable
channel.frequency=2412,2432,2472 .width=20mhz

[iriseth@Bray] /interface/wifiwave2/actual-configuration> /interface/wifiwave2/security/print
Flags: X - disabled
0 name="auth-24GHz" authentication-types=wpa2-psk,wpa3-psk encryption=ccmp,gcmp,ccmp-256,gcmp-256 passphrase="*********" wps=disable

1 name="auth-5GHz" authentication-types=wpa2-psk,wpa3-psk encryption=ccmp,gcmp,ccmp-256,gcmp-256 passphrase="*********" wps=disable
[iriseth@Bray] /interface/wifiwave2/actual-configuration> /interface/wifiwave2/channel/print
Flags: X - disabled
0 name="ch-5ghz" frequency=2412,2432,2472 width=20mhz

1 name="ch-2ghz" frequency=5180,5260,5500 width=20/40/80mhz

[iriseth@Bray] /interface/wifiwave2> access-list/print
Columns: INTERFACE, MAC-ADDRESS, MAC-ADDRESS-MASK, ACTION
# INTERFACE MAC-ADDRESS MAC-ADDRESS-MASK ACTION
;;; reject all on wifi1
0 wifi1 reject
;;; MACBOOK-NASSAU
1 wifi1 XX:XX:XX:XX:XX:XX FF:FF:FF:FF:FF:FF accept
[iriseth@Bray] /interface/wifiwave2>

Not sure what I'm missing, but it seems the access list is not processed at all.
Any help appreciated.
 
tinodj
just joined
Posts: 22
Joined: Fri Oct 05, 2018 4:04 pm

Re: 7.2rc4 Wifiwave2 Access List multiple rules on interface not working

Thu Oct 05, 2023 8:46 pm

Make sure to give:

access-list/print detail

We need details. If you are using the GUI (Winbox, WebFig), it might be adding a time parameter (in my case), and that makes it not work. You need to delete the time parameter in the rule after each edit (and on create).
