Missing ACL enable/disable in QuickSet

ustas · Wed Mar 22, 2023 11:44 pm

Owner of hAP ac lite for a long time. OS 6.49.x. Used ACL to filter clients by MAC address.
Recently purchased hAP ax3, OS 7.8. I do not see the check box 'User Access List (ACL)' on the 'Quick Set' page on hAP ax3.
How can I enable/disable ACL on my new hAP ax3?
Any command for terminal.

The access-list of MAC addresses itself was copied from old router /interface/wireless/access-list to new router /interface/wifiwave2/access-list

Thu Mar 23, 2023 9:48 am

Forget QuickSet if you set anything without it. Go WinBox.

anav · Thu Mar 23, 2023 12:48 pm

The value in quickset is to be able to select the generic mode of wifi the router applies, after that, dont visit quick set again.

ustas · Thu Mar 23, 2023 1:49 pm

Forget QuickSet if you set anything without it. Go WinBox.

How can I enable/disable ACL on my new hAP ax3?

Thu Mar 23, 2023 2:33 pm

Go to Wireless menu, then click Access List tab

ustas · Thu Mar 23, 2023 6:58 pm

Go to Wireless menu, then click Access List tab

Sure I was there and as mentioned before added all MACs to white list, dozens of MAC addresses.

The access-list of MAC addresses itself was copied from old router /interface/wireless/access-list to new router /interface/wifiwave2/access-list

My question was: how enable/disable ACL?
In v6.x I could: enable ACL - and from that moment only devices with MAC/accept from while list had access. I could disable ACL - and anyone could connect to the router, so the access list was ignored.

Now in 7.8, with checkbox missing on Quick Set page, I cannot enable and disable ACL.
Current state of ACL list equals to 'disabled' of v6.x. Anyone can connect unless I manually add MAC to access list and set action to 'reject' - but this is BLACK list, not what I want.

I want current state of ACL be equal to 'enabled' of v6.x - So, only devices with MAC address in access-list with action set to 'accept' could connect.

pe1chl · Thu Mar 23, 2023 7:11 pm

My question was: how enable/disable ACL?
In v6.x I could: enable ACL - and from that moment only devices with MAC/accept from while list had access. I could disable ACL - and anyone could connect to the router, so the access list was ignored.

Now in 7.8, with checkbox missing on Quick Set page, I cannot enable and disable ACL.
Current state of ACL list equals to 'disabled' of v6.x. Anyone can connect unless I manually add MAC to access list and set action to 'reject' - but this is BLACK list, not what I want.

This is managed by the setting "Default authenticate" in your wireless interface settings. When there is no checkmark there, the user is only allowed depending on the accesslist or the setup of the security profile.
When you have multiple access points and are copying the access list between them, have a look at the possibility of user manager combined with mac authentication.
You can set your security profile to use mac authentication via RADIUS, then have user manager on one of your devices and add a user named as the MAC address, and you need to manage it only in one place.

ustas · Thu Mar 23, 2023 8:01 pm

... "Default authenticate" in your wireless interface settings. ...

Unfortunately I do not see it neither in web interface nor in winbox.
Looks like it belongs to Interface/Wireless (https://wiki.mikrotik.com/wiki/Manual:I ... e/Wireless), but in routeros 7.8 I have wifiwave2 package instead.

If I'm wrong can you please provide exact path in menu to it. Or may be it is accessible in command line?

anav · Thu Mar 23, 2023 8:27 pm

The OP has a point.
There is an ACCESS LIST Tab on wifi wave 2 and that seems to be to enter in each item individually with some ability to assign radius and other things............
HOWEVER, there is no single TAB or entry that would allow DISABLE all access list or ENABLE all access list.
Further, I dont see the access list as an option or pull-down in any of the other WIFIWAVE2 menu selections.

Perhaps I am also blind but certainly looks like some missing items here? Also using 7.8rc3 vice stable version so maybe why?

pe1chl · Thu Mar 23, 2023 8:55 pm

wifiwave2 is new and is not complete yet... maybe that is the reason?
maybe you should use the "mac authentication" in "security profile" method... (combined with user manager)

anav · Thu Mar 23, 2023 9:09 pm

Maybe they should assign more resources at MT to finish products instead of releasing them as beta software or at least produce a transparent road map for completion of feature sets.

anav · Thu Mar 23, 2023 9:36 pm

Priceless quote1: "Go to Wireless menu, then click Access List tab"
Priceless quote2: "mkx which threads are you referring to? AFAIK hAP ax2 works like a charm. I use it personally too. If you have no specific report made, don't spread such false info then."

Yup everything is 'EASY' and works like a "CHARM" in wifiwave2 lala land.

Don't get me wrong, I would love to eat crow or humble pie and be made to look the fool, if the AXseries and wifiwave2 hummed along like a well oiled machine and a config path process was promulgated that was usable and documentation explained the large number of variables and parameters presented. I would even drink Latvian beer..........

ustas · Thu Mar 23, 2023 10:06 pm

As a possible solution I'd accept this: add new access list item that had MAC mask that match all MAC addresses - and set action to 'reject'.
And I'd moved it to the bottom of the list.

I tried 'FF:FF....FF' both in MAC and MAC address mask fields of access list. But did not work for me.
Also tried '00:00....00' - but this value was either rejected or ignored by different GUIs.

Did anyone use masks in access list?
Any hint ?

Amm0 · Thu Mar 23, 2023 10:10 pm

I didn't think this work myself. But the docs, sorta, give some clues.
https://help.mikrotik.com/docs/display/ ... entication

Apparently you have just ignore the reference to "query-radius" under the "MAC Authentication" when reading the docs. And apparently reject just needs to match something, but the defaults don't match anything, so a "reject" alone doesn't just work. So if you extrapolate from the "print" (not "export") in the "examples", they use a "signal-range" which gives the reject something match on.

So adding this add the end will cause it to use the whitelisted MAC's above it in the access-list (and presumable added via QuickSet "Copy to ACL" PREVIOUSLY* to add this rule).

/interface/wifiwave2/access-list/add action=reject disabled=no signal-range=0..-120 time=0s-0s

*You can't go back to QuickSet and use "Copy to ACL" after adding that "reject". The "Copy to ACL" stuff becomes grey'ed out, so you can't use QuickSet to add new items to the whitelist, if the rules flagged them as rejected.

But I'm pretty sure in V6, there was an Use ACL and the "Copy to ACL" stuff worked fine – this was one area of QuickSet that was SAFE to use multiple times since the ACL buttons just modifed the Wi-Fi access-list, but the rest of config is unaffected by doing ACL stuff.

ustas · Thu Mar 23, 2023 10:33 pm

Tried this

add action=reject disabled=no signal-range=0..-120 time=0s-0s

Does not work for me

I mean - the rule was added successfully but any device with any MAC still can connect

Amm0 · Thu Mar 23, 2023 10:49 pm

Did you remove any existing ones from the "Registered" section. Once it was connected, it's remember.

Perhaps mess with the time? Maybe try 0s-1d as the time.

Or reverse the range, -120..0?

Note: I set these using winbox, then did an export. Perhaps something isn't translated right in export....

ustas · Fri Mar 24, 2023 12:36 am

... remove any existing ones from the "Registered" ... ?

There was no need in it. Once I switched Wifi OFF on the device, its MAC disappeared from Registration table.
Switched wifi ON - immediately connected.
Changing 'time' did not help.

but changing the range to -120..00 worked !!!

So, the final solution is

/interface/wifiwave2/access-list/add action=reject disabled=no signal-range=-120..0

Thank you a lot!!

Amm0 · Fri Mar 24, 2023 1:14 am

Tired it again, from another device and it did get in. I changed the time 0s-1d (no signal) and it that worked. Rebooted that was still blocked. Maybe it doesn't have any signal during the match, I have no idea...

But this seems buggy, beyond just QuickSet part, you should file it as a bug at help.mikrotik.com. You were told

Go to Wireless menu, then click Access List tab

and you did

.

Even that the docs sucks on this topic is worthy bug IMO.

Amm0 · Fri Mar 24, 2023 1:15 am

but changing the range to -120..00 worked !!!

yeah I think the key is something has the match for the reject to work. And I did have those backwards in my first example...

chaugi · Mon May 15, 2023 11:10 pm

Also the problem looks like you are not able to sort rules in Access List. Therefore if you have multiple rules for different interfaces you cannot rearrange Deny rule as you can do in Firewall. As a result you have to recreate it each time you do modifications to your list

gchasapis · Fri Aug 04, 2023 7:40 pm

How is it possible that something so basic has not been implemented for so long? wifiwave2 is out for so long now. Are we sure we are not missing something?

pe1chl · Sat Aug 05, 2023 1:39 pm

wifiwave2 has different functionality from the original MikroTik wireless drivers!
it has more support for modern WiFi protocols and chipsets, but (far) less support for the more advanced usage of WiFi.

kravemir · Sun Aug 13, 2023 11:01 am

So, the final solution is
Code: Select all
/interface/wifiwave2/access-list/add action=reject disabled=no signal-range=-120..0

This blocks any wireless access. If Guest Wireless Network functionality is desired, then this needs to be extended to only block on private interfaces:

/interface wifiwave2 access-list
add action=reject disabled=no interface=wifi1 signal-range=-120..0
add action=reject disabled=no interface=wifi2 signal-range=-120..0

Though, it's a bit of shame, that this is not supported by Quick Set. Also, rules added by "Copy To ACL" don't contain comments about device names, so hard time figuring out what should be what.

adammrt · Sun Sep 03, 2023 8:33 pm

Please tell me how to easy way enable restrict access to the device using the ACL? I have a defined list of ACL devices.
( hAP ax^3, 7.11.2 (stable)).

slastnikov · Mon Nov 13, 2023 12:12 am

To enable Acess List you need.
1. Add a rule which rejects everything.
2. Below that rule add rule which allows certain mac.
Pictures Attached

https://ibb.co/XWSkzSY
https://ibb.co/SfNnKzm
https://ibb.co/xzbY18g

Missing ACL enable/disable in QuickSet [SOLVED]

Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet [SOLVED]

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Re: Missing ACL enable/disable in QuickSet

Who is online