If I set up and enable a policy to "allow" Internet access for three NIC cards, will that automatically block all other Internet access attempts from the general public, wireless AND wired? (i.e. block all those MACs that aren't listed on my "Allow" list?)
I am using this in conjunction with WEP, but also want a second way of blocking wireless traffic, should the password get compromised.
I also want to block wired clients from connecting without prior authorization. (Yes, I know you can spoof a MAC.)
It may be different on your router with your firmware, but generally policies are evaluated from the first one until one matches with the list of PCs and the time frame. This policy is executed and processing stops. I think the default policy when no existing policy matches is to allow traffic. But you should test that. It may well be the opposite. If you want to be on the safe side you should add a second policy after the first which denies all traffic.
The access restrictions only filter traffic from the LAN into the internet. They do not filter traffic into the LAN. Anyone connected can still access all other computers and the router inside the LAN.
For the wireless there is also a wireless MAC address filter.
However, be aware that all MAC addresses are always transmitted unencrypted. This means it is very easy to pick an unfiltered MAC address up wirelessly, and due to the amount of normal Windows broadcast traffic it is also very easy to pick up the MAC addresses in the wired LAN.
You cannot prevent wired clients from connecting. You can only prevent them from accessing the internet.
With this router firmware, I didn't see a way to "deny all". You enable or disable a policy and set it to deny or allow. In the policy properties (edit) page, there are IP ranges and MAC entry fields, but no global selection to block all or allow all. (FYI: On the Linksys BEFSX41 VPN router, there is a "deny all" check box, but that selection unfortunately overrides any "allow" entries that you specify, regardless of which order the policies are entered. I gave up on that unit after three low-yield hours online with Linksys chat support.)
So you get a clear pic of what I'm trying to do: I have two encrypted 802.11G access points with about 10 authorized wireless users. I'm trying to allow everyone who provided their MAC address onto the Internet, and prevent other casual users in the neighborhood from getting Internet access. There is no network to hack; this is just for Internet access, so I'm accepting the fact that someone may sniff and spoof a MAC to get online (but they'd need the WEP key also).
I need to MAC filter the wired end as all the remote access point traffic enters my router through two of the switched RJ-45 ports. Right now, anyone with the password gets access.
If you can suggest a fix or a different piece of hardware for this, I'm all ears.
A deny all would be a policy which includes the whole LAN subnet (e.g. 192.168.1.2-255) and is active anytime.
I would just test it. Set up the policies and verify which MAC addresses get internet and which do not. You can always quickly change the MAC address in the driver if you only have a single computer.
If you want to do it "properly" you could set up a RADIUS server on a computer in your LAN to do wireless authentication (maybe even 802.1X). That way you can authenticate individual users and check the MAC address at the same time. But setting up a RADIUS server like FreeRADIUS is not easy.
I tried blocking the whole IP range available from DHCP. That does work, i.e. shuts everything off from the Internet. I then tried adding an "Allow" policy to try to override that block for a few selected MAC IDs. That did not work; the full block took precedence and no one got Internet access.
I then deleted the full block and left a small "Allow" list in place. This seems to be working - other PCs not in the Allow list are blocked, while my Allow list correctly has Internet access. A second laptop and another PCMCIA 10/100 card helped verify the results.
If a single policy alone does work, it means that the router has a deny-all default policy. If you configure access restrictions, everything not allowed is blocked.
I am not sure whether you did the configuration with the explicit deny-all policy correctly. The order of the policies is important. If you define a deny-all as 1st policy then everything will be shut off as you have seen it. You can add any policy you want after this. It does not make a difference as the other policies will never be evaluated.
The first matching policy in the order of policies which matches will be executed. No other policies will be executed after the first match has been found.
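To make the first-match behaviour described above concrete, here is an added simulation (not code from the thread or from any router firmware) of how a list of access-restriction policies is walked. It assumes the semantics the answer describes: a policy matches a client if its MAC is in the policy's PC list or its IP falls in the policy's range, and the policy is active in the current hour; the first matching policy decides and nothing after it is consulted; a router-wide default applies when nothing matches. The MAC addresses, IP addresses and policy names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, List, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Normalise a MAC so 'DE-AD-BE-EF-00-01' and 'de:ad:be:ef:00:01' compare equal."""
    return mac.strip().lower().replace("-", ":")


def mac_set(*macs: str) -> FrozenSet[str]:
    return frozenset(norm_mac(m) for m in macs)


@dataclass(frozen=True)
class Policy:
    """One access-restriction entry (hypothetical model of the router's edit page):
    a list of PCs by MAC and/or an inclusive IP range, plus an active hour window."""
    name: str
    action: str                                   # "allow" or "deny"
    macs: FrozenSet[str] = frozenset()            # empty = no MAC entries
    ip_range: Optional[Tuple[str, str]] = None    # inclusive (first, last) address
    hours: Tuple[int, int] = (0, 24)              # active window, [start, end)

    def matches(self, mac: str, ip: str, hour: int) -> bool:
        if not (self.hours[0] <= hour < self.hours[1]):
            return False                          # policy not active right now
        if norm_mac(mac) in self.macs:
            return True
        if self.ip_range is not None:
            first, last = (IPv4Address(a) for a in self.ip_range)
            if first <= IPv4Address(ip) <= last:
                return True
        return False


def evaluate(policies: List[Policy], mac: str, ip: str, hour: int,
             default: str = "deny") -> Tuple[str, Optional[str]]:
    """Walk the policies in configured order; the first match wins.
    Returns (action, name of the matching policy or None for the default)."""
    for p in policies:
        if p.matches(mac, ip, hour):
            return p.action, p.name               # later policies are never evaluated
    return default, None


# Constructed clients: two on the owner's allow list, one neighbour who is not.
CLIENTS: Dict[str, Tuple[str, str]] = {
    "laptop-ok":  ("00:11:22:33:44:55", "192.168.1.20"),
    "desktop-ok": ("00-11-22-33-44-66", "192.168.1.21"),   # dash form on purpose
    "stranger":   ("de:ad:be:ef:00:01", "192.168.1.77"),
}
ALLOWED = mac_set("00:11:22:33:44:55", "00:11:22:33:44:66")

ALLOW_LIST = Policy("Allow listed MACs", "allow", macs=ALLOWED)
# A "deny all" built the way the thread suggests: a deny covering the whole LAN range.
DENY_ALL = Policy("Deny whole LAN", "deny", ip_range=("192.168.1.2", "192.168.1.255"))


def run(policies: List[Policy], default: str = "deny", hour: int = 21) -> Dict[str, str]:
    """Action each constructed client ends up with under a given policy order."""
    return {name: evaluate(policies, mac, ip, hour, default)[0]
            for name, (mac, ip) in CLIENTS.items()}


def deny_first() -> Dict[str, str]:
    """Deny-all as policy 1: it matches everyone, so the allow list is never reached."""
    return run([DENY_ALL, ALLOW_LIST], default="allow")


def allow_only(default: str) -> Dict[str, str]:
    """Only an allow list configured: unlisted clients fall through to the default."""
    return run([ALLOW_LIST], default=default)


def allow_then_deny(default: str) -> Dict[str, str]:
    """Allow list first, deny-all second: the outcome no longer depends on the default."""
    return run([ALLOW_LIST, DENY_ALL], default=default)


if __name__ == "__main__":
    print("deny-all first          :", deny_first())
    print("allow only, default deny:", allow_only("deny"))
    print("allow only, default allow:", allow_only("allow"))
    print("allow then deny-all     :", allow_then_deny("allow"))
```

The three scenarios mirror the thread: deny-all placed first blocks everyone regardless of the allow list; an allow list on its own only blocks strangers if the firmware's unwritten default is deny; allow list followed by an explicit deny-all gives the intended result whatever the default is, which is the robust configuration to prefer. The hour window is there because a policy outside its time frame simply does not match, so a client can silently fall through to the default.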
I tried reversing the order of the policies last night. First policy was the "Allow" list and second was a blanket "Deny" list for the full DHCP IP range.
That seemed to work (all "non-listed" traffic was blocked - all listed MACs got access).
My next step is to try some similar MAC tests on a Linksys model BEFSX41 VPN router; if those fail, i.e. the non-listed public gets full access, at least I know now I can buy a WRT54GSV4 and get the job done.