Community discussions

MikroTik App
 
iriseth
just joined
Topic Author
Posts: 9
Joined: Sat Feb 18, 2023 5:21 am

access list issue in wifiwave2

Sat Feb 18, 2023 8:03 pm

hi mikrotik friends,
Hope my post will be approved here as it didn't in the last 24 hours in another topic.
I have an issue with the way wifiwave 2 handles (or not handles) the `access list` feature. I'd like to replicate what I've done on my crs109 and add individual passphrases per MAC address for devices to authenticate.

Seems this function is not working in ros 7.7 as the MAC / passphrase is not working for authentication. Since "default authenticate" checkbox is removed from the interface properties, not sure if this function will ever work the way it worked on older routerboard models.

thanks
 
iriseth
just joined
Topic Author
Posts: 9
Joined: Sat Feb 18, 2023 5:21 am

Re: access list issue in wifiwave2

Mon Feb 27, 2023 3:05 pm

up! anyone any ideas?
 
User avatar
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: access list issue in wifiwave2

Sat Mar 04, 2023 10:21 pm

Same problem here. Can't get it to reasonably reject everything by default. Here are my rules, forming a whitelist:

admin@MikroTik] /interface/wifiwave2/access-list> p d
Flags: X - disabled
0 mac-address=58:3F:33:9E:02:18 mac-address-mask=FF:FF:FF:FF:FF:FF interface=xx-iot-2 action=accept
1 mac-address=58:37:1D:D1:5C:39 mac-address-mask=FF:FF:FF:FF:FF:FF interface=xx-iot-2 action=accept
2 interface=xx-iot-2 action=reject

...and the reject has absolutely no effect. I've tried every combination of 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF for mac-address and mac-address-mask. The xx-iot-2 network is a slave of one of the main wifi interfaces, but I've tried putting these rules on the main wifi interface, as well.

Additionally, I found WebFig adds this to every record, which I've both tried leaving alone and deleting via the CLI:

signal-range=0 time=0s-0s

WebFig inconsistently displays things in numerical order (you randomly see multiple rules that are at #0 unless you refresh the page).

I'm on a new AX2 and the latest 7.8 for both packages and the RouterBoard firmware.

I went down this path because a few (not all) of my Geeni Smart Light Bulbs refuse to authenticate to the AX2 (they did with the AC2) and I had to put them on their own isolated wifi network with authentication removed. (UPDATE) I was able to fix the issue with the bulbs (and a Roomba) by unchecking the "CCMP 256" WPA security option, so I've since removed the open network. That said, I'd still like to block IoT devices based on MAC addresses, so I'm happy to help try any solutions.
Last edited by justinmik on Sun Mar 05, 2023 10:17 pm, edited 1 time in total.
 
User avatar
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: access list issue in wifiwave2

Sun Mar 05, 2023 6:46 am

FYI - I have submitted support cases SUP-109704 and SUP-109706 (sorry, Mikrotik engineers, for the duplicate!).
 
iriseth
just joined
Topic Author
Posts: 9
Joined: Sat Feb 18, 2023 5:21 am

Re: access list issue in wifiwave2

Tue May 23, 2023 12:57 pm

FYI - I have submitted support cases SUP-109704 and SUP-109706 (sorry, Mikrotik engineers, for the duplicate!).
hi there, did you receive any answers on this ? I'm really missing this function to be able to grant individual passwords based on mac. - I don't really want to install a radius server for this as it was working on ros 6.x
 
holvoetn
Forum Guru
Forum Guru
Posts: 3728
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: access list issue in wifiwave2

Tue May 23, 2023 1:17 pm

I only use access list for kicking out devices with a too low signal.
But is it possible a signal range has to be included all the time ?
Use -120 to 120, always valid :lol:
 
iriseth
just joined
Topic Author
Posts: 9
Joined: Sat Feb 18, 2023 5:21 am

Re: access list issue in wifiwave2

Tue May 23, 2023 1:21 pm

tried everything trust me :(
Screenshot 2023-05-23 at 11.20.02.png
and it still allows everything.
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 10246
Joined: Thu Mar 03, 2016 10:23 pm

Re: access list issue in wifiwave2

Tue May 23, 2023 4:15 pm

Remove the time= setting ... as far as I understand the logic, the rules will only be matched for a fraction of second at midnight (0:00:00). If you would like to add check for time of day (and have rule matched at all times), then you'd have to write something like "time=0s-1d", but why bother with this property if the rule should be time-independent?

If webfig doesn't allow removing it, then do it via CLI. However ... my WebFig did include the Time line (with all zeroes), but if I removed the setting (pressing the upwards pointing triangle and then save the ACL rule, the time property was not seen as set in CLI.
 
iriseth
just joined
Topic Author
Posts: 9
Joined: Sat Feb 18, 2023 5:21 am

Re: access list issue in wifiwave2

Sat May 27, 2023 9:31 am

Remove the time= setting ... as far as I understand the logic, the rules will only be matched for a fraction of second at midnight (0:00:00). If you would like to add check for time of day (and have rule matched at all times), then you'd have to write something like "time=0s-1d", but why bother with this property if the rule should be time-independent?

If webfig doesn't allow removing it, then do it via CLI. However ... my WebFig did include the Time line (with all zeroes), but if I removed the setting (pressing the upwards pointing triangle and then save the ACL rule, the time property was not seen as set in CLI.
thanks, not working. Even if I remove it, it puts back when clicking APPLY on the rule. I'm trying this from the webfig. I was also trying with 00:00:02 00:00:01 that's 24 hour -1 second but didn't allow either. no effect...

UPDATE: Something is definitely with the time.... I'm messing around and it started working. let me do some thorough testing.... THANK YOU! for the hint
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 10246
Joined: Thu Mar 03, 2016 10:23 pm

Re: access list issue in wifiwave2

Sun May 28, 2023 10:32 am

Even if I remove it, it puts back when clicking APPLY on the rule.

I actually went forward to test my suggestion before posting it. And my suggestion worked.

It seems to me that WebFig has a bug which causes it to add the time properry if it didn't exist before opening the particular rule. But if you remove it and hit "save", it's not added to actual router config. Just verify it while using another UI (I used CLI, winbox might be a good example to get "second opinion" if you fancy GUI).

And you're not right about 00:00:02-00:00:01 ... the end time has to be larger than start time ... and 00:00:01 is one second past midnight which is already past when interval starts (at two seconds past midnight). However 00:00:00-1d should be fine as "one day past midnight" did not happen yet when interval started at "today midnight".
 
gigihr
just joined
Posts: 2
Joined: Thu Aug 29, 2019 9:21 pm

Re: access list issue in wifiwave2

Fri Jun 02, 2023 1:15 am

this new logic is much more clear and more logical, it acts like firewall
first accept rules with all options you want and how many you need them
and last one rule is reject everything

my home setup for controling if kids can be on internet from everywhere:

I've defined main WiFi for me and wife, tv and kid's
SSID's: MAIN, TV, KID1MOB, KID2MOB, KID1LAP, KID2LAP
MAIN has strong pass, others simple 12345678

added filters in wireless / access-list
accept: mac:from_tv interface:TV
reject: interface:TV
accept: mac:kids_mobile interface:KID1MOB time:08-21
reject: interface:KID1MOB
and so on...
so every device is locked to propper wifi-ssid and rest is rejected

added scheduler every 5 min:
/tool fetch url="https://user:pass@mywebpage.com/net/io.json"
/system script run dev
io.json looks like this:
{"kid1mob":false,"kid1lap":false,"kid2mob":false,"kid2lap":false,"tv":true}


and made a script: named dev
{
    :local check [/file get io.json contents]; # in variable quotes are removed from json so it's like kid1mob:false
    :local kid1mob_j [:pick $check ([:find $check "kid1mob" -1]+9)]; #searching for start pos in io.json of string "kid1mob" and get char from pos +9 (t or f)
    :local kid2mob_j [:pick $check ([:find $check "kid2mob" -1]+9)];
    :local kid1lap_j [:pick $check ([:find $check "kid1lap" -1]+9)];
    :local kid2lap_j [:pick $check ([:find $check "kid2lap" -1]+9)];
    :local tv_j [:pick $check ([:find $check "tv" -1]+4)];
    :local kid1mob_i [/interface get kid1mob disabled]; #var will be true if interface is disabled
    :local kid2mob_i [/interface get kid2mob disabled];
    :local kid1lap_i [/interface get kid1lap disabled];
    :local kid2lap_i [/interface get kid2lap disabled];
    :local tv_i [/interface get TV disabled];

    :if ( $kid1mob_j="t" && $kid1mob_i=true) do={/interface/wifiwave2/enable kid1mob}
    :if ( $kid1mob_j="f" && $kid1mob_i=false) do={/interface/wifiwave2/disable kid1mob}
    :if ( $kid1lap_j="t" && $kid1lap_i=true) do={/interface/wifiwave2/enable kid1lap}
    :if ( $kid1lap_j="f" && $kid1lap_i=false) do={/interface/wifiwave2/disable kid1lap}
    :if ( $kid2mob_j="t" && $kid2mob_i=true) do={/interface/wifiwave2/enable kid2mob}
    :if ( $kid2mob_j="f" && $kid2mob_i=false) do={/interface/wifiwave2/disable kid2mob}
    :if ( $kid2lap_j="t" && $kid2lap_i=true) do={/interface/wifiwave2/enable kid2lap}
    :if ( $kid2lap_j="f" && $kid2lap_i=false) do={/interface/wifiwave2/disable kid2lap}
    :if ( $tv_j="t" && $tv_i=true) do={/interface/wifiwave2/enable TV}
    :if ( $tv_j="f" && $tv_i=false) do={/interface/wifiwave2/disable TV}
};
and why so many checks... because when you enable allready enabled WiFi it still do off/on on interface so it's not good




and simple php web page on my my hosting that generate io.json file: index.php
<!DOCTYPE html>
<html lang="en">
<head>
<title>Internet access</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>
<body class="d-flex flex-column ng-cloak">
<div class="container py-2"><div class="row"><div class="col"><h2 class="font-weight-light">Internet</h2>
<p>Configure internet access</p>
<?php
$json_file="io.json";
$kid1mob=$kid1lap=$kid2mob=$kid2lap=$tv=0;
$file = file_get_contents($json_file);
$json = json_decode($file, true);
$kid1mob=$json['kid1mob']!="";
$kid1lap=$json['kid1lap']!="";
$kid2mob=$json['kid2mob']!="";
$kid2lap=$json['kid2lap']!="";
$tv=$json['tv']!="";
?>
<form method="post" action="submit.php">  
<div class="form-check form-switch"><input class="form-check-input" type="checkbox" role="switch" id="kid1mob" name="kid1mob" <?php if($kid1mob)echo "checked"; ?> /><label class="form-check-label" for="kid1mob">Kid 1 mobile can access internet</label></div>
<div class="form-check form-switch"><input class="form-check-input" type="checkbox" role="switch" id="kid1lap" name="kid1lap" <?php if($kid1lap)echo "checked"; ?> /><label class="form-check-label" for="kid1lap">Kid 1 laptop can access internet</label></div>
<div class="form-check form-switch"><input class="form-check-input" type="checkbox" role="switch" id="kid2mob" name="kid2mob" <?php if($kid2mob)echo "checked"; ?> /><label class="form-check-label" for="kid2mob">Kid 2 mobile can access internet</label></div>
<div class="form-check form-switch"><input class="form-check-input" type="checkbox" role="switch" id="kid2lap" name="kid2lap" <?php if($kid2lap)echo "checked"; ?> /><label class="form-check-label" for="kid2lap">Kid 2 laptop can access internet</label></div>
<div class="form-check form-switch"><input class="form-check-input" type="checkbox" role="switch" id="tv" name="tv" <?php if($tv)echo "checked"; ?> /><label class="form-check-label" for="tv">TV can access internet</label></div>
<div class="d-grid gap-2 col-6 mx-auto"><button class="btn btn-primary" type="submit">Accept</button></div>
</form></div></div></div></body></html>



and added action script: submit.php
<?php
$json_file="io.json";
$json=['kid1mob' => 0, 'kid1lap' => 0, 'kid2mob' => 0, 'kid2lap' => 0, 'tv' => 0 ];
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    $json=[
        'kid1mob' => $_POST["kid1mob"]!="",
        'kid1lap' => $_POST["kid1lap"]!="",
        'kid2mob' => $_POST["kid2mob"]!="",
        'kid2lap' => $_POST["kid2lap"]!="",
        'tv' => $_POST["tv"] !=""
    ];
    file_put_contents($json_file, json_encode($json));
}
?>
<!DOCTYPE html>
<html lang="en">
<meta http-equiv="Refresh" content="0; url='https://mywebpage.com/net'" />
<head></head><body></body></html>
and that's all, from everywhere me and wife can enable/disable internet per kid per device using simple web page
and secured the page with password on cpanel

Who is online

Users browsing this forum: No registered users and 10 guests