[SOLVED] Allow Only Authorized Clients on All Networks
I have 2 routers right now. mainrouter, and guestrouter. mainrouter is running dd-wrt. clientrouter is running the default firmware.
mainrouter has MAC filtering enabled as permit only the specified clients. It also has a WPA2 password.
guestrouter has no security key. It has MAC filtering disabled. When I try to connect something to mainrouter directly, it seems to work fine. If the MAC isn't in the router, you aren't getting on, even if you know the password. However, in clientrouter, it seems to let everyone on. I didn't know this, because I thought that the MAC filtering in mainrouter would be enough. guestrouter is connected by a switch (or two?) to mainrouter. I believe that guestrouter has permission to access the network.
How do I stop people from getting on guestrouter without requiring a password as well? Do I need to enable the MAC filtering in the same way, and if I do, I'd want all the same clients to connect to it as in mainrouter, so since there are not enough slots in the MAC filter to put them in, I'd have to also flash this as DD-WRT. Please answer these questions.
The MAC address is only transmitted on layer 2 - between directly attached devices. The wlan router works on layer 3, so each data packet received from your guestrouter contains the mac of the lan interface.
I would disable mac filtering, because it is very easy to spoof and does not give you any security benefit (see e.g. software macchanger).
To control access to your network you could switch to WPA2-Enterprise and create WLAN credentials for every client. I remember that wrt has a package to set up a needed radius server. The plain firmware of your guestrouter should be able to query it. As I mentioned before, access control based on the mac address is easy to overcome. You could create a default account on the radius server and print a letter with the credentials for your guests.
But to answer your question, if you want to control access based on the mac, you have to use the mac filter on the guestrouter, too.
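The layer-2 behaviour described in the answer above, as an added example that is not part of the original post: a small Python model of the two-router topology, showing which source MAC each permit-only filter actually sees. All MAC and IP addresses and the class and function names are constructed for illustration, and it assumes guestrouter routes traffic out of its WAN port.

```python
from dataclasses import dataclass, replace

# All addresses below are constructed sample values.
GUEST_WAN_MAC = "02:00:00:00:00:01"   # guestrouter WAN port
ALLOWED_CLIENT = "02:00:00:00:00:10"
UNKNOWN_CLIENT = "02:00:00:00:00:99"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str


class MacFilter:
    """Permit-only MAC filter, checked against the frame's layer-2 source."""

    def __init__(self, allowed):
        self.allowed = {m.lower() for m in allowed}

    def permits(self, frame):
        return frame.src_mac.lower() in self.allowed


class Router:
    """Layer-3 hop: filters what arrives on its LAN side, then re-frames."""

    def __init__(self, wan_mac, wan_ip, mac_filter=None):
        self.wan_mac, self.wan_ip, self.mac_filter = wan_mac, wan_ip, mac_filter

    def forward(self, frame):
        if self.mac_filter and not self.mac_filter.permits(frame):
            return None  # dropped at this hop
        # New layer-2 header (and NAT): the client's MAC goes no further.
        return replace(frame, src_mac=self.wan_mac, src_ip=self.wan_ip)


def reaches_internet(client_mac, guest_filter=None, via_guest=True):
    # mainrouter permits its own clients plus guestrouter's WAN port.
    main = Router("02:00:00:00:00:02", "203.0.113.5",
                  MacFilter([ALLOWED_CLIENT, GUEST_WAN_MAC]))
    frame = Frame(client_mac, "192.168.2.50", "198.51.100.7")
    if via_guest:
        guest = Router(GUEST_WAN_MAC, "192.168.1.2", guest_filter)
        frame = guest.forward(frame)
        if frame is None:
            return False
    return main.forward(frame) is not None
```

With no filter on guestrouter, `reaches_internet(UNKNOWN_CLIENT)` is true because mainrouter only ever sees guestrouter's WAN MAC; the same client attached directly to mainrouter, or met by a filter on guestrouter, is dropped.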
mainrouter is Linksys E2500, with dd-wrt which by the way is the only firmware it was a stable router with. guestrouter is Linksys WRT-54G, with the default firmware. These are the only two routers. I agree that at some point I'll have to learn how to do radius, but for now, if I could get it to work the way it is, that'd be great.
The only device I've had some trouble connecting is the iPad with the way it is right now. It doesn't seem to like WPA2 or something like that. I could go with WPA or if I have to WEP if that's the case later, but for now I want to try to make it work the way it is.
mainrouter is connected to the Internet. guestrouter is connected by its WAN port to a switch (or two, can't remember the exact configuration) to a LAN port on mainrouter.
I think I will check if giving it a password helps. I'll check when I get the next break from running genhdlist2 on vweb. I'm running genhdlist2 again because it was having some trouble installing the software on vweb, and I'm thinking it's because the files that make it into a distribution source got corrupted and it can't find the software. This seems to be a fairly common problem for me. This step usually fixes it. Right now vweb is saying:
Code:
Adding 8301 new rpms not available in hdlist
So I need to finish running it first. Don't want the network to have problems while the router is being worked on... P.S. - It has been saying that most of today, so it probably will continue until tomorrow morning.
It crashed and upped itself to ~10000 rpms. I'd been running it all day. I'm re-running it. But in the meantime, without it affecting that, I was able to add a password to guestrouter. Haven't got a chance to test it yet. I'm away from home. But I will as soon as I get home and get the time there.
I set a password and it still lets me on with an unauthorized device, if you know the password. Therefore, most likely, stekahelo was right of the two answers I got.
I will have to reflash guestrouter with dd-wrt, because the default firmware does not provide enough MAC slots. But that's okay, I can simply reflash.
I tested to see if an unauthorized device can connect to mainrouter with its MAC filtering and it cannot. The device I was testing said that it was a bad password. I know I typed the password right, so it really is its way of saying that it's unauthorized to get on.
I think that other devices will accept the password and just not connect right. But whether they do it as they're supposed to, is untested. But if the iPod did that, I think the others will fail as well.
I think the MAC filtering is working as designed. It just appears that some router firmware makes you enter all MACs to be authorized, while some MAC filtering allows a router that authorizes its WAN port free access for anything on its LAN as well. The latter is the case with DD-WRT. I had to authorize the WAN though, because otherwise guestrouter won't work at all. Therefore, I think I prefer the other way, but that's okay...
Thanks. I'll reflash, and retest, and let you know how that goes.
I had trouble reflashing, so to save debugging trouble, I simply replaced it with a known working good router. It is a D-Link DI-524 that still runs. It became the new guestrouter and is able to use the number of MACs I needed. Probably an infinite number as far as its memory can store. That will work fine. It took a while to re-enter all MACs that I wanted it to have, but once that's done, it should work right. Now that that's done, I can test it. I'll test as soon as I can and see what happens.