MAC address whitelist

Moderators: grovkillen, Stuntteam, TD-er

Ruba
New user
Posts: 5
Joined: 05 Nov 2021, 00:21

MAC address whitelist

#1 Post by Ruba » 09 Nov 2021, 22:24

Hi!

I know that MAC addresses can be quite easily changed, but still, it would give some little extra protection if we could create a MAC address whitelist for an ESP Easy device.

I don't see many ways of securing my IoT network. One way would be to create a completely separate hardware or virtual network segment, but MAC filtering would also give some level of protection against some automated attacks or less knowledgeable "smart" guys.

Are there any ways to achieve MAC filtering?

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands
Contact:

Re: MAC address whitelist

#2 Post by TD-er » 09 Nov 2021, 22:29

What should it be used for when filtering?
For example, the existing IP filtering is only used for web access.

It is also a bit tricky to implement, as not all replies an ESP may give are generated by the ESPEasy source code.
And when you try to access the unit from outside your network, the MAC address seen as the source is the MAC of your router (or L3 switch).

So this brings me to the question: what do you think you would gain in security?
And just try to realize what you may add in complexity and trouble for yourself to manage it.

Ruba
New user
Posts: 5
Joined: 05 Nov 2021, 00:21

Re: MAC address whitelist

#3 Post by Ruba » 14 Nov 2021, 10:48

Thanks TD-er for your input!

Actually, what I am after is a little more security in case someone happens to be in my local network and starts just digging around to see what he might see or control on my devices.

Possibly my approach with MAC filtering is not very good, as you pointed to multiple problems, but at least it is something. The only alternative I can think of is to isolate WiFi clients on my router, put them in separate segments and then create firewall rules to control which devices can talk to each other.

Perhaps you have a better idea how to secure my devices from local attackers?

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands
Contact:

Re: MAC address whitelist

#4 Post by TD-er » 14 Nov 2021, 13:05

If your network allows it, you could consider placing all IoT devices in a separate VLAN.
Then either in the router, or in a layer-3 switch you could allow the routing between the VLANs.
If you really want to add some filtering, which is more than just a simple IP gateway, then you must do it in the router, not in a layer-3 switch.

The advantage of a VLAN is that you don't need extra wires.
Some access points even allow separate SSIDs based on subnet (or VLAN), so you don't need extra APs.

I am using one of the least expensive APs from MikroTik, the mAP lite for the ESPEasy nodes.
Those can be had for about 25 euro.
They even allow using separate SSIDs on the same AP, and VLAN tagging also seems to be present (not tested myself, as I have the VLANs separated on my switch and MikroTik router).
I use these APs as a simple bridge to my network, but they could even be used as a router and/or firewall for your devices.

Those MikroTik appliances do have one major drawback and that's the rather steep learning curve.
You may be overwhelmed by the vast number of options, even on the cheapest models.

Ruba
New user
Posts: 5
Joined: 05 Nov 2021, 00:21

Re: MAC address whitelist

#5 Post by Ruba » 14 Nov 2021, 20:27

Thanks again TD-er!

VLANing and segmenting is the way I'll go. I am a novice in IoT, but not afraid of complex networking with routing.

Your suggested mAP lite looks like a very interesting piece of hardware and software. It is small and very power efficient: just 4 W under maximum load. This is great for my sailboat project, where every watt counts. PoE 802.3af is a nice-to-have feature, and passive PoE in a range of 11-57 volts even allows feeding it directly from a regular battery. I didn't find anything about VLANs in the description, but I need to dig deeper to confirm that. If this one does not support VLANs, then its slightly bigger brother, the mAP, claims to have full RouterOS capabilities, which include VLANs as well. Very universal and impressive. Thanks for pointing this out!

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands
Contact:

Re: MAC address whitelist

#6 Post by TD-er » 14 Nov 2021, 21:27

Don't forget you may also need switches which support VLAN tagging.
Those aren't that expensive anymore and some also support PoE, but I am not sure if PoE is that energy efficient.
TP-Link does have a range of very basic switches which support VLAN.
Those are the ones which have an "e" in the number.
For example the TL-SG108E: https://www.tp-link.com/nl/home-network ... ifications
There is also a 5-port version and an eight-port version which supports PoE on 4 ports.

On Tweakers.net I have written a review on the Cisco SG250-08 switch, which is a layer-3 switch.
Since I didn't find a lot of info on Layer-3 switches at the time, I have taken some effort in describing it and also something about routing and VLANs.
See: https://tweakers.net/productreview/2300 ... 50-08.html
It is in Dutch, but you can use Google Translate to turn it into any language you like :)

I don't think you should go for a layer-3 switch, but it is nice to know the concepts and differences between a router and a layer-3 switch and also getting to know something about VLAN.
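As an added illustration of the setup TD-er describes in posts #4 and #6 (not configuration from the thread, from ESPEasy, or from MikroTik documentation), the RouterOS commands below put the IoT devices in their own VLAN, carry that VLAN tagged over a trunk port towards a VLAN-capable switch or AP, and do the inter-VLAN filtering in the router rather than in a layer-3 switch. The interface names, the VLAN ids (10 for the trusted LAN, 20 for IoT), the 192.168.x.0/24 subnets and ether5 as WAN port are assumptions chosen for the example; the filter rules are listed in the order RouterOS evaluates them.

```routeros
# Added example, not from the thread. Interface names, VLAN ids and
# subnets are assumptions; adapt them to your own router.

# 1. One bridge with VLAN filtering. ether1 is the tagged trunk towards the
#    VLAN-capable switch/AP, ether2 carries the IoT VLAN untagged.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=20

# 2. Router-side VLAN interfaces: one gateway address per segment.
/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan20-iot interface=bridge1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-iot

# 3. Inter-VLAN filtering in the router (forward chain, top-down).
#    Weak variant: no forward rules at all, so every VLAN reaches every other
#    and the segmentation only separates broadcast domains, not attackers.
#    Hardened variant below: the trusted LAN may open connections towards the
#    IoT segment; IoT nodes may only answer, never initiate towards the LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to already-allowed connections"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan10-lan out-interface=vlan20-iot connection-state=new action=accept comment="LAN may manage the IoT nodes"
add chain=forward in-interface=vlan20-iot out-interface=vlan10-lan action=drop log=yes log-prefix="iot->lan" comment="IoT must not initiate towards the trusted LAN"
# Optional: let IoT nodes reach the internet (assumes ether5 is the WAN port).
add chain=forward in-interface=vlan20-iot out-interface=ether5 connection-state=new action=accept
```

With this in place the IP filter inside ESPEasy (post #2) only has to deal with traffic the router already lets through, and the `log-prefix` on the drop rule gives a simple signal in the router log when a node in the IoT segment starts probing the trusted LAN.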
