sunnyorlando
Jan 19, 2021, Aspirant
Access Control not blocking Apple devices
I'm trying to figure out what's going on here with my issue. If this is not the right area, then can someone redirect me to the right place or solution? I'd like to understand why is it that in a Wi...
sunnyorlando
Jan 19, 2021, Aspirant
The repeater is set up to mimic the settings of the actual router. I do not have separate controls for SSID, passwords or Access Control for the repeater - it's all based on whatever the settings are for the router. That is an option you can select when you set up the repeater.
I kind of figure it's not an Apple issue per se, but it only happens with Apple. All other devices that access the WiFi need to be approved via Access Control. And that's what I'm trying to figure out.
The setup is a WNDR4300 v2 on version V1.0.0.58, with a WN2000RPT v3 on the other side of the house.
schumaku
Jan 19, 2021, Guru - Experienced User
sunnyorlando wrote: The repeater is set up to mimic the settings of the actual router. I do not have separate controls for SSID, passwords or Access Control for the repeater - it's all based on whatever the settings are for the router. That is an option you can select when you set up the repeater.
Agreed, the SSIDs are taken over from the router, by default with the added _EXT postfix.
Strongly doubt there is any integration when it comes to white- and black-list ACLs (as available on the router), while the extender only supports ACL as a black list, as per the NETGEAR N300 WiFi Range Extender Model WN2000RPTv3 User Manual p.36 "Deny Access to a Computer or WiFi Device".
The N300 WiFi Range Extender Model WN2000RPTv3 Quick Start Guide does have a section "I enabled a WiFi MAC filter, WiFi access control, or access control list (ACL) on my router. What should I do when installing the extender?" on p.18. It also explains that the extender makes use of translated MAC addresses, which need to be added if using the white list feature on the router.
sunnyorlando wrote: I kind of figure it's not an Apple issue per se, but it only happens with Apple. All other devices that access the WiFi need to be approved via Access Control. And that's what I'm trying to figure out.
Somewhere between very unlikely (any kind of overflow on the MAC ACL white list?) and impossible.
Please show the example based on the disabled Private Address (read random MAC) "feature" on an Apple (which is very broad), the connected device information on both the router and the extender, and any white list entries on the router - screenshots and more would help.
- sunnyorlando, Jan 19, 2021, Aspirant
Attached PDF with screenshots:
> '1' is what's connected right now - iPhones are not here now
> '2' is what is not connected, but iPhones show as allowed
> '3a and 3b' is the blocked list - it shows the same iPhones that are also in the 'allowed but not connected' list '2'.
Those iPhones have been blocked several times, then they show up with a different MAC and automatically get connected without approvals. I'll have to wait until it happens again to see them connected to the router AND show up in the not allowed list - by name, not MAC because it changes.
And BTW - when connected, it's to the main router (wireless3.2.4_OF), not the EXT. You can see the extender listed in the connected devices Image 1 at the bottom. So whatever the EXT functionality is, I don't see it affecting the rules of the main router if not connected to the EXT. Right?
And an iPhone shows as wired??
And I don't get how that one IP shows with a 192 IP range. It's a 6c:B:CE MAC and it comes up as a Netgear product but I can't figure out what it is. How is that getting a 192 when my private range is 172?
- schumaku, Jan 19, 2021, Guru - Experienced User
To understand more about how these extenders work, please also check (and post) the extender table: we also need it, with the real MAC (used between the client and the extender radio) and the virtual MAC (used between the extender and the router radio) - ideally with some example clients connected.
sunnyorlando wrote: Those iPhones have been blocked several times, then they show up with a different MAC and automatically get connected without approvals.
That would not be allowed, in fact. The access control works based on the MAC address only. Device name or the like does not matter.
sunnyorlando wrote: ... by name, not MAC because it changes.
For a managed environment with MAC ACL, your known users must disable this "privacy" **** for your network (this is by all SSIDs offered) -> Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7. As you see, beyond disabling the Private network feature for each SSID, Apple does not really have a plan for people intending to use the (in my opinion mostly obsolete MAC security [as a bad guy, I am going to borrow one and wait till it disappears - easily possible with mobile devices]) in home or SMB environments - most have no managed MDM environments.
sunnyorlando wrote: And BTW - when connected, it's to the main router (wireless3.2.4_OF), not the EXT. You can see the extender listed in the connected devices Image 1 at the bottom. So whatever the EXT functionality is, I don't see it affecting the rules of the main router if not connected to the EXT. Right?
However you have named your router and extender radios - from the "wireless3.2.4_OF" name, the name looks constructed of "wireless3", the "2.4" for a 2.4 GHz one, and then "_OF", why ever. Pairing a classic extender like yours would create a name like "wireless3.2.4_OF_EXT". However and why ever the networks were named or renamed - impossible to see from outside.
Login on the extender and check what is configured there.
sunnyorlando wrote: And an iPhone shows as wired??
And I don't get how that one IP shows with a 192 IP range. It's a 6c:B:CE MAC and it comes up as a Netgear product but I can't figure out what it is. How is that getting a 192 when my private range is 172?
This could be directly related. The MAC address is the one from the extender, possibly this device had a different IP, probably it was wired to the router at some point. You can remove it from the list. Same for the Apple device showing up as wired.
Bottom line - managing MAC ACL is a pain in general. Managing the classic extenders with the MAC translation makes it more difficult. Allowing this privacy nonsense (you know your users, correct?) on your own managed network makes it simply impossible. And last, the unlucky requirement that all radios (connecting to the same network!) have to be configured on dedicated names/SSIDs. Confusion complete for everyone.
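Added example, not part of the original thread or of any NETGEAR tooling: a small audit of an attached-devices list against a MAC allow list, flagging entries whose name matches an allowed device while the MAC does not, and addresses with the locally administered bit set (which private/randomized Wi-Fi addresses carry). The device names and MAC addresses are constructed sample data, and the list format is an assumption, not the router's export format.

```python
import re

# Constructed sample data (not taken from the thread's screenshots).
ALLOW_LIST = [
    ("Kids-iPhone", "F0:18:98:AA:BB:01"),
    ("Laptop", "3C:22:FB:10:20:30"),
]
ATTACHED = [
    ("Kids-iPhone", "a6:3b:1c:44:55:66"),   # same name, new private address
    ("Laptop", "3c-22-fb-10-20-30"),        # same MAC, different notation
    ("Unknown", "DE:AD:BE:EF:00:01"),
]

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set.

    The bit only says the address was not burned in by the manufacturer;
    randomized private addresses always have it set.
    """
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit(allow_list, attached):
    """Tag each attached device the way a MAC-only ACL would see it."""
    allowed_macs = {normalize(m) for _, m in allow_list}
    allowed_names = {n for n, _ in allow_list}
    findings = []
    for name, mac in attached:
        tags = ["allowed"] if normalize(mac) in allowed_macs else ["not-in-acl"]
        if tags == ["not-in-acl"] and name in allowed_names:
            tags.append("name-matches-acl-entry")  # the name is not checked by the ACL
        if is_locally_administered(mac):
            tags.append("locally-administered")
        findings.append((name, mac, tags))
    return findings

if __name__ == "__main__":
    for name, mac, tags in audit(ALLOW_LIST, ATTACHED):
        print(f"{name:12} {mac:18} {', '.join(tags)}")
```

An entry tagged both `name-matches-acl-entry` and `locally-administered` is the pattern described in the thread: a known device that has presented a new private address, so its allow or block entry no longer applies until Private Address is disabled for that SSID.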
- sunnyorlando, Jan 19, 2021, Aspirant
Attached is the iPhone that is in the not allowed list, not connected to the router. Once again, the device name is the same but the MAC has changed.