Orbi Pro WiFi 6 MAC ACL with Wired Backhaul

I've been struggling with setting up MAC ACL security on my system. With wired backhaul I've discovered the need to add all of my wireless devices to the "allowed" list under both the wired network and the wifi networks (except the "guest" network, which on my set is exempt from this issue). Took me a while to figure this out.

 

Is this to be expected? Or is it a firmware quirk that will ultimately get resolved? If this is working as expected please make an edit to the user manual indicating this. Thanks.

 

I have not tested if I need to do the same with a wireless backhaul.  

Message 1 of 5
schumaku
Guru

Re: Orbi Pro WiFi 6 MAC ACL with Wired Backhaul


@stevethompson wrote:

I have not tested if I need to do the same with a wireless backhaul.  


Probably not - because this is a dedicated and isolated network.

 

The confusion is coming from the idea of a "wired backhaul" ... in fact, this does not exist (only in the simplified version using direct links between the SRx60 devices, making kind of a dedicated network again), for many others this is the user's normal shared wired "work" network with switches, printers, computers, ...

 

One could dispute if the MAC ACL is intended to "secure" to limit the wireless access of the virtual radio, or if there is really more required like a MAC ACL filtering at both boundaries (Wireless SSID <-> Bridge and Bridge <-> LAN). From the pure practical view - who on earth does manage MAC white lists on switched networks (???) - in my opinion only the radio side should be covered.

Message 2 of 5

Re: Orbi Pro WiFi 6 MAC ACL with Wired Backhaul


@schumaku wrote:

The confusion is coming from the idea of a "wired backhaul" ... in fact, this does not exist (only in the simplified version using direct links between the SRx60 devices, making kind of a dedicated network again), for many others this is the user's normal shared wired "work" network with switches, printers, computers, ...

I must admit, I do not understand what you are saying. 

 

But what appears to be happening is when a satellite is wire connected to the router any device that wirelessly connects to that satellite is treated as having both a wired and a wireless connection. Such that when enabling MAC ACL on the wireless SSID it is possible to connect an allowed device to both the router and the satellite, but if MAC ACL is enabled on the wired pathway those wireless devices need to be enabled there as well, otherwise they can only have access via connection through the router.

 

This may be a bug in the MAC ACL implementation, or it may simply be a feature that comes with using a wired backhaul. 

 

Again, I am getting the full performance I need from my setup, but it took much trial and error to figure out how to make MAC ACL control work when using a satellite connected via wired backhaul.

Message 3 of 5

Re: Orbi Pro WiFi 6 MAC ACL with Wired Backhaul

Same condition exists with fw:  3.2.0.108

 

When satellite port 1 is wired to router port 1, wireless devices must be MAC ACL enabled in both the appropriate wireless SSID and as a wired connection.

Message 4 of 5

Re: Orbi Pro WiFi 6 MAC ACL with Wired Backhaul

Here to chip in that I am experiencing the same issue as well.  The MAC list will change up randomly after some time, and completely disallowed devices will show up on sensitive networks.  Scary. 

 

When I look at attached devices, many of the wireless connected devices are showing up as ethernet connected, because I have both my satellites connected to the router via ethernet backhaul and it seems to have fooled the Orbi. Strangely enough, it appears that occasionally devices will jump between wireless and wired, seemingly at random, depending on which satellite it's connected to. All routers and satellites have the most current firmware (3.2.5.102).

 

Consequently, this observation is in agreement with the above statement that MAC ACL must be done on the wired and wireless access list because the Orbi thinks these wireless devices are connected.

 

I tried for 48 hours to try to figure out a way to get the wireless devices to stop showing up as wired while using wired backhaul and still have been unable to figure it out.  I really do hope this gets resolved with firmware.  I think at this point I may have to disconnect the backhaul for now to make Access list management easier and to avoid any possible bugs that may be creating vulnerabilities....

 

 

Message 5 of 5