MAC Address Filter Not Functioning - THG3000 Box - Full Fibre

aerostar
2: Seeker

How can I have MAC Filter on for both WIFI and ETHERNET simultaneously?

If I set MAC Filtering for Ethernet devices and also set MAC Filtering for WIFI devices then no WIFI devices can connect. It only works if only one or the other is set... which is not very safe. Unless I'm missing out on what's happening.


Thank you @Ripshod for your replies and suggestions. I normally disable DHCP but haven't tried the 'Radius server' method. Would you be able to give some pointers on how to go about setting this up? Thanks again.

Ripshod
16: Advanced member

If you've never used a RADIUS server it's a steep learning curve.

I suggest you Google for info on it.

If you have a PC connected and running constantly then you can install something like openradius on there. Otherwise there are online servers, like JumpCloud.

CrimsonLiar
16: Advanced member

So can we confirm that the THG3000 has a MAC filter for physical connections in addition to WiFi and we're not confusing this with something else? It sounds like you are playing with routing and not MAC filters!

Be aware that for some mobile devices the default now is to use a randomised MAC address on connecting to WiFi - so if you've set MAC to deny all but authorised, you'll have problems!

Running a mixed WPA2/WPA3 setup can be a nightmare. It's sometimes necessary to force WPA2 - so definitely not ready for the mainstream!

Why the need to disable the DHCP server? I have a free range for static devices, and another for manual devices, but DHCP is neither problematic nor a security threat! The amount of hassle to set up and maintain a RADIUS server is not justified by the minor amount of extra security.
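
An added example, not part of any post in this thread, illustrating the randomised-MAC point above: a randomised Wi-Fi address has the locally administered bit (0x02 of the first octet) set, so an allow-list can be audited for clients it will reject for that reason. The function names, the allow-list and the observed addresses are all constructed for illustration and do not come from the THG3000.

```python
import re

def normalise_mac(text):
    """Return a MAC as 'aa:bb:cc:dd:ee:ff', accepting ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomised Wi-Fi addresses set this bit; burned-in vendor addresses do not.
    """
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)

def audit(allow_list, seen):
    """Classify each observed client against a deny-all-but-listed filter."""
    allowed = {normalise_mac(m) for m in allow_list}
    report = {}
    for name, raw in seen.items():
        mac = normalise_mac(raw)
        if mac in allowed:
            status = "allowed"
        elif is_locally_administered(mac):
            status = "blocked: randomised address, not in list"
        else:
            status = "blocked: not in list"
        report[name] = (mac, status)
    return report

# Constructed sample data: not taken from the thread or from any real network.
ALLOW_LIST = ["00-11-22-AA-BB-CC", "0011.22dd.eeff"]
SEEN = {
    "laptop (ethernet)": "00:11:22:aa:bb:cc",
    "phone (wifi)": "DA:A1:19:5C:0E:42",
    "printer (wifi)": "00:11:22:dd:ee:01",
}

if __name__ == "__main__":
    for name, (mac, status) in audit(ALLOW_LIST, SEEN).items():
        print(f"{name:18} {mac}  {status}")
    # An allow-list entry that is itself randomised goes stale
    # if the device later presents a different address.
    for entry in ALLOW_LIST:
        if is_locally_administered(entry):
            print("warning: allow-list entry is a randomised address:", entry)
```
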

Ripshod
16: Advanced member

I can confirm there are MAC filters for LAN. What's just come to mind is WiFi is also called WLAN. What I'm wondering now is whether putting all LAN and WiFi MACs into that filter would get it working.

Maybe my recommendation for a RADIUS server was a little tongue in cheek, but it's a valid option.

You can force a device to use its default MAC.

The OP is concerned about unauthorised access to the LAN. I would understand that concern if disgruntled acquaintances had access to the LAN, but really how would they have access? If the OP is that concerned about security then surely locks would have been changed before they even posted?

Afterthought - why be so concerned about LAN security when most routers have at least one USB port? 

Jayach
16: Advanced member

@Ripshod wrote:

Afterthought - why be so concerned about LAN security when most routers have at least one USB port? 


You can't get access to the broadband/router via a USB port.

I still can't see the point of MAC filtering on the LAN? If someone can connect a cable to the router, they can press the reset button.

CrimsonLiar
16: Advanced member

It may be possible to access the router via a USB device - if it's got the drivers in the router to allow a mobile dongle or connect to the internet via a mobile phone then it may be possible to connect other devices.

*I may have connected a Pi Zero as a DNS server on the HHG2500 at one point!  **Not something I can even do with the Asus GT-AX6000 without messing up other routing!

 

I guess the next question is:  Can the THG3000 be set up to force RADIUS authentication because otherwise, you could get straight around it using a static IP defined on the device itself?

Yes, I have devices with 'Randomised MAC's but they seem to be OK... don't know when or what causes a change, so far no issues there though...

The more worrying point is someone resetting the router, as mentioned... at least it would be immediately noticeable when logging back in. Any way to counter that threat?

Ripshod
16: Advanced member

I'd imagine that any malicious actor in your property would have a lot more to do than worry about your router.

Brings us back to the question - how are these people going to access your home/premises?

Find a good electrician/repair tech and ask them to remove the reset button. 

---

CrimsonLiar
16: Advanced member

@Ripshod wrote:

I'd imagine that any malicious actor in your property would have a lot more to do than worry about your router.

Brings us back to the question - how are these people going to access your home/premises?

Find a good electrician/repair tech and ask them to remove the reset button. 


A pair of sharp snips is usually good enough!