I bought a Flint 3 and received it about 2 weeks ago. Love the router, everything works great. However I am running into a bit of an issue. So, I set up my MLO network, which works great. However, I also have some smart home devices, which don't support WPA3. Which isn't an issue in and of itself, since I can set up a separate 2.4 GHz network just for them, set it to WPA2 and that's it. Additionally, since WPA2 is cracked, at least technically, I set that network up with a MAC filter. I can't set up just that network to be allowlisted through the GL.iNet admin panel, either all networks are blocklisted, or all are allowlisted, but it is possible to do via LuCI, which isn't an issue. But, whenever the router reboots, for some reason, the devices just can't seem to reconnect to it. Whenever the router reboots, I have to go into the settings, add a new MAC address to the allowlist, disable the MAC filter, reboot the router, turn the MAC filter back on, and, finally, remove the newly added MAC address again. Hence, a question. Does anyone have a solution that would fix it? Because it seems to me like at startup the GL.iNet admin panel is overwriting some settings and it's confusing the router until all the settings are manually rewritten. And since I have to reconnect my smart home devices every single time, it isn't a pleasant experience.
Assuming your IoT devices can be placed onto a separate network, and you can communicate with them through the internet (via the manufacturer's server or something), you can mimic the setup for the Guest Wi-Fi and create an IoT interface, then an IoT 2.4 GHz Wi-Fi.
Lock down the ports so it only has access to DHCP and DNS, make it so the devices are isolated on the AP, and you should be golden.
Anything connected to your access point should not have access to your router or anything else on your network.
At most the attacker would just be able to browse the internet.
Assuming you aren't extending this to another AP or anything, this should work fine.
I can add instructions later if you want to go down this route.
As far as I understand it can only be cracked if the connected devices downgrade to WPA2. But all devices I tried to downgrade to WPA2 myself when tested (by switching the router to WPA2) always ask something like "This network used to be WPA3, now it's WPA2, are you sure you still want to connect?", which would be an obvious giveaway that something's gone wrong.
I'll take your word for it. I loathe Wi-Fi because of this sort of nonsense. I shunt everything through a WG &/or TLS tunnel. At least then I have a better chance of changing out the ciphers if/when that time comes.
That's the thing, I don't want the attacker to be able to browse the internet. Otherwise I'd just put them on a guest network and call it a day. How I am getting around the issue now is I have an old router connected to the Flint and I run a separate Wi-Fi network off of it (the channels are configured so they don't overlap) which only the smart devices are connected to. And that network has a MAC filter allowlist on it. And it works fine, even when both routers are rebooted. Which makes me think that it's the GL.iNet admin panel screwing something up. More evidence supporting this theory is that even after disabling the MAC filter on the Flint it still doesn't allow other devices to connect to the network, until I add another MAC address to the list, which rewrites it, disable it and THEN reboot the router, which seemingly fixes whatever was overwritten by it. After which I can turn the allowlist back on and it works just fine.
You could use WPA3 just fine; the default value for OpenWrt about pecking is not the vulnerable one, which otherwise would result in a Dragonblood vulnerability.
Although Wi-Fi is never 100% safe and secure, in my situation I fixed that by using a WireGuard VPN: even if an attacker would gain access on the same subnet, then he has no internet, and neither can he read the data which I send to the router; even if they would decrypt Wi-Fi frames with KRACK or Kr00k they still only see WireGuard frames.
Although I use multi-PSK, so obviously I can't prevent an attacker on a different network, and a lot of IoT devices don't have VPN client capabilities, so the VPN is only for my most important devices like a smartphone or tablet.
So far it works great, but it will cause higher latency, so for streaming with Moonlight that is maybe something you don't want.
Unfortunately I don't think this can be done with the VPN software in the GL UI.
Sorry, there was some confusion about the use, and it failed to meet your requirements/scenario.
The current black/white-list of the GL GUI is aimed at the clients of all interfaces that are connected, and does not distinguish which interface the clients are connected to.
I will submit a request to the PM team for evaluation of more refined black/white-list management.
You can use LuCI to configure the MAC filter. I have tested it on my side: restart the router, and it is still able to refuse the specified client from connecting.
Well that's interesting. Because when I set it up through LuCI (except with allowlisted only), for some reason it doesn't work after the router reboots. Which might be an interesting issue in and of itself. Could it be due to the fact that the GL.iNet admin panel effectively assumes everything should be set to blacklist (but with no addresses added to it), so it doesn't mess things up when it comes to a blacklist (same as yours), but does when it's an allowlist, but all other interfaces remain blacklist with no addresses included?
You could be onto something. I have the sneaky suspicion this may be another case of the GL firmware 'doing its own thing' rather than, IMO, just making the appropriate uci calls that LuCI would use (ref: WG confs, static DHCP).
I don't think one would need to reboot the device. /etc/init.d/network restart should do it, shouldn't it?
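For reference, this is what the per-SSID allowlist looks like when done with plain uci calls rather than the GL GUI. It is an added example (not from the thread or GL.iNet's own tooling) and assumes the 2.4 GHz IoT SSID is the wifi-iface section named `iot` in /etc/config/wireless; the MACs are constructed samples.

```shell
#!/bin/sh
# Added example: per-SSID MAC allowlist on OpenWrt via uci (not GL.iNet code).
# Assumes the IoT SSID's wifi-iface section is named 'iot'
# (find yours with: uci show wireless | grep wifi-iface).

IOT_IFACE="${IOT_IFACE:-iot}"

# Returns 0 if $1 is a colon-separated MAC address, 1 otherwise.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Prints the uci commands that make the named wifi-iface an allowlist
# (macfilter=allow) holding exactly the given MACs; any bad MAC aborts.
allowlist_cmds() {
    iface="$1"; shift
    for m in "$@"; do
        valid_mac "$m" || { echo "bad MAC: $m" >&2; return 1; }
    done
    echo "uci set wireless.${iface}.macfilter='allow'"
    echo "uci -q delete wireless.${iface}.maclist"   # -q: fine if list absent
    for m in "$@"; do
        # hostapd matches case-insensitively, but keep the config lowercase
        echo "uci add_list wireless.${iface}.maclist='$(printf '%s' "$m" | tr 'A-F' 'a-f')'"
    done
    echo "uci commit wireless"
    echo "wifi reload"   # reapplies wireless config without a full reboot
}

# Apply on a real OpenWrt box; elsewhere just print what would run.
apply_allowlist() {
    cmds=$(allowlist_cmds "$@") || return 1
    if command -v uci >/dev/null 2>&1; then
        printf '%s\n' "$cmds" | sh -e
        # read back what is now persisted, to compare after a reboot
        uci show "wireless.$1" | grep -E 'macfilter|maclist'
    else
        printf '%s\n' "$cmds"
    fi
}

# Constructed sample devices, not real hardware.
apply_allowlist "$IOT_IFACE" "de:ad:be:ef:00:01" "DE:AD:BE:EF:00:02"
```

After a reboot, `uci show wireless.iot | grep mac` should print the same lines; if it does not, something on the GL side rewrote the section.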
It's possible LuCI is not fully compatible; this is due to the QSDK or MTK SDK. I know from the older days with the Flint 1 I had to resort to using the iw command to set the whitelist/blacklist, and this never got saved, so I was forced to use it as a startup command.
I'm not sure if you have access to iwpriv command though.
But I used to use these sets of commands:
^ note only the non-karma ones; I guess the karma is not something default in iwpriv.