How to increase Wi-Fi security with PMF Protected Management Frame

Hello
I am an amateur security guy and I like performing tests on my own devices to see how can I protect them better and discover their vulnerabilities and hopefully mitigate the risks. I have a Flipper Zero device with a Wi-Fi development board based on ESP 32, where I have installed a custom firmware so that I can do penetration testing and vulnerability scanning on my Wi-Fi.

With a simple click, I can send a de-authentication frames from my Flipper Zero device and deauthenticate ALL my personal devices connected to my 2.4 GHz network immediately. With the permission of my neighbors as well, I successfully deauthenticated all their Wi-Fi 2.4 GHz clients without knowing their Wi-Fi passwords, and this is something that I want to avoid on my network and advise my friends on how to protect their networks as well.

My friend who is working as a network engineer in a big company, gave me some suggestions on how to mitigate this, by enabling the feature called Protected Management Frames (PMF). When PMF is enabled, such attacks from the Flipper Zero would have no effect and I cannot deauthenticate devices protected with PMF.

  1. Is it possible to manage and enable PMF in GL-6000? If YES then how?
  2. Are there any performance drawbacks?
  3. Are there any known issues or bugs?
  4. Is there a minimum OpenWRT firmware to install for PMF to work?
  5. My GL-6000 has the latest Beta FW 4.7.0 available to this date

Thanks

Easiest way: Choose WPA3 instead of WPA2 or less.
PMF is mandatory for WPA3

depending which firmware you use, i recomend the op24 version for this.

just go to network -> advanced settings.

login with root and password is the same as your router from gl ui.

then navigate to network -> wireless and edit one.

click on the tab wireless security and set it to optional.

please note that not all devices support PMF, this goes both ways so best is to set it to optional for wpa2.

and like @admon said if wpa3/sae possible that is the better option.

Hi @admon and @xize11
I just wanted to let you know that I managed to fix the issue. When I upgraded my router to the latest beta version, at that moment it was version openwrt-mt6000-4.7.0-1011-1728640968. This version has some bugs and in fact, if I configure the router's Wi-Fi to use WPA2-PSK/WPA3-SAE then my legacy devices that used to connect with WPA2-PSK will not connect. So I reverted back to the latest original firmware available but I did not like the few VPN options I had in the original firmware, hence I redownloaded the latest beta firmware. Little did I know that even though it says it is version 4.7.0, the latest file name I downloaded is openwrt-mt6000-4.7.0-1018-1729252345 which is a different beta build than the first beta firmware I used and this one worked better, not exactly the best but at least I could connect my legacy clients! My legacy devices can connect using WPA2 and newer capable devices use WPA3 with Protected Management Frames. In fact, if I run my de-authentication attack on my own device, my WPA3 clients do not disconnect. Surprisingly WPA2 clients do not get kicked off the network as well!

I said this firmware worked better but not exactly the best because on my Samsung Galaxy Note 9 (legacy that does not use WPA3 or Wi-Fi 6), can connect to both Wi-Fi 2.4 and 5.0 GHz, but my device never memorizes the Wi-Fi password. I performed a Network Reset on my Note 9 and now I have no network configured, when I connect to my GL-6000 network, it always asks me for the password and never gets saved, other networks work fine, but my phone cannot memorize the GL-6000 network settings and I am forced to enter the password each time I try to connect.

The lessons learned from this router, is that beta firmwares have the same version (like 4.7.0) but different builds and I have to pay attention what build I have with respect to the available build and perform an upgrade if there is a new build

Thanks

At the end, the best solution for the time being with the current beta firmware is to have the two Wi-Fi networks set to WPA3 only and connect modern devices to this network, and enable the guest network with WPA2 only and connect legacy devices to this network.