Configure AirPort Extreme MAC filter ACL

Today I picked up one of the new dual-band AirPort Extreme base stations at Best Buy. The reason behind the purchase was so that I could use 802.11n for my iMac and Apple TV while using 802.11g for my iPhone, since this should give me the best wireless throughput for my shared files to the Apple TV.

After getting the DHCP, PPPoE, WiFi and network security configured to mimic the settings of the Linksys router that I replaced, I thought I was through, but then I realized that I still needed to configure an ACL to implement MAC filtering. For those who don’t know, a MAC filter on a typical router lets the admin control which devices will be allowed to talk to the router.

While there are some people who say that having both WPA2 encryption and MAC filtering is unnecessary, I decided that I wanted to do both, since I am allowing the SSID to be broadcast for the convenience of visitors.

On my last two Linksys routers (a WRT54G and a WRT160N) this was simply a matter of checking a box and entering the allowed MAC addresses into a table. On the AEBS it requires a little more work.

Necessary items

  • an Apple AirPort Extreme base station that is properly configured for your network
  • AirPort Utility
  • a list of the MAC addresses for the allowed devices

Step 1

Open AirPort Utility. On the main screen, double-click on the connected AEBS listed in the column on the left side of the window.

Main screen for AirPort Utility

Step 2

In the configuration screen that comes up, click on the Access options.

Airport utility access configuration screen defaults

Step 3

Change the MAC Address Access Control setting from its default to Timed Access.

Airport utility access configuration set to Timed Access

Step 4

In the configuration pane click on the default entry, then click the Edit button. This will bring up the Timed Access Control Setup Assistant window.

In the Timed Access Control Setup Assistant window, click the drop-down menu that currently reads Everyday and select No Access from the list. This will make sure that any computer or device with a MAC address that is not in the list will be denied access to your network. Then click the Done button to save your changes.

Timed Access Control Setup Assistant for default rule

Step 5

Back in the access configuration screen, click on the plus sign on the left below the list of devices. This will bring up the Timed Access Control Setup Assistant window that allows you to add new devices.

In the MAC Address field you will need to enter the MAC address (aka ethernet address, hardware address, ethernet id, etc.) for your device. (Hint: If you are doing this for the computer you are currently using, just click the This Computer button.) If you want, you can add a description for each device as well. I use the device’s hostname when appropriate.

Then change the time frame that the device is allowed to connect if you need to restrict it to something other than the default of Everyday/all day.

When you are finished just click the Done button to save your changes. Repeat this step for each device.

Timed Access Control Setup Assistant add device dialog

Step 6

After adding all your devices you should have a screen that looks similar to the below. (Note: I have obscured my MAC addresses to protect the innocent.)

Airport access configuration screen completed

Step 7

If you have added all your devices and you are sure you are finished, just click the Update button. This will save your configuration changes and restart the AEBS.
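The rule list built in Steps 4 and 5, modelled as an added example (not code from the original post or from Apple): a default entry set to No Access plus one entry per allowed device, applied to wireless clients only. The class and function names, the sample MAC addresses, and the assumption that several entries for one device combine into several allowed windows are illustrative.

```python
import re
from datetime import time

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated octets; raise ValueError if malformed."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class TimedAccessList:
    """Simplified model of the list built in Steps 4 and 5 (not Apple's code)."""

    def __init__(self, default_allowed=False):
        # Step 4: the default entry set to No Access means unlisted devices are denied.
        self.default_allowed = default_allowed
        self.rules = {}  # normalized MAC -> list of (start, end) windows

    def add(self, mac, start=time.min, end=time.max):
        """Step 5: one entry per device; extra entries add extra windows (assumption)."""
        self.rules.setdefault(normalize_mac(mac), []).append((start, end))

    def permits(self, mac, now, wireless=True):
        if not wireless:
            return True  # the filter only applies to wireless clients
        windows = self.rules.get(normalize_mac(mac))
        if windows is None:
            return self.default_allowed
        return any(start <= now <= end for start, end in windows)

def build_example():
    """Constructed device list; the addresses are made-up locally administered MACs."""
    acl = TimedAccessList(default_allowed=False)
    acl.add("02-00-00-00-00-01")                       # desktop, all day
    acl.add("0200.0000.0002", time(17), time(18))      # kid's laptop, 5-6 pm
    acl.add("02:00:00:00:00:02", time(20), time(22))   # same laptop, 8-10 pm
    return acl

if __name__ == "__main__":
    acl = build_example()
    for mac, when in [("02:00:00:00:00:02", time(17, 30)),
                      ("02:00:00:00:00:02", time(19, 0)),
                      ("02:00:00:00:00:99", time(12, 0))]:
        print(mac, when, "allow" if acl.permits(mac, when) else "deny")
```

Normalizing before lookup matters when the device list is collected from different sources, since the same address may be written with colons, hyphens or dots.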

Final Notes

Understand that, like the Linksys MAC filter, this only affects devices that are connecting over the wireless network. This is useful, since a wired connection gives you an avenue for fixing any problems that you run into. Also, if you run into a problem so extreme (pardon the pun) that you need to perform a hardware reset of the AEBS, follow the instructions in the Apple knowledgebase article Resetting the AirPort Extreme Base Station (Article No. HT1406).

  • Bruce

    Is there any way I could configure the Extreme Airport to filter out certain website addresses to prevent kids from playing too many online games?

    • http://arfore.com/ arfore

      @Bruce, As far as I can tell there is no ability to filter content from within the interface of the AEBS.

      There are a couple of ways that you can approach the problem:

      1. Install any of the myriad of filtering packages available on the Internet. One of the first ones I heard of that comes to mind is NetNanny.
      2. Another is to use the parental controls available from many of the large ISPs.
      3. A third would be to use something like the OpenDNS system that allows you to have a “local” network and configure the content filtering preferences. Check this article for more information on that.

      Hope that helps some.

      Andy

  • Marius

    Thanks for this very helpful walkthrough. Had been struggling a bit to set this up properly.

    Cheers
    Marius

  • buederich

    Hi, the icon in the first picture shows a Time Capsule or AirPort Extreme. Do you know if MAC filtering works on an AirPort Express? Thanks, Buederich

  • http://arfore.com/ arfore

    @buederich

    I have no idea if this process works on an Airport Express. I would imagine that it might, but I don’t have one to test it with.

    Andy

  • http://faelanblair.com Faelan

    Thanks for the help. I appreciate it.

    Here is a concern someone might be able to address:

    I have both an Airport Extreme and an Airport Express. I set up MAC controls that required even the Express to be registered in the Access list. All well and good.

    But, in the Airport Utility, if you click on your Express, there does not seem to be any way to filter for MAC addresses. So would this mean that my network is still vulnerable? I would think if someone can get my password somehow, and log on via the Express, then they can bypass what measures the Extreme has enabled.

    No?

  • http://arfore.com/ arfore

    Faelan,

    If the Airport Utility doesn’t allow you to apply the same sort of filters that the Airport Extreme has, then any device that can connect to your Express essentially gets piggy-backed into the network due to the fact that the Express is white-listed with the Extreme.

    Could this potentially allow a hole? Yes. If someone with a Mac acquired your password for the Airport Extreme, then they could open Airport Utility and alter your settings.

    I don’t have an Express so, I can’t actually verify this would work, but this has been the case with other network extenders that I have used.

    My suggestion would be to not only implement the MAC filtering, but to also implement network encryption as well.

    Andy

  • http://faelanblair.com Faelan

    Thank you for your advice.

    What exactly will the encryption do? And does it affect the speed of the network?

    Thanks

  • Earl

    Can you place multiple time (internet) restrictions on one device, ie: internet access from 5 to 6 pm and then again from 8 to 10 pm?

  • roger

    Yes you can. Granularity includes by day, week, weekend, and time. Simply add more access rules.

  • Jim

    Can the base station be used to control Ethernet access as well as wireless access? So far I have entered both wireless and ethernet Mac addresses and wireless is stopped IAW the set times, but ethernet can access regardless. Help. And thanks.

  • Mark

    Great info, Thanks! Any chance this can be done with the wired side? In my old linksys routers you can mac filter out what computers on the network have access to the internet. If filtered they can still access the wired network but have no internet connection. Can this be done?

    Thanks!
    Mark

  • http://www.robthecomputerguy.com Rob

    This blog entry comes up in early google search results and it’s absolutely wrong to use MAC filtering and WPA security on a home network, it’s redundant, and by telling anyone that it is a sound thing to do, you’re giving out bad advice. From the looks of the comments here, I’m guessing you moderate comments and have not posted the many people before me who have told you this as well.

    Your reasoning for using both because you broadcast your SSID for the convenience of guests would be irrelevant because you’re going to have to go in to your airport software to make a configuration change to allow them to access your network! What convenience is it to a guest to say “Yes you can use my wifi when you give me your mac address” … sheesh! Turning on your SSID for the convenience of guests is unnecessary, just make your SSID something easy to type in.

    The point behind MAC filtering is that you don’t need to secure the network any other way, and all this other stuff is to make things user friendly. If you have to go in and make all these changes to your system to allow a guest, then it’s not easy or user friendly. Get with the program man and don’t go giving out nerdy advice like this!

  • http://arfore.com/ arfore

    @Rob: Thanks for your insightful comment. Dang it, the sarcasm tag still isn’t an html standard.

    Actually without knowing how I use my own network you can’t easily make such pronouncements. Enabling WPA security on my network has more to do with encrypting the wireless traffic itself than keeping other people off the network. I realize that the “program” says that my method is redundant, however the AEBS has a guest network functionality built-in that allows me to have separate network configurations, one for permanent “guests” (i.e., those people that use the network regularly, but don’t reside in my apartment) and those that may drop by on an occasional basis (i.e., people like yourself, however from your tone, I am not sure that I would want you in my apartment).

    In case you haven’t used one before, there are some devices that still need to see the SSID in order to connect, whether they have been explicitly allowed or not, besides it’s much more convenient to select a network name from a menu than it is to have to type it in every time.

    As for moderating the comments, I do, however I have nothing against allowing comments that disagree with my own opinions, hence the approval of your own comment. Before you go assuming that I would purposefully delete comments that might come in on the other side of the issue, you might do well to learn something about the moderator of the blog. In point of fact, you are the sole commenter to have had a truly negative and worthless comment to post.

    Thanks for playing the friendly game of “There’s more than one way to configure a computer peripheral” and while you are at it you might want to play “Let’s all try to be civil and not jump to conclusions.” Oh, and if you are in the market for the proper attire for the second game try this on for size:

    http://www.thinkgeek.com/books/humor/8e6c/images/2070/

    And while we are at it, you might want to rethink your third paragraph. The point of MAC filtering is to keep unauthorized devices from connecting. The point of WPA encryption is to keep nefarious individuals from sniffing your traffic. I never said that I was broadcasting the SSID to allow the great unwashed into my network. The word guest has many meanings, none of which I would readily apply to you if you showed up at my door.

    • Seii

      LOL, I love how you handled your answer here. Nothing too much, and at the same time nothing left out :)

      There are so many people just like him out there, and that’s what’s so scary about all this. Your intentions posting this MAC filtering advice were nothing but great, and I just want you to know (if it’s worth anything), there are some people who appreciate all this.

      Thanks again!

  • Kevin

    The Mac Access Control doesn’t seem to affect the ethernet connections on my Airport Extreme. I have 2 unlisted units attached and they access without a problem. My old Linksys (Ethernet wired) router worked effectively with feature enabled.

    Also, I have another Airport Extreme (Older) hooked up as a client on the ethernet port of the new one and I can’t find the wireless unit (G4 OS X 10.4 Original Airport card 801.11b WEP security) connected to the older one to share files (This may need to go on a different topic, perhaps).

  • Baris

    I had been using MAC filtering on the AirPort Extreme until all the PCs and Macs started to lose connection every 10 minutes. I wonder if anyone else had this issue. Any advice is welcome.

  • Ricky

    Thank you for this helping hand walkthrough.
    Can you also help out with this…
    How do I make a way for my children’s friends to connect to our network BUT only from time to time? Is there a way of creating a kind of guest connection?

  • Seii

    I hope Andy, you’re still watching this page :)

    Hi, this works perfectly, thank you for your time explaining everything in details. It’s greatly appreciated.

    I have one weird problem though. After everything is configured, all my devices I allowed to connect are able to connect without any problems. The only thing is, I can not access my Airport Extreme through Airport Utility anymore. It simply won’t find it. Am I doing something wrong?

    Any help is greatly appreciated,
    Thanks in advance

    PS. This is a screenshot of what I get when trying to fire up my Airport Utility. I am basically totally unable to configure my router
    http://i.imgur.com/o4OIq.png

  • Seii

    Hmm, very weird. It looks like this was happening after I let the Airport Utility do a reboot when requested (after configuring all MAC filtering rules).

    I just tried manually turning my Airport Extreme off (unplugging cable) for about 10-15 seconds, and after turning it on again, I was able to access it without any problems. Everything works great now. Not sure why, but it seems like this worked.

    Hope this can help someone with same problem…
    Cheers!

  • JMK

    Hi Andy
    Is there a limit to the number of MAC addresses you can enter? What if I wanted to add 100 MAC addresses and use WPA? I do not have an Airport but am looking for a vendor that supports both MAC filtering and WPA.

  • http://www.hostway.in Makarand

    I wanted to know how many MAC addresses I can put into the MAC address filter list. Is there a limit on adding hosts?
    In my office there are at least 50 employees who access the internet through the wireless network. I want to add all of these MAC addresses to the MAC address filter list.
    Can someone help?

    Thanks in advance.

    -Makarand.

  • flakefrost

    There’s a new AirPort coming out in a couple of days :)