Best Security Practices
dayas
12-04-2009, 01:35 PM
We have an all-UBNT WISP. We are currently using Access WDS mode with MAC filters, only allowing our Station WDS units whose MAC is enabled on the access point to access it. We are also using WPA2-AES with a pre-shared key between the access point and subscribers.
The problem we are having is that every time I add a new subscriber, I have to enter its MAC address in the access point and then reboot my access point. This wouldn't be a huge issue; however, we are also providing VoIP services to our end users, and calls are being dropped when I reboot the access point.
There has got to be a more secure or better way of doing what I am trying to accomplish. Any ideas? Any help would be appreciated.
konrad
12-04-2009, 01:46 PM
If that's a problem for you, don't use it, or use a mask instead: 00:15:6D:FF:FF:FF
Of course it allows all 16 million or so MACs to connect, but a MAC filter isn't security, just the same as channel shifting.
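An added example, not code from the thread or from the AirOS firmware, showing what the mask konrad gives actually admits and why a matching entry proves nothing about who is connecting. It assumes, as konrad describes the mask, that an octet written as FF matches any value in that position, so the entry covers one vendor prefix (OUI) with the host part left open. The addresses it checks are constructed sample values.

```sh
#!/bin/sh
# Added example, not code from the thread or from the AirOS firmware: what a
# MAC-filter entry with FF wildcard octets such as 00:15:6D:FF:FF:FF admits.
# Assumption (taken from how konrad describes the mask): an octet written as FF
# matches any value in that position, so the entry matches one vendor prefix
# (OUI) with the host part left open.

# mac_matches MAC PATTERN
# exit 0 when every octet of PATTERN is FF or equals the corresponding MAC octet
mac_matches() {
    mm_mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    mm_pat=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    i=1
    while [ "$i" -le 6 ]; do
        m=$(printf '%s' "$mm_mac" | cut -d: -f"$i")
        p=$(printf '%s' "$mm_pat" | cut -d: -f"$i")
        [ "$p" = "FF" ] || [ "$p" = "$m" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# mask_size PATTERN
# print how many distinct addresses PATTERN admits: 256 per wildcard octet
mask_size() {
    n=1
    for p in $(printf '%s' "$1" | tr 'a-f:' 'A-F '); do
        [ "$p" = "FF" ] && n=$((n * 256))
    done
    echo "$n"
}

# filter_decision "PATTERN ..." MAC
# print ALLOW if any entry in the space-separated list matches MAC, else DENY.
# This is all the AP's filter checks: the source address the frame claims.
filter_decision() {
    for pat in $1; do
        if mac_matches "$2" "$pat"; then
            echo ALLOW
            return 0
        fi
    done
    echo DENY
}

# Constructed sample data, not from the thread's network.
ACL="00:15:6D:FF:FF:FF"
echo "addresses admitted by $ACL: $(mask_size "$ACL")"   # 16777216
echo "UBNT-prefixed station 00:15:6d:12:34:56: $(filter_decision "$ACL" 00:15:6d:12:34:56)"   # ALLOW
echo "other vendor's card   00:1a:2b:33:44:55: $(filter_decision "$ACL" 00:1a:2b:33:44:55)"   # DENY
```

The count is the point: one OUI entry admits every address in that 2^24 block, and the filter only ever compares the address a frame claims, so it cannot distinguish a paying subscriber's radio from any other device presenting an address in the same block. That is the sense in which the filter is a convenience, not an authentication step, and why the WPA2 key and the per-user authentication discussed later in the thread carry the real security.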
dayas
12-04-2009, 01:47 PM
Well, I am also using channel shifting. But I don't want anyone off the street to buy something that can connect to my network; what are my other options?
dayas
12-04-2009, 02:47 PM
And also, adding 00:15:6D:FF:FF:FF does not work.
konrad
12-05-2009, 05:18 AM
Well, you are saying you have WPA2 on, so nobody can connect without the proper password.
The mask I had set up was on older UBNT gear, pre-AirMax; it was quite some time ago and I might not remember correctly whether it worked fine with WPA.
Someone smart enough can join your network with any gear he likes, just by sniffing your MACs and changing his. Like I said, a MAC filter is not proper security.
I will test your case with the testing AP I have deployed in a moment; I have WPA2-AES on and will add a MAC filter with the mask...
...it is working, so you are doing something wrong here.
dayas
12-08-2009, 01:19 PM
When I am testing this in my lab I am not using WPA; I have the security on the AP and the station set to none. I enable the MAC filter with 00:15:6D:FF:FF:FF and my station will not connect. Either way, all I am trying to do is make my network secure. I would like to do RADIUS but have not been able to get that to work. What would you recommend for security, since the MAC filter is not really that secure?
konrad
12-08-2009, 03:08 PM
Just use WPA2. RADIUS should do, but I have no experience with it.
dayas
12-08-2009, 03:36 PM
OK, yeah, we are doing WPA2 with a shared key; I just didn't really know how secure that was.
konrad
12-08-2009, 03:43 PM
It's better than a MAC filter. A MAC filter is not security; WPA2 is.
cwnetwork
12-08-2009, 04:22 PM
Well, you could use some other sort of authentication like PPPoE as well... something like a MikroTik RB with a PPPoE server set up, where every client has a user/pass... so even if they guess or get the WPA2 key and join, they still cannot access anything without authenticating first.
dayas
12-08-2009, 07:06 PM
All of our clients are UBNT Nanos or Rockets.
ether3al
12-08-2009, 11:40 PM
I have not yet deployed our AirMax network, but as I have not had any luck running the RADIUS hack, I have implemented the following in my pilot build:
Custom firmware build running:
10 MHz channel width (so the network is not visible to standard Wi-Fi adapters)
WPA2 PSK
Password to prevent access to the CPE
ebtables to allow only PPPoE traffic to traverse the br0 interface
I am hoping VLAN tagging and RADIUS are officially integrated into AirOS 5 soon though!
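An added example, not code from the thread or from any UBNT firmware build, of the bridge filter ether3al lists and of the CPE side of the PPPoE scheme cwnetwork suggests: only PPPoE frames may cross the CPE's bridge, so a radio that has associated (or a subscriber whose WPA2 key has leaked) has no IP path at all until it authenticates to the PPPoE server. It assumes the bridge is br0 with the wired and wireless ports as members, that ebtables' FORWARD chain is what sees bridged frames, and that the firmware ships ebtables with that chain available; the ethertype checks against constructed frames at the end are a local reading of the policy, not a call into ebtables.

```sh
#!/bin/sh
# Added example, not code from the thread or from any UBNT firmware build:
# restrict the CPE bridge so that only PPPoE frames are forwarded across br0.
# Assumptions: br0 bridges the wired and wireless ports (as on AirOS), the
# FORWARD chain handles bridged frames, and ebtables is present in the image.

PPPOE_DISC=0x8863   # PPPoE Discovery stage: PADI/PADO/PADR/PADS/PADT
PPPOE_SESS=0x8864   # PPPoE Session stage: the PPP frames carrying subscriber traffic

# pppoe_only_rules: print the rule set, one ebtables command per line.
# Order matters: flush, accept the two PPPoE ethertypes, then set the default
# policy to DROP so plain IPv4, ARP and DHCP frames are never bridged.
# Hex ethertypes are used so the rules do not depend on an /etc/ethertypes table.
pppoe_only_rules() {
    cat <<EOF
ebtables -F FORWARD
ebtables -A FORWARD -p $PPPOE_DISC -j ACCEPT
ebtables -A FORWARD -p $PPPOE_SESS -j ACCEPT
ebtables -P FORWARD DROP
EOF
}

# bridged_frame_verdict ETHERTYPE
# print what the FORWARD chain above does with a bridged frame of that
# ethertype (a local check of the policy's logic, not a call into ebtables)
bridged_frame_verdict() {
    case "$1" in
        "$PPPOE_DISC"|"$PPPOE_SESS") echo ACCEPT ;;
        *) echo DROP ;;
    esac
}

# apply_pppoe_only: load the rules on the CPE. Only acts when APPLY=1 is set,
# so the script can be reviewed and checked without touching a live bridge.
apply_pppoe_only() {
    if [ "${APPLY:-0}" = 1 ]; then
        pppoe_only_rules | sh -e
    else
        pppoe_only_rules
    fi
}

apply_pppoe_only
# Constructed frames: IPv4 (0x0800) and ARP (0x0806) are dropped, PPPoE passes.
for et in 0x0800 0x0806 0x8863 0x8864; do
    echo "$et -> $(bridged_frame_verdict "$et")"
done
```

Two things a practitioner would check before deploying this: the INPUT chain is left alone, so the CPE's own management address on br0 stays reachable and the password on the CPE that ether3al lists still guards it; and ebtables rules do not survive a reboot on their own, so they belong in whatever startup script the custom firmware runs. The PPPoE server itself (the MikroTik RB in cwnetwork's test link, or any other) sits on the wired side of the base station and is where the per-subscriber user/password is actually checked.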
dayas
12-09-2009, 10:34 AM
Anyone know if they are trying to add RADIUS anytime soon?
cwnetwork
12-09-2009, 04:44 PM
The MikroTik RB was an example; any PPPoE server will do, and a Nano or whatever as PPPoE clients. I suggested it as it is one more way of adding a layer of security to the link.
The way we run it (in a test link) is with a MikroTik RB450G connected to the network backbone and the base stations, so... MikroTik <> Bullet M2 in AP mode with sector panel <> Bullet M2 in CPE mode and PPPoE client, but anyway.
ether3al
12-10-2009, 03:00 AM
Anyone know if they are trying to add RADIUS anytime soon?
UBNT has told us that there are somehow more important things on the agenda, despite the number of WISPs crying out for RADIUS and VLAN tagging support... But apparently it's on the "to do" list.
dayas
12-10-2009, 03:52 PM
I am not really worried about securing the link other than encrypting it with WPA2. My main concern is that I don't want some random person to purchase a Nano, put it in station mode, connect to one of my base stations and get free internet.
sep78
12-11-2009, 10:11 AM
Why not put a captive portal device at or near your gateway and enable billing? You might even get a few paying customers that you didn't have to install the hardware for yourself!
ether3al
12-13-2009, 07:21 PM
Why not put a captive portal device at or near your gateway and enable billing? You might even get a few paying customers that you didn't have to install the hardware for yourself!
The problem with implementing a captive portal in this kind of environment is that you can cause performance degradation by allowing non-AirMax clients onto the network. It all really depends what you're trying to achieve though.
We promote self-install to our customers, but we use a custom firmware to lock the device to our network, so it is point and shoot for the customer.