In my previous post I described my setup with WPA3 on the 5GHz band and WPA2 with MAC filtering on the 2.4GHz band. The idea was sound: modern devices get modern security, legacy devices get extra protection through access control lists. Reality, however, had other plans.

The WPA3 Dream Falls Apart

After running the dual-security setup for a while, I ran into more and more issues. Most notable was the Prusa MK3.5S, which suddenly refused to connect at all, with no firmware update or router configuration change to point to. There is a thread about it, for what it is worth. The frustration of it all led me to change the setup.

The WPA2/WPA3 Transition mode, which I was hoping would provide a smooth fallback, turned out not to be a proper solution, as I had suspected. Some devices got confused by the mixed mode: they attempted WPA3, failed, and did not gracefully fall back to WPA2.

The Pragmatic Decision

After weeks of troubleshooting connection issues that always seemed to happen at the worst possible moments, I made the pragmatic decision: WPA2 everywhere, but with compensating security measures.

The key insight is that WPA2-PSK with a sufficiently long and random passphrase is still considered secure for home use. KRACK was an implementation flaw in the 4-way handshake and has been patched in most devices. What remains is the attack that matters in practice: someone within radio range captures a 4-way handshake (or a PMKID) and then guesses passphrases offline, at their leisure, with as much compute as they care to rent. That attack is only as good as the passphrase is weak.

Security Through Length

Instead of relying on WPA3's SAE handshake, which resists offline guessing regardless of passphrase strength, I opted for the old-school approach: make the passphrase long enough that brute-forcing becomes impractical. My new passphrase is 24 characters of mixed case letters, numbers, and symbols. At that length, even though a WPA2 passphrase can be tested offline against a single captured handshake (the key is derived with PBKDF2-HMAC-SHA1 from the passphrase and the SSID), the search space is astronomical.

The math is simple: a 24-character passphrase using 94 printable ASCII characters has 94^24 possible combinations, roughly 2 x 10^47, or about 157 bits. Even at a billion guesses per second, exhausting that space would take longer than the age of the universe, and a billion per second is generous: because every guess costs 4096 PBKDF2 iterations, a high-end GPU manages on the order of a million guesses per second. Of course, I am not using a truly random passphrase - it is based on a memorable pattern - but it is random enough to resist dictionary attacks. Bear in mind that 94^24 is the figure for a uniformly random passphrase; a pattern-based one carries less entropy than its length suggests, and cracking tools apply rules and masks precisely to exploit such patterns, so the real margin is smaller than the headline number.

MAC Filtering on Both Bands

With the switch to WPA2 on both bands, I extended the MAC filtering to cover the 5GHz network as well. Previously, only the 2.4GHz band had the reject rule, since 5GHz was "protected" by WPA3. The access list is evaluated top to bottom and the first matching entry wins, so the accept entries for known devices have to sit above these catch-all rejects:

/interface wifi access-list
add action=reject comment=reject-other-wifi24 interface=wifi24
add action=reject comment=reject-other-wifi5 interface=wifi5

Yes, MAC addresses can be spoofed. But an attacker would need to:

  1. Know a whitelisted MAC address (802.11 frame headers are not encrypted, so a passive sniffer within radio range sees them, but it still means being on site)
  2. Wait for that device to be offline (or deal with the conflicts of two stations claiming one address)
  3. Still know my 24-character passphrase

It is defense in depth. Enjoy!