wifi

1. I don't know what's happening to your DHCP, but I know a few things about wireless security.
2.  
3. If someone is trying to get into your network via wireless, and that person knows what he/she is doing, it's too late for ACL's!
4. This person already know all MAC's connected to your AP.
5. The short technical explanation for this is that an attacker, would send something called "deauthentication requests" to your AP, and listen for the clients trying to connect again, and get your MAC addresses.
6.  
7. Like someone said earlier in this thread "changing MAC is trivial".
8.  
9. Here is what I suggest:
10.  
11. 1. Change your wifi-password (only use WPA2-personal, and only AES). And make it a long one!
12. 2. Consider setting up a Radius server for wifi-client authentication on your network :-) (Please don't ask me how, yet.)
13.  
14. Good luck...
15.  
16. edit
17. Like I just said, I don't have a Radius server, yet, but I'm planning on it.
18. Someone wise on this forum once said; "take small steps".
19. This is _very_ true if you are a first time pfSense user, like me.
20.  
21. As of now, before pfSense, my personal wifi safety routine is as follows:
22.  
23. I only use WPA2 with AES. If someone comes to me with an old Mackbook or Windows XP machine that only supports TKIP, I tell them to piss off and buy a new machine ;-).
24. I use a 55 character randomly generated password, that I change _once_ a month!
25. I email my friends/clients the new password a day before I change it.
26. I also make a QR Code that's easy to scan using this service: http://blog.qr4.nl/QR-Code-WiFi.aspx
27. When I have guests, I power up a cheap Wifi-router (WR841N) with an open network. This is configured as a "isolated AP". When they leave I unplug it.
28.  
29. PS. I will argue that the words wireless and security should never be mentioned in the same sentence or document.
30. /edit