Which of these is a vulnerability of mac address filtering?
Sometimes I need to configure the router and choose which devices can connect to my network (MAC address filtering). For example, limit connections to 3 specific machines. But for an advanced user, it is possible to get my MAC address and change it easily (e.g. On a Linux machine using a simple command line macchanger --mac xx:yy:zz:tt:aa:bb wlan0)
According to gowen fawr, if one of my 3 machines isn't connected, it's possible for an advanced user to reconnect in its place.
To get more security features, what is the right configuration of MAC address filtering: enabled or disabled?
You asked - Which of these is a vulnerability of mac address filtering The answer is - While the duplicate that people have linked to does cover most of the story, there's actually a way to make MAC filtering work: enable client isolation.
Client isolation prevents individual WiFi clients from communicating with each other, effectively segregating their traffic. Since in order to know the MAC of a legitimate client you'd need to see traffic from one, this makes it rather difficult to identify a valid MAC and spoof it. The downside of this, of course, is that your WiFi devices can't communicate with each other. This also only works if you've got no whitelisted devices on the wired LAN side and your MAC filtering doesn't differentiate between interfaces (otherwise you can just sniff a whitelisted LAN device's MAC from the WiFi, then spoof it). There are scenarios where this kind of control makes sense, e.g. a guest network AP where your users only need to be able to reach the internet and not any internal services.