Is there a way to set an Asus router not to permit a DHCP assignment for a device that is masking its MAC ID? Apple iPhones and iWatches provide spoof MAC ids unless they the "Private WiFi address" setting is off. When off, they use their real MAC id. I would like to block out all "private" MAC id's so that I have a better idea of which devices are on my network. Getting all the users in my household to keep the setting off is problematic because Apple lists the network with a "privacy warning" when the setting is off.
Locking out private wifi devices
- Thread starter pgershon
- Start date
ColinTaylor
Part of the Furniture
Are the "private" MAC addresses identifiable in some way? e.g. do the have a certain bit pattern. If they are and you're using a custom firmware like Asuswrt-Merlin you might be able to modify dnsmasq.
BreakingDad
Very Senior Member
Yeh Android are doing this now as well, so annoying. The only way round it I can think of is using mac filter to filter allowed devices only.
Tech Junky
Part of the Furniture
Just set a static IP for each device in their WiFi profile. Then anything pulling DHCP should be identifiable. With the static you can associate names to the IP for easy ID when looking at logs.
@pgershon and @ColinTaylor, I've just noticed this particular post (#26) by @unsynaps which may interest you guys (and hopefully others):
Unknown MAC Address in logs
Block it and wait for the squeals. See original post… i already tried blocking the mysterious MAC address via “wireless MAC filter” reject list, and when I applied the changes, both bands of WiFi went completely down. No wireless devices were able to connect until I reversed this filter. I had...
www.snbforums.com
Last edited:
dosborne
Very Senior Member
What is it you are really trying to accomplish?
The only benefit would be for some sort of logging / tracking.
If they know your SSID and password, they must be "trusted" to some extent already.
If you block the DHCP request, there is nothing preventing them from keeping the random MAC and switching to a static IP.
Knowing your real goal may help shape the answers
The only benefit would be for some sort of logging / tracking.
If they know your SSID and password, they must be "trusted" to some extent already.
If you block the DHCP request, there is nothing preventing them from keeping the random MAC and switching to a static IP.
Knowing your real goal may help shape the answers
sfx2000
Part of the Furniture
But once associated to an AP, the MAC addresses do not change for that association.
MAC randomization is a security/privacy feature, and should remain enabled if you value your privacy.
sfx2000
Part of the Furniture
If you have WPA2 enabled, and don't share passwords outside of your trusted household members, then you know who is on your WiFi.
MAC filters don't work, as MAC's can be spoofed, and someone with the right skillset already knows how to listen in for the "trusted" MAC addresses.
Logging / tracking is a fair description. We have several SSID's on our property. The indoor area, for the most part, is covered by an Asus mesh network. But one room in the basement has its own SSID, and the outside area has its own tp-link mesh, and the remote pool house has its own SSID. Apple privacy assigns a different MAC for each device in each SSID. Which multiplies the number of assigned assigned IPs (one for each MAC). I want to limit the number of IPs assigned per device regardless of which SSID they are on within my network.What is it you are really trying to accomplish?
The only benefit would be for some sort of logging / tracking.
If they know your SSID and password, they must be "trusted" to some extent already.
If you block the DHCP request, there is nothing preventing them from keeping the random MAC and switching to a static IP.
Knowing your real goal may help shape the answers
PS: I have tried unsuccessfully to make it all one SSID, but I have issues with fixed devices (light switches etc) which require getting into 5 gHz or 2.4 gHz networks, and the phones and laptops dont always disconnect from the SSID they left going inside to outside or to basement rooms. If i did it all again, I'd probably get all the same company's equipment (like the TP=Link Omeda I use outdoors), but that would be a big hardware cost as I had the ASUS indoor network first.
Tech Junky
Part of the Furniture
You should be able to configure all of them with the same SSID regardless of brand. They just won't alal be controlled form the same interface.
RMerlin
Asuswrt-Merlin dev
Do people also wear a random mask when they go out shopping, "for their privacy"? Do their car's licence plate randomly change every time they go on the freeway?
There comes a point where it causes more harm than good. Randomizing the MAC is one of these.
toaruScar
Regular Contributor
On iOS, MAC Randomnizing is not using a new MAC address everytime you connect to the same Wi-Fi.
It generates a new MAC everytime a device connects to a new wireless network, and will keep using that MAC address with that network unless user choose to forget the network.
sfx2000
Part of the Furniture
That comment doesn't hold any water - there's no privacy in wearing a face mask in public, and there's explicit permission given with one's registration plate on the car...
MAC ID's for BT and WiFI are tracked in many public venues, and with MAC randomization, there's less linkage between where the phone/tablet is, and the person that is holding it. If I'm in the airport, it's nobody's business to know who/where I am, same goes with going to the Mall, where "Forever 21" doesn't have any business pinging a static bluetooth or wifi device that it not attached to it.
Because privacy matters...
As I mentioned earlier - OP was concerned about "knowing" devices on his network - once an iOS device attaches to a secured network (WPA personal or enterprise), it's MAC address does not change.
MAC filtering, this is well known not to be an effective deterrent to limit access, so it doesn't solve the problem - having a secure password/passphrase, or using WPA-Enterprise and implementing RADIUS, this does secure the wireless network.
Last edited:
Tech Junky
Part of the Furniture
You could go 802.11x and auth by certificate and forgo the password completely.
www.securew2.com
Simplifying WPA2-Enterprise and 802.1x
What is WPA2-Enterprise and how does it compare to -PSK? What are the pros and cons of credentials versus certifications? Learn about WPA2 and 802.1X here.
www.securew2.com
Yota
Very Senior Member
Yes, the mall uses the hardware address of the customer's device to count traffic, which brand they stop at, and which item they might be interested in.
This is different from the license plate or your face in CCTV, which are protected by law and cannot be freely used by malls to sell products to you.
There are currently no privacy laws out there restricting this type of data collection, which would obviously violate privacy.
Mobile location analytics - Wikipedia
RMerlin
Asuswrt-Merlin dev
With modern facial recognition technologies and security cameras being present everywhere, it sounds like just the same thing to me. A store can tell how often you visit, which products you look at, and what you are buying or considering buying. And unlike a phone's MAC address, they can link you to a name, as you are going to swipe a credit card to buy what you buy. Yet I don't see people wearing a face mask whenever entering a store to avoid being filmed and tagged through facial recognition.
People should spend more time worrying about things like the fidelity plan card they carry around so they can get a free coffee after every 10 donuts IMHO if they truly worry about their "privacy".
Yota
Very Senior Member
Yes, they're all collecting information about you, but the difference is there's an opt-out there, you can pay cash, and no one's going to stop you from doing that.
And your face, there are laws protecting what they can and cannot do with your face.
For hardware addresses (not just MAC addresses), there is no option to mitigate this privacy data collection before this.
Also, when you swipe your credit card, you don't actually have to do any hiding anymore, it's like you're already logged into a website and you don't need to use a VPN to hide because the website already knows it's you anyway.
Random hardware addresses are designed to provide you with privacy before you become their customer.
drinkingbird
Part of the Furniture
With both IOS and Android using randomized MAC by default, probably just going to be a pain to try and block it. Disabling it in the phone isn't a great idea either as you say. I think Windows 11 also uses it but not positive on that.
However Bluetooth does not use randomized MAC as far as I know, so unless you leave BT disabled they can track you that way, and that is the most common/cheapest sensor in the stores that are doing that, especially now that they know the WIFI MAC is useless. They can even track your cellular signal which also does not randomize, though this is more expensive to do and less common. So having randomized WIFI MAC really isn't solving anything. Heck walk into an amazon store and the app on your phone along with their sensors and cameras tells them exactly where you go, what you pick up and put back, how long you looked at it, etc.
Along the highways here in MA they have signs telling you how many minutes to common intersections. Those look for any MAC address, even cellular, and count how long until it sees that MAC at the next sensor point. Of course with those, randomized MAC works fine as it only needs to know it for a little while.
Rip a fart these days and you'll see a banner ad for Gas-X on Facebook. Virtually impossible to avoid these privacy intrusions, every time something is done to help protect privacy they find another way to track you.
sfx2000
Part of the Furniture
If you absolutely need to - use Apple Configurator (it's in the Mac app store) to create profiles - you can do quite a bit (of damage), including disabling the MAC address randomization.
(Configurator, FWIW, it also the only way to configure Apple TV for Enterprise networks)
Apple Configurator
Apple Configurator makes it easy to deploy iPad, iPhone, iPod touch, and Apple TV devices in your school or business. Use Apple Configurator to quickly configure large numbers of devices connected to your Mac via USB with the settings, apps, and data you specify for your students, employees, or...
apps.apple.com
sfx2000
Part of the Furniture
For BLE, randomization does apply - which is the typical use case for BT tracking in commercial settings...
Bluetooth security
Apple provides numerous security features for the two types of Bluetooth it supports: Bluetooth Classic and Bluetooth Low Energy (BLE).
support.apple.com
Similar threads
Similar threads
Similar threads
-
-
-
T-Mobile ASUS TM-AC1900 (RT-AC68U variant) gets WAN IP and can ping Internet but connected WiFi clients indicate no Internet?
- Started by Maximum-Split-7860
- Replies: 7
-
Wired speeds are good but Wifi speeds are not on my ASUS router
- Started by Redinade
- Replies: 5
-
Wifi to Ethernet access point to add to pair of AX7800 Xt9
- Started by billrouter
- Replies: 5
-
Google Fiber 1GB XT8 router upload speed is about half my download speed on WiFi
- Started by Tigger86
- Replies: 6
-
-
-
-
Latest threads
-
Hyperotpic router replacement - will it solve my problem with connection dropping!
- Started by ACME NoLiFe
- Replies: 1
-
-
-
LAN > DHCP List - Manually Assigned Name + Icon DONT SAVE
- Started by copperhead
- Replies: 4
-
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!