MAC address filtering - Wired + Wifi?


JohnB_123

Regular Contributor
Is there a home-based router that someone can recommend that only allows approved MAC addresses to access the network -- including wired clients? Ideally pairs this with a time/scheduling capability. I essentially want what's in ASUS' WRT router firmware & mobile app, but without the 16 device limitation AND the ability to default to block all non-approved MAC address clients. Netgear Armor is very close but I believe it is only for wifi clients, correct?

There's a very crafty teenager in my house that has figured out to IP spoof, use VPN clients, etc to evade time restrictions. After blocking ports, using router controls, using restrictive DNS, pulling the cable, etc -- I've resorted to pulling the PC from his room until I can figure out a method to truly restrict access after a certain hour.
 
MAC address blocking is an obsolete method to control access to a network.
 
OK, here's my problem: controlling access to the internet by time for specific clients (wifi and wired).

How do you suggest doing that?

Today, Asus does this by associating MAC addresses with users. It has a 16 device limitation and can't handle putting limits on a) spoofed MAC addresses and b) VPN clients.

Netgear's Armor utility does it by associating MAC addresses with users, as well - but it seems to be limited to Wifi only.

Circle (Disney branded, on Netgear's routers as well) also associates MAC address to clients.
 
Can't rely on Microsoft screen time controls; easily skirted with local accounts, PlayStation clients, etc.
 
Playstation clients, granted. But local accounts are very hard to enable if implemented properly. :)
 

It's less of a technical challenge than a functional one. This is a teenager who owns his gaming PC. He saved his money for several years, hand-selected components, built the PC and is set up as a local administrator on the machine. What (I gather) you are talking about doing is making him a child account without any local administrative access on the machine. As soon as we do that, he will move to a different device to consume content after hours. Trying to choke this off at the device level rather than at the operating system level.
 
Then this needs to be done at the parenting level, I believe. :)

There is nothing 'tech' that will help here, save for commercial installation of network infrastructure equipment.
 
Once you extend your blocking requirements to include wired Ethernet connections things become much more complicated. Consequently your choices become more limited.

You'd be looking at business class products from the likes of Cisco, Netgear, etc. that can do port- or MAC-based ACLs. If you then say that you can't trust security based on MAC address (because of spoofing) you'd need to move to an enterprise type setup based on 802.1X and RADIUS servers.
 
It seems like a very simple request… Block everything unless it has been authorized. Netgear Armor/BitDefender already does this when new WiFi clients join the network - just need to add wired clients to the mix.
 
Simple requests are usually the hardest to implement correctly in consumer gear.
 
Yes it sounds simple, but as is often the case it isn't.

The thing with WiFi connections is that there's already in place a system for authenticating clients and allowing or denying access: WPA2. With Ethernet there's no such mechanism, you just plug in the cable and you are connected to the LAN. That's where port-based ACLs or 802.1X come in. But these are typically not found in home routers.
 

Well, WPA2 passwords aren't discrete - they are 1:1 per SSID. Client access is managed for wifi clients via MAC address on most consumer routers. Why not simply extend this to wired clients....!
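The default-deny allowlist with a per-client schedule that this thread keeps asking for, as an added illustration (not code from the thread or from any vendor's firmware): a Python audit over constructed `ip neigh` output of the kind a Linux-based home router prints. The sample MACs, IPs and the 06:00 to 21:00 window are assumptions; as the replies point out, a cloned MAC passes a check like this, so the "same MAC on several IPs" flag is only a hint and 802.1X is the real fix.

```python
import re
from datetime import datetime, time

# Constructed allowlist: MAC -> (owner, start of allowed window, end of allowed window).
ALLOWLIST = {
    "aa:bb:cc:00:00:01": ("teen-pc", time(6, 0), time(21, 0)),
    "aa:bb:cc:00:00:02": ("parent-laptop", time(0, 0), time(23, 59)),
}

# Constructed sample of `ip neigh` output (bridge br0 carries wired and wireless clients).
NEIGH_SAMPLE = """\
192.168.1.50 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.60 dev br0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.70 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.80 dev br0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\w+)$", re.I)

def parse_neigh(text):
    """Return a list of (ip, iface, mac) from ip-neigh style lines; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out

def decide(entries, allowlist, now):
    """Default-deny policy: unknown MAC -> deny; known MAC outside its window -> deny.
    A MAC seen on more than one IP is flagged, a cheap (and defeatable) cloning hint."""
    ips_per_mac = {}
    for ip, _iface, mac in entries:
        ips_per_mac.setdefault(mac, []).append(ip)
    decisions = {}
    for ip, _iface, mac in entries:
        if mac not in allowlist:
            decisions[ip] = ("deny", "unknown MAC")
            continue
        owner, start, end = allowlist[mac]
        if not (start <= now.time() <= end):
            decisions[ip] = ("deny", f"{owner} outside schedule")
        elif len(ips_per_mac[mac]) > 1:
            decisions[ip] = ("flag", f"{owner} MAC seen on {len(ips_per_mac[mac])} IPs")
        else:
            decisions[ip] = ("allow", owner)
    return decisions

if __name__ == "__main__":
    for ip, verdict in decide(parse_neigh(NEIGH_SAMPLE), ALLOWLIST, datetime.now()).items():
        print(ip, *verdict)
```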
 
Because that is not how Ethernet works. :)
 
Didn't say that. ;)
 

Oh... isn't this what is fundamentally being used to manage/restrict device-level access by most routers?

Talking about this interface... If Asus raised the device limit from 16 + added a default block option, I'd be set :

 
For a different option the Gryphon router has this functionality. You can block new devices by default and it watches for MAC address spoofing. However you lose a lot of the finer control over the router because it is security/parental control focused and they don’t give a lot of options to tweak. It’s also expensive.

Edit: it also blocks VPNs.
 

Thank you - great feedback.

Does Netgear Armor or Disney Circle provide similar functionality? I’m reading that Circle covers wired clients, as well. Just need to have a default “off until approved”....
 
If a teen is sufficiently motivated and capable, and it sounds like this one is both - you are fighting a losing battle. If he saved up enough money to buy a gaming PC, he may be able to save up the $50/month it costs to get an uncapped, unmetered cellular hotspot, and cut your router entirely out of the equation.

Unless you can get him to sign an IUP, you are fighting this war with the wrong weapon.
 