What's new

Blocking Wired devices?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Monty Banton

New Around Here
Hi is there a way to block wired LAN devices because I don't want any unknown devices being plugged into my LAN and accessing the internet. There is a wireless MAC filter but I want it to function with Wired devices. (Wired MAC filter with whitelist and blacklist).

I want to prevent any possible wireless/wired MAC/IP spoofing on the network.

Currently on
Asuswrt-Merlin 378.56_2 RT-AC68U
 
Last edited:
Too low tech. One can easily put in their own switch on any existing run. ;)
 
Too low tech. One can easily put in their own switch on any existing run. ;)

You man cut a cable that runs between equipment, reterm & add a switch? Yeah, I suppose that is possible. Assuming the perp has tools and knowledge.

How about turn off dhcp and assign IP by mac address?
 
You man cut a cable that runs between equipment, reterm & add a switch? Yeah, I suppose that is possible. Assuming the perp has tools and knowledge.

How about turn off dhcp and assign IP by mac address?

Why do you need to cut a cable? Simply put in a switch and connect away.

:rolleyes:
 
How about a low tech solution? Physically secure the hardware in a locked closet or cabinet.
I don't want to use a physical method like locking something away... It would degrade wireless signal... I just want to protect from users connecting an ethernet cable into my router and access the internet.

I could block them through parental controls but then they could spoof their mac address and make parental controls essentially useless...
 
If you need that kind of control, then you should consider a business type of products instead of a home gateway. Home gateways aren't designed to be THAT tightly controlled.

Even a whitelist won't be of any help to you, as anyone could simply look at the MAC address of a plugged PC, and spoof that same MAC to gain access.
 
I could block them through parental controls but then they could spoof their mac address and make parental controls essentially useless...
If they are smart enough to spoof a MAC address, and you cannot provide physical isolation, you might consider standing guard over the switches with a shotgun.......... how could any hardware identify a client except by MAC?
 
If they are smart enough to spoof a MAC address, and you cannot provide physical isolation, you might consider standing guard over the switches with a shotgun.......... how could any hardware identify a client except by MAC?

The only "real" solution would be authentication. Not something you'll achieve with a home gateway.
 
If you need that kind of control, then you should consider a business type of products instead of a home gateway. Home gateways aren't designed to be THAT tightly controlled.

Even a whitelist won't be of any help to you, as anyone could simply look at the MAC address of a plugged PC, and spoof that same MAC to gain access.

What is the feature called found in the business type product that would fulfil my needs? I'd like to know what it is called so I can look at the specs of them before I'd consider purchasing it. Any idea how it would work differently to gateway routers to prevent MAC/IP spoofing?

However, the only plugged PC is my one and they wouldn't be able to look at my MAC address if that is any help.
 
The only "real" solution would be authentication. Not something you'll achieve with a home gateway.

Am I right in that it is possible to be implemented in a home gateway, but that it is not just because it is marketed for the consumer? (It can be done on custom firmware such as DD-WRT/Tomato/Merlin)?
 
What is the feature called found in the business type product that would fulfil my needs?
This feature is called Network Access Control (NAC) but there may be a simpler option:
1. Go to LAN - DHCP
1.1. Manually assign IPs for the MAC addresses you want to allow on your LAN (eg. assign IP from 192.168.1.100)
1.2. In IP Pool Start address, put an IP outside the range of the above assignments (eg. 192.168.1.200)
1.3. In IP Pool End address, put the next IP (eg. 192.168.1.201)
2. Under Firewall - Network Service filter, add one or multiple rules to block access to the 2 DHCP IPs for all destinations and TCP/UDP ports, every day from 00:00 to 23:59
 
802.1x Port-Based Authentication is what you're after. I'm not sure if FreeRadius2 can also do this via Entware, it's something I'm also looking at investigating.
 
What kind of users are you dealing with ? How many average people know anything about spoofing MAC addresses, connecting a switch, etc ?
 
With physical access, NO device is immune to hacking.

For example, Factory reset can be done via pushbuttons. Or they can just take the cable that connects to your modem and plug in directly, Etc.

Sent from my SM-N910V using Tapatalk
 
With physical access, NO device is immune to hacking.

For example, Factory reset can be done via pushbuttons. Or they can just take the cable that connects to your modem and plug in directly, Etc.

Sent from my SM-N910V using Tapatalk

My intention is to stop them from bypassing the parental controls/bandwidth limiter by spoofing their mac/ip.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top