Locking out private wifi devices

pgershon

Regular Contributor
Is there a way to set an Asus router not to permit a DHCP assignment for a device that is masking its MAC ID? Apple iPhones and iWatches provide spoofed MAC IDs unless the "Private WiFi address" setting is off. When it is off, they use their real MAC ID. I would like to block out all "private" MAC IDs so that I have a better idea of which devices are on my network. Getting all the users in my household to keep the setting off is problematic because Apple lists the network with a "privacy warning" when the setting is off.
 
Are the "private" MAC addresses identifiable in some way? E.g. do they have a certain bit pattern? If they do and you're using a custom firmware like Asuswrt-Merlin you might be able to modify dnsmasq.
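They do have a bit pattern. The following is an added example, not code from anyone in this thread: randomized ("private") Wi-Fi addresses on iOS, Android and Windows are locally administered unicast MACs, so bit 1 of the first octet is set and the first octet ends in 2, 6, a or e; burned-in OUI addresses have that bit clear. The script reads lines in dnsmasq's lease-file format (what Asuswrt keeps in /var/lib/misc/dnsmasq.leases) and flags leases held by such addresses. The lease lines are constructed sample data. Caveat: VMs, containers and some embedded gear also use locally administered addresses, so a hit means "probably randomized", not proof.

```shell
#!/bin/sh
# Flag DHCP leases whose MAC has the IEEE "locally administered" bit set.
# Randomised ("private") Wi-Fi addresses on iOS, Android and Windows are
# always locally administered: bit 1 of the first octet is 1, so the first
# octet ends in 2, 6, a or e. Burned-in (OUI) addresses have it clear.
# Caveat: VMs, containers and some embedded gear also use locally
# administered addresses, so a hit means "probably randomised", not proof.

# Constructed sample in dnsmasq.leases format (not real lease data):
#   <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES='1700000000 a4:83:e7:12:34:56 192.168.1.20 kitchen-hub 01:a4:83:e7:12:34:56
1700000100 d2:1f:aa:bb:cc:dd 192.168.1.21 iPhone 01:d2:1f:aa:bb:cc:dd
1700000200 00:11:22:33:44:55 192.168.1.22 printer *
1700000300 4e:00:00:00:00:01 192.168.1.23 Pixel-7 01:4e:00:00:00:00:01'

# is_locally_administered MAC -> exit 0 if bit 1 of the first octet is set
is_locally_administered() {
    first_octet=${1%%:*}                 # text before the first ':'
    [ $(( 0x$first_octet & 2 )) -ne 0 ]
}

# classify_leases LEASE_TEXT -> one line per lease: "private|real mac ip host"
classify_leases() {
    printf '%s\n' "$1" | while read -r expiry mac ip host clientid; do
        [ -n "$mac" ] || continue
        if is_locally_administered "$mac"; then
            printf 'private %s %s %s\n' "$mac" "$ip" "$host"
        else
            printf 'real    %s %s %s\n' "$mac" "$ip" "$host"
        fi
    done
}

# count_private LEASE_TEXT -> number of leases held by randomised MACs,
# i.e. how many "extra" IPs private addressing is consuming right now
count_private() {
    classify_leases "$1" | grep -c '^private'
}

classify_leases "$SAMPLE_LEASES"
# On the router itself:  classify_leases "$(cat /var/lib/misc/dnsmasq.leases)"
```

The bit test is the whole trick: a randomized address carries no vendor OUI, so the only stable thing to key on is the locally-administered flag. Expect false positives from anything else that sets it.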
 
Is there a way to set an Asus router not to permit a DHCP assignment for a device that is masking its MAC ID? Apple iPhones and iWatches provide spoofed MAC IDs unless the "Private WiFi address" setting is off. When it is off, they use their real MAC ID. I would like to block out all "private" MAC IDs so that I have a better idea of which devices are on my network. Getting all the users in my household to keep the setting off is problematic because Apple lists the network with a "privacy warning" when the setting is off.
Yeah, Android is doing this now as well, so annoying. The only way round it I can think of is using the MAC filter to allow listed devices only.
 
Just set a static IP for each device in their WiFi profile. Then anything pulling DHCP should be identifiable. With the static you can associate names to the IP for easy ID when looking at logs.
 
Is there a way to set an Asus router not to permit a DHCP assignment for a device that is masking its MAC ID?
I would like to block out all "private" MAC id's so that I have a better idea of which devices are on my network.
Are the "private" MAC addresses identifiable in some way? E.g. do they have a certain bit pattern? If they do and you're using a custom firmware like Asuswrt-Merlin you might be able to modify dnsmasq.

@pgershon and @ColinTaylor, I've just noticed this particular post (#26) by @unsynaps which may interest you guys (and hopefully others):

 
What is it you are really trying to accomplish?
The only benefit would be for some sort of logging / tracking.

If they know your SSID and password, they must be "trusted" to some extent already.
If you block the DHCP request, there is nothing preventing them from keeping the random MAC and switching to a static IP.

Knowing your real goal may help shape the answers :)
 
Apple iPhones and iWatches provide spoofed MAC IDs unless the "Private WiFi address" setting is off. When it is off, they use their real MAC ID.

But once associated to an AP, the MAC addresses do not change for that association.

MAC randomization is a security/privacy feature, and should remain enabled if you value your privacy.
 
I would like to block out all "private" MAC id's so that I have a better idea of which devices are on my network.

If you have WPA2 enabled, and don't share passwords outside of your trusted household members, then you know who is on your WiFi.

MAC filters don't work, as MAC's can be spoofed, and someone with the right skillset already knows how to listen in for the "trusted" MAC addresses.
 
What is it you are really trying to accomplish?
The only benefit would be for some sort of logging / tracking.

If they know your SSID and password, they must be "trusted" to some extent already.
If you block the DHCP request, there is nothing preventing them from keeping the random MAC and switching to a static IP.

Knowing your real goal may help shape the answers :)
Logging / tracking is a fair description. We have several SSIDs on our property. The indoor area, for the most part, is covered by an Asus mesh network. But one room in the basement has its own SSID, the outside area has its own TP-Link mesh, and the remote pool house has its own SSID. Apple privacy assigns a different MAC for each device in each SSID, which multiplies the number of assigned IPs (one for each MAC). I want to limit the number of IPs assigned per device regardless of which SSID they are on within my network.

PS: I have tried unsuccessfully to make it all one SSID, but I have issues with fixed devices (light switches etc.) which require getting onto the 5 GHz or 2.4 GHz networks, and the phones and laptops don't always disconnect from the SSID they left going from inside to outside or to basement rooms. If I did it all again, I'd probably get all the same company's equipment (like the TP-Link Omada I use outdoors), but that would be a big hardware cost as I had the Asus indoor network first.
 
You should be able to configure all of them with the same SSID regardless of brand. They just won't all be controlled from the same interface.
 
MAC randomization is a security/privacy feature, and should remain enabled if you value your privacy
Do people also wear a random mask when they go out shopping, "for their privacy"? Do their car's licence plate randomly change every time they go on the freeway?

There comes a point where it causes more harm than good. Randomizing the MAC is one of these.
 
Do people also wear a random mask when they go out shopping, "for their privacy"? Do their car's licence plate randomly change every time they go on the freeway?
On iOS, MAC randomizing does not use a new MAC address every time you connect to the same Wi-Fi.
It generates a new MAC every time a device connects to a new wireless network, and will keep using that MAC address with that network unless the user chooses to forget the network.
 
Do people also wear a random mask when they go out shopping, "for their privacy"? Do their car's licence plate randomly change every time they go on the freeway?

There comes a point where it causes more harm than good. Randomizing the MAC is one of these.

That comment doesn't hold any water - there's no privacy in wearing a face mask in public, and there's explicit permission given with one's registration plate on the car...

MAC IDs for BT and WiFi are tracked in many public venues, and with MAC randomization there's less linkage between where the phone/tablet is and the person that is holding it. If I'm in the airport, it's nobody's business to know who/where I am; same goes for going to the mall, where "Forever 21" doesn't have any business pinging a static Bluetooth or Wi-Fi device that is not attached to it.

Because privacy matters...

As I mentioned earlier - OP was concerned about "knowing" devices on his network - once an iOS device attaches to a secured network (WPA personal or enterprise), its MAC address does not change.

MAC filtering, this is well known not to be an effective deterrent to limit access, so it doesn't solve the problem - having a secure password/passphrase, or using WPA-Enterprise and implementing RADIUS, this does secure the wireless network.
 
Do people also wear a random mask when they go out shopping, "for their privacy"? Do their car's licence plate randomly change every time they go on the freeway?

There comes a point where it causes more harm than good. Randomizing the MAC is one of these.
Yes, the mall uses the hardware address of the customer's device to count traffic, which brand they stop at, and which item they might be interested in.

This is different from the license plate or your face in CCTV, which are protected by law and cannot be freely used by malls to sell products to you.

There are currently no privacy laws out there restricting this type of data collection, which would obviously violate privacy.

 
That comment doesn't hold any water - there's no privacy in wearing a face mask in public, and there's explicit permission given with one's registration plate on the car...
With modern facial recognition technologies and security cameras being present everywhere, it sounds like just the same thing to me. A store can tell how often you visit, which products you look at, and what you are buying or considering buying. And unlike a phone's MAC address, they can link you to a name, as you are going to swipe a credit card to buy what you buy. Yet I don't see people wearing a face mask whenever entering a store to avoid being filmed and tagged through facial recognition.

People should spend more time worrying about things like the fidelity plan card they carry around so they can get a free coffee after every 10 donuts IMHO if they truly worry about their "privacy".
 
With modern facial recognition technologies and security cameras being present everywhere, it sounds like just the same thing to me. A store can tell how often you visit, which products you look at, and what you are buying or considering buying. And unlike a phone's MAC address, they can link you to a name, as you are going to swipe a credit card to buy what you buy. Yet I don't see people wearing a face mask whenever entering a store to avoid being filmed and tagged through facial recognition.

People should spend more time worrying about things like the fidelity plan card they carry around so they can get a free coffee after every 10 donuts IMHO if they truly worry about their "privacy".
Yes, they're all collecting information about you, but the difference is there's an opt-out there, you can pay cash, and no one's going to stop you from doing that.

And your face, there are laws protecting what they can and cannot do with your face.

For hardware addresses (not just MAC addresses), there is no option to mitigate this privacy data collection before this.

Also, when you swipe your credit card, you don't actually have to do any hiding anymore, it's like you're already logged into a website and you don't need to use a VPN to hide because the website already knows it's you anyway.

Random hardware addresses are designed to provide you with privacy before you become their customer.
 
That comment doesn't hold any water - there's no privacy in wearing a face mask in public, and there's explicit permission given with one's registration plate on the car...

MAC IDs for BT and WiFi are tracked in many public venues, and with MAC randomization there's less linkage between where the phone/tablet is and the person that is holding it. If I'm in the airport, it's nobody's business to know who/where I am; same goes for going to the mall, where "Forever 21" doesn't have any business pinging a static Bluetooth or Wi-Fi device that is not attached to it.

Because privacy matters...

As I mentioned earlier - OP was concerned about "knowing" devices on his network - once an iOS device attaches to a secured network (WPA personal or enterprise), its MAC address does not change.

MAC filtering, this is well known not to be an effective deterrent to limit access, so it doesn't solve the problem - having a secure password/passphrase, or using WPA-Enterprise and implementing RADIUS, this does secure the wireless network.

With both iOS and Android using randomized MACs by default, it's probably just going to be a pain to try and block it. Disabling it on the phone isn't a great idea either, as you say. I think Windows 11 also uses it but I'm not positive on that.

However Bluetooth does not use randomized MAC as far as I know, so unless you leave BT disabled they can track you that way, and that is the most common/cheapest sensor in the stores that are doing that, especially now that they know the WIFI MAC is useless. They can even track your cellular signal which also does not randomize, though this is more expensive to do and less common. So having randomized WIFI MAC really isn't solving anything. Heck walk into an amazon store and the app on your phone along with their sensors and cameras tells them exactly where you go, what you pick up and put back, how long you looked at it, etc.

Along the highways here in MA they have signs telling you how many minutes to common intersections. Those look for any MAC address, even cellular, and count how long until it sees that MAC at the next sensor point. Of course with those, randomized MAC works fine as it only needs to know it for a little while.

Rip a fart these days and you'll see a banner ad for Gas-X on Facebook. Virtually impossible to avoid these privacy intrusions, every time something is done to help protect privacy they find another way to track you.
 
Apple privacy assigns a different MAC for each device in each SSID. Which multiplies the number of assigned assigned IPs (one for each MAC). I want to limit the number of IPs assigned per device regardless of which SSID they are on within my network.

If you absolutely need to - use Apple Configurator (it's in the Mac app store) to create profiles - you can do quite a bit (of damage), including disabling the MAC address randomization.

(Configurator, FWIW, is also the only way to configure Apple TV for Enterprise networks)

 
However Bluetooth does not use randomized MAC as far as I know, so unless you leave BT disabled they can track you that way, and that is the most common/cheapest sensor in the stores that are doing that, especially now that they know the WIFI MAC is useless.

For BLE, randomization does apply - which is the typical use case for BT tracking in commercial settings...

 