MAC Filter Options

TheLyppardMan

Very Senior Member
My ISP-supplied router (FRITZ!Box 7530 AX) has limited options when compared with ASUS routers, but it does have an option to prevent unknown devices from connecting to the main Wi-Fi networks. That's the only option it has for MAC filtering, but I was thinking that this might be a useful option for ASUS routers to have, to save having to manually specify what would or would not be allowed to connect. So, the options could be "Reject All Unknown Devices", "Reject Specified Devices Listed Below", "Accept Only Specified Devices Listed Below". Would anyone find this amendment useful and if so, could it be added as a feature request for Merlin to consider?
 
Wireless MAC filtering is built into the asuswrt firmware (including Merlin). However, with MAC randomisation available on devices and the ease with which anyone can spoof a MAC address, it's all pretty pointless.
 
Wireless MAC filtering is built into the asuswrt firmware (including Merlin). However, with MAC randomisation available on devices and the ease with which anyone can spoof a MAC address, it's all pretty pointless.
Hence the usefulness of the FRITZ!Box option to deny all unknown devices, while still allowing all known devices to continue as normal.
 
Hence the usefulness of the FRITZ!Box option to deny all unknown devices, while still allowing all known devices to continue as normal.
On the ASUS you add the known MAC addresses to the "Accept" list. Unknown devices can't connect.
Same thing - a slightly different way.
But, like I said, if you're doing this for security it's pointless.
 
What "unknown" devices know your Wi-Fi SSID and Password and attempt to connect?
My son is always buying new tech and I want to know what he's planning to join the network beforehand to try to evaluate potential risks, e.g., with some IoT devices, so that if necessary, they can be connected to one of the guest networks instead.
 
On the ASUS you add the known MAC addresses to the "Accept" list. Unknown devices can't connect.
Same thing - a slightly different way.
But, like I said, if you're doing this for security it's pointless.
Yes, I know that, but it's tedious to add all those devices, whereas the option to only block unknown devices could be done in an instant once everything that had connected had been identified. This is how it looks in the FRITZ!Box GUI:

FRITZ!Box MAC Filter 1.jpg


FRITZ!Box MAC Filter 2.jpg
 
My son is always buying new tech

Ah, the IoT war with your son... I remember the dangerous Dyson air purifier! You need some diplomatic solution. What about your ISP router with Wi-Fi enabled for your son and your Asus router behind it? This way your son will have "own network" with no access to yours. Whatever he attaches to his network won't bother you anymore.
 
Or a guest network just for the son (which also has MAC filters), as has been suggested in other threads started by the OP.
 
Or a Guest Network Pro! 🤭
 
Or a Guest Network Pro! 🤭
I don't think that's available on Merlin at the moment, but I have set up a guest network for IoT devices, which despite my son's original aggressive response towards me, does in fact work perfectly well with his latest IoT device. I just don't want him sneaking any more unknown IoT stuff onto the main network. An option like the FRITZ!Box provided would be a simple way to achieve that and would also rule out any spoofed MAC codes.
 
my son's original aggressive response

Your son's aggressive response was a result of your own "scared of unknown" (IoT world) behavior. Your ongoing device restriction ideas pointed towards your son in particular will only fuel the issue you already have. You share the network peacefully or you don't. Time to make a final decision and end the issue once and for all. It is doable easily in different ways from separated networks on the same ISP account to completely separate ISP accounts. Folks around explained it to you multiple times already.
 
Your son's aggressive response was a result of your own "scared of unknown" (IoT world) behavior. Your ongoing device restriction ideas pointed towards your son in particular will only fuel the issue you already have. You share the network peacefully or you don't. Time to make a final decision and end the issue once and for all. It is doable easily in different ways from separated networks on the same ISP account to completely separate ISP accounts. Folks around explained it to you multiple times already.
Have you ever read Matthew chapter 1 verse 7, "Do not judge, or you too will be judged"
 
Have you ever read Matthew chapter 1 verse 7

No. I'm a more science-oriented person and prefer Newton's "For every action there is an equal and opposite reaction".
 
@TheLyppardMan,
As already indicated by others above, Asus router firmware (including Asus-Merlin firmware) already includes a MAC Filtering option where one can set it to accept all MAC addresses on the list, which is then supposed to reject any MAC address not on the list. But as already indicated by others, MAC address spoofing is, in many cases, simple. If your son can snoop out a MAC address of a device you have allowed access to, your son can spoof that address on his own IoT device(s) and gain access.

As to the family dynamic issues between you and your son that your posts have revealed and which you are trying to use MAC Filtering as a method of dealing with that family issue. The MAC Filtering is likely just a temporary fix which doesn't address the underlying issue. If the son is resourceful they can likely find ways around the MAC Filtering. It may be time to resolve those family dynamic issues or do what has been suggested above, find alternatives that allow your son the freedom to tinker with IoT devices that they are seeking.
 
It is pointless to argue, the fact is more and more devices are having MAC randomization (e.g. Android tablets, iPads) unless you choose to disable it. Otherwise blocking all 'unknown' MAC is redundant because it could be the same device using a different MAC and every randomized MAC will need to be added for access. Eventually you will hit the max MAC allowed to add and then what? Doing so it's like building a "wall" thinking that no enemy will attack (false sense of security). To me, MAC filtering is the worst prevention for network.

On family front, I'm no social counselor it's your call on how to deal with the 'trust' issues. Technically speaking, we are just pointing out MAC filtering is not security.
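
Added example, not part of any post in this thread: a small audit of an "Accept" list against observed Wi-Fi client addresses, showing how randomized (locally administered) MACs get rejected as "unknown" and how quickly a list fills if each one is added. The addresses and the list limit are constructed sample values, and the function names are hypothetical.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample data (not taken from the thread or any real network).
ACCEPT_LIST = ["3C:A6:2F:00:11:22", "b8-27-eb-aa-bb-cc"]
SEEN = [
    "3c:a6:2f:00:11:22",  # on the accept list
    "da:a1:19:5e:01:02",  # randomized address
    "f2:3b:7c:5e:01:03",  # randomized address, possibly the same device
    "00:1a:2b:3c:4d:5e",  # globally unique, not on the list
]
MAX_ENTRIES = 4           # assumed list limit, for illustration only


def normalize(mac):
    """Return lower-case colon-separated form; reject malformed input."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, which is
    the case for randomized/private Wi-Fi addresses."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def audit(accept_list, seen, max_entries):
    """Classify observed MACs the way an accept-only filter would."""
    accept = {normalize(m) for m in accept_list}
    observed = [normalize(m) for m in seen]
    report = {"accepted": [], "rejected_randomized": [], "rejected_unknown": []}
    for mac in observed:
        if mac in accept:
            # A match only proves the address, not which device sent it.
            report["accepted"].append(mac)
        elif is_locally_administered(mac):
            report["rejected_randomized"].append(mac)
        else:
            report["rejected_unknown"].append(mac)
    # Entries required if every rejected address were simply added.
    report["entries_needed"] = len(accept | set(observed))
    report["list_overflows"] = report["entries_needed"] > max_entries
    return report


if __name__ == "__main__":
    for key, value in audit(ACCEPT_LIST, SEEN, MAX_ENTRIES).items():
        print(f"{key}: {value}")
```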
 
Ah, the IoT war with your son... I remember the dangerous Dyson air purifier! You need some diplomatic solution. What about your ISP router with Wi-Fi enabled for your son and your Asus router behind it? This way your son will have "own network" with no access to yours. Whatever he attaches to his network won't bother you anymore.
How would I set that up if I wanted to try that idea?
 
No. I'm a more science-oriented person and prefer Newton's "For every action there is an equal and opposite reaction".
Oh I like science as well, although I don't understand most of it. For instance, I find it awe-inspiring that mankind has gone from knowing nothing about the planet on which we live, (other than that God made it and the universe in 6 days) to developing the incredible technology we have now, such as being able to send space machines to other planets in our solar system, to send back data for analysis here on earth. It's just a pity that some of mankind's incredible intelligence is used to create things to harm others and destroy whole areas with just the push of a button (Ukraine and the Middle East being prime current examples).
 
How would I set that up if I wanted to try that idea?

Enable the ISP router's Wi-Fi and tell your son this is the SSID he can use for all the devices he owns. Connect your router (WAN port) to the ISP router (LAN port) and use its Wi-Fi and LAN ports for your devices. In default configuration your "son's network" will have no access to "your network". Your son will be on a different subnet and facing your router's firewall. This is called double NAT configuration for your router, but not a problem, many people use it for one reason or another. If you want to run any services to Internet on your router just use DMZ or Port Forwarding on the ISP router and usual DDNS on your Asus. Asus routers have external WAN IP detection for DDNS. Your network will have access to your son's network, but you can stop this for diplomatic reasons using Firewall rules on your Asus router. When you decide to tinker with your router again you'll have backup Wi-Fi from the ISP router as an added bonus. Your wife may want to use Internet during your downtime and she can do so.

I don't understand most of it

You have to accept the reality of IoT world. This type of devices are here to stay. Your Pro router has stock Asuswrt Pro firmware available with IoT Guest Network preset. You can use it for your own IoT devices eventually, but let your son do whatever he needs to do on his own network. Let go on filtering and monitoring.
 
Enable the ISP router's Wi-Fi and tell your son this is the SSID he can use for all the devices he owns. Connect your router (WAN port) to the ISP router (LAN port) and use its Wi-Fi and LAN ports for your devices. In default configuration your "son's network" will have no access to "your network". Your son will be on a different subnet and facing your router's firewall. This is called double NAT configuration for your router, but not a problem, many people use it for one reason or another. If you want to run any services to Internet on your router just use DMZ or Port Forwarding on the ISP router and usual DDNS on your Asus. Asus routers have external WAN IP detection for DDNS. Your network will have access to your son's network, but you can stop this for diplomatic reasons using Firewall rules on your Asus router. When you decide to tinker with your router again you'll have backup Wi-Fi from the ISP router as an added bonus. Your wife may want to use Internet during your downtime and she can do so.



You have to accept the reality of IoT world. This type of devices are here to stay. Your Pro router has stock Asuswrt Pro firmware available with IoT Guest Network preset. You can use it for your own IoT devices eventually, but let your son do whatever he needs to do on his own network. Let go on filtering and monitoring.
Thanks for the instructions. DMZ doesn't appear to be available on the FRITZ!Box and the instructions for Port Forwarding aren't exactly detailed:

FRITZBOX PORT FORWARDING.jpg

So what would be the settings I would need for the Port Forwarding feature on the FRITZ!Box? Also, would the WireGuard VPN server on my ASUS router still work with this arrangement and am I right in assuming that since my ISP provides me with a static IP address, I would need to use the DDNS feature on the ASUS router?
 
