All About Wi-Fi Router MAC Filtering

You’ve been told to set a WPA key on your Wi-Fi router. You’ve even been told to use an SSID (Wi-Fi network name) that is unique. But I bet very few people have told you to set up MAC filtering. Huh? MAC filtering? What’s that? How do you set it up? Is it any good?

This may come as a surprise to you, but MAC filtering is actually the one thing you may need to fully solidify the state of your wireless network. There are a few reasons for this, and perhaps it would be an enlightening experience for you to learn once and for all why this little setting on your router is insurmountably powerful.

A little note: If you don’t know what a MAC address is, perhaps it would be helpful to first read through this.

OK, let’s first explain what MAC filtering is … Every device that connects to a router does so through a network adapter. Each network adapter has a unique identifier that sets it apart from others, allowing it to be found even if the IP address of the device must change.

macfilter-nic

Yes, you can change your MAC, but it doesn’t happen automatically when you reconnect to the web (if you have a static IP). MAC filtering is a rule set in wireless access points and routers that allows people to allow or disallow MAC addresses from connecting. Now, why should you use it? Here are a few reasons:

  • There’s no extra authentication. Once you add a MAC, the device behind the MAC will always be able to connect to the router. Alongside WPA, it’s very powerful.
  • You don’t need to do absurd things like disabling DHCP to filter inbound connections. Hackers can’t simply “guess” your MAC address like they could with a local network IP address (which is why disabling DHCP is a useless idea).
  • MAC addresses don’t change (unless you change them manually). The default addresses are hard-coded into the networking hardware.
  • If and when WPA or any other security method on your router will finally be easy to hack (and it will, at some point), you have a failsafe admitting only certain devices to your network. That by itself is a major plus!

Comparing MAC filtering to WPA authentication as security methods side-by-side is just like comparing apples to oranges. Each of them serves a role in your network’s infrastructure. You can’t really compare them like WEP and WPA (two of the most popular security measures in wireless networks that work similarly). While MAC filtering is doing its job, WPA authentication is adding another layer of cake on top of it. You can’t say that “one is better than the other.”

You can’t even ask whether one is more important than the other. Both carry equal weight, and both are exploitable if the router is using dodgy firmware.

The setup for MAC filtering depends entirely on the router you’re using. Typically, companies like to consolidate their configuration consoles in one particular way, but there are key differences between models that might make some options unavailable. I recommend looking up your router manual to find out whether the router supports MAC filtering, then learning how to use it. So that you don’t come out of this empty-handed, I will show you what the configuration looks like on one of my routers:

macfilter-tplink

In my case, you would go to “Wireless -> Wireless MAC Filtering”, then click on “Allow the stations specified by any enabled entries in the list to access.” Clicking “Add New …” will take you to a screen where you can add a new filtering rule involving a particular MAC address.

Once you find out your MAC address, there are many awesome things you can do with it to filter it in and protect yourself from exterior influences. And no, do not disable WPA protection on your router simply because you have employed this protection method. Both work together to bring you a more complete secure browsing experience!

There is a lot of information here to swallow, so if you find yourself a little stuck or confused, leave a comment below so we may discuss everything!

14 comments

      • I use Microsoft Windows 7. It would be nice to also know how to find a MAC address in Linux, just in case I ever decide to use it…
        Thanks.

        • For Linux, you would have to tell me which distribution you plan to use.

          As for Windows 7, you can go to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings (on the right side). Once you’re there, double-click on the network adapter you use to connect to the internet and click the “Details” button.

          Hope this helps! Your MAC address will be listed as the “Physical Address”.

          An extra note: If you plan to type your MAC address anywhere on your router configuration page, you should remove the dashes from the address. You only need the numbers and letters that appear.

        • If you are using any Linux distro with KDE desktop, run KinfoCenter. Under Network Information/Network Interfaces, in the right panel you will see the MAC address of your card in the HWAddr column.

        • On windows based machines, if you go to Run->CMD and in the CMD window, type “ipconfig /all”

          You’ll get back a buttload of information, one will be the wireless MAC address. Watch out for one called “virtual wireless”, that most likely isn’t the right one.

          You’ll also see the MAC addresses for wired, tunnel,etc interfaces if present on your machine. I have to have users do this to so I can add their MAC to the local database in our Aurba wireless controller to allow them to access our protected SSID’s.

          The biggest issue is having them provide the correct MAC address.

  1. Thanks for the information! If I wanted to find out the MAC address of my Wi-Fi printer I guess I would have to get instructions from the manufacturer, right?

    I might try Ubuntu.

    • on printers, if you did a print out of the configuration page it should list the current configuration for network, and one of the results is hardware address/machine address or something like that.

      If you have access to the Wifi router (which you should) and you know the IP address of the printer (since you can print to it), in the DHCP area of the router, you’ll see a table of DHCP IP to MAC bindings, you’ll see the MAC there as well.

      • It gives it in the interface list, this way is more clear as you got iterfaces and active routes with masks and gateways. Of course you can use getmac or ipconfig /all

  2. MAC filtering is just little better than disabling DHCP.
    Because if the encryption is broken, the attacker has access to each packet containing your MAC address. Almost all of today’s laptops have the ability to change the MAC address, so an attacker easily change the address of his laptop and there remains only the question of how and when to carry out an MID attack.
    The only real protection is as stronger encryption as possible and regular change of key.

  3. Hackers don’t have to guess your MAC address. Your MAC address is broadcast in the clear any time your own devices are in range. It’s pretty trivial for an attacker to sniff out the MAC address of a valid device and then change their own device to match. MAC address filtering really doesn’t add much in the way of security.

  4. I need help guys. I want to propose a android app that will notify me if someone tries to connect to my wifi hotspot and lets me choose whether to block or allow them to connect. But i have no idea how to do it… Can someone give me advice.. Any advice, recommendation or help will be greatly appreciated..

Comments are closed.

Sponsored Stories