Block unknown devices on Deco M9 - user changes MAC address to fool parental controls
Hi all,
I've been using the Deco M9 Plus for a couple of days now and I'm very pleased with it. The wi-fi is excellent in whole our house. And especially the parental controls are very valuable too to control the extensive use of internet of some of the users.
I have a question however. Is there an option to (automatically) block unknown devices on the network? I'm familiar with the blacklist option but I wouild like to see a whitelist for devices as well. The problem is that one user in our home is smartass enough to change the MAC address of his computer each time the parental control blocks his internet. Ofcourse the Deco notifies me that a new device is noticed on the network and than I can manually block the device but is there anyway it can be done automatically?
The Deco acts like a router and is directly connected to my ISP modem.
Is there any other option to block unknown MAC addresses from the internet should there be no possibility to achieve this with the Deco?
Thanks for your replies.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@mna Welcome to the community.
Lawrence-C is right and Connection Alerts+Blacklist could achieve the same as "block new devices".
The initial concern about not having Whitelist is that users might fail to add the correct MAC address to the list also due to the random MAC address.
Since renaming the SSID or removing/reconnecting to the SSID would change the MAC address to a different one, and once the MAC address was changed, it is hard to get the host smartphone back to the previous MAC address and connect back to Deco, then you might need to keep adding a new MAC address to the Whitelist. So adding Whitelist is not the ideal way to improve this issue.
The community is open to all feature requests and I am quite upset when I heard "TP-Link just don't care about the issue". I am sure we do care and try our best to provide what users wanted from us. But the issue is we need to find a more suitable solution that could fix this issue and do not bring up further chaos.
Compared with Whitelist, "block new devices" or "adding new devices to a profile and you could set up priority for it" sounds a good idea and I will note it down and forwarded it to the senior engineers later.
Thank you very much.
- Copy Link
- Report Inappropriate Content
for what it's worth "it is hard to get the host smartphone back to the previous MAC address" is not true
When the privacy Mac feature is disabled on PCs, Macs, Android or iOS devices in the WiFi configuration pane the device always defaults to the hardware MAC. This is not as difficult to configure as you framed but clearly it should be enabled with care.
I agree however clearlist and blocklist is not ideal, as you suggested the most flexible configuration would be to allow a profile to be designated default for new MACs ( and that profile could be configured with parental controls like any other ).
- Copy Link
- Report Inappropriate Content
@TP-Link In reply to your post:
1) You don't have to use the Whitelist - but it would be very good if it there if you need it.
2) Having to be available 24/7 to block a new device that appears is a major inconvenience. What happens if you are being notified of a new device at 2am ? It's not a solution.
The reason people think you don't really care is that this issue with mac spoofing was rasied in this thread in July 2019, and there has not been any attempt to fix it as far as I can see.
Adding the feature 'Block New devices', or at least blocking new devices until approved would fix this issue in a second.
- Copy Link
- Report Inappropriate Content
Found a solution for the parents out there.
I was messing with OpenDNS, but got tired of the main network IP changing anytime the network was rebooted.
So, do this, have the kids on a seperate,hardwired router connected one of the Decos, completely seperate Wifi. I personally have a 5+ year old Netgear connected. Then just have a parental control on that router from the Deco. They can change the MAC 1000x times, it won't matter as the controls are on that router and all the traffic that comes from it.
- Copy Link
- Report Inappropriate Content
Good idea, but not really a fix for us as there are shared devices like printers and scaners etc that need to be available for everyone. Also my kid's bedrooms are far apart and would require two routers, and I'd end up with umpteen different networks throughout the house. (I don't live in a mansion BTW - it's the walls and layount)
Thanks for the thought though...
- Copy Link
- Report Inappropriate Content
TP-Link wrote
The initial concern about not having Whitelist is that users might fail to add the correct MAC address to the list also due to the random MAC address.
@TP-Link you've got a database of known, real MAC address prefixes & could use that -- if you see a MAC prefix like "9C:F3:87", that's Apple and probably real. But "46:13:24"? That's not a valid vendor prefix, so it's clearly a randomized MAC.
Only about 0.27% of the available prefix space (00:00:00 - FF:FF:FF) has been assigned to hardware vendors (per https://maclookup.app/), so I imagine it would be very rare for a device to randomly spoof a legitimate prefix, and Deco could even offer a "Block randomized hardware address" feature and use "captive portal" techniques to let anyone who connected with a bogus MAC address see a nice web page explaining that they need to disable MAC spoofing. Not even bother the network owner if the MAC is bogus.
Of course the captive portal helping the end user would take more work, but certainly it seems that new device notifications could detect randomized MAC addresses with about 99.73% accuracy...
- Copy Link
- Report Inappropriate Content
BTW obviously this MAC filtering is all sub-optimal anyway, and doesn't prevent a kid from learning dad's MAC and spoofing that when he's out of the house.
To really secure things Deco ought to offer EAP authentication in addition to PSK (https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SecurityAuthenticationTypes.html#wp1035193), and allow us to specify that some Parental Control profiles would require EAP-authenticated connections. Let us make some locked down profiles for WiFi-enabled gfear like light switches and refrigerators that can't do EAP, but require EAP for things like the "Parents" profile.
But being able to block all access by new MAC addresses until approved would be SO much better than we have now -- while Wally could still use a $50 Raspberry Pi to spoof Mr. Cleaver's MAC when he goes to the office, at least that would be a much better scenario than we have now, with iOS happily sharing our private network PSK with contacts (https://support.apple.com/en-us/HT209368) and spoofing hardware addresses by default (https://support.apple.com/en-us/HT211227).
- Copy Link
- Report Inappropriate Content
@layer4dad2 as someone who has worked with 802.1x and EAP for more than a decade, I think I'm on firm ground classifying this as enterprise only tech.
There is nothing consistent about EAP support on consumer devices ( it requires constant IT support in an uncontrolled BYOD environment, so I can't imagine typical consumers operating it ).
MAC evasion is enabled by default on a cast of consumer devices and is easily enabled on others. MAC cloning is not even possible on many consumer devices, and requires advanced techniques on most others. This problem needs to be solved on a consumer product while protecting from a skilled network attacker is outside scope.
- Copy Link
- Report Inappropriate Content
mfisch wrote
@layer4dad2 as someone who has worked with 802.1x and EAP for more than a decade, I think I'm on firm ground classifying this as enterprise only tech.
@mfisch
And as someone who sees them evoking their job, when they are clearly wrong; makes me wonder how good they actually are at their job.
My consumer level Netgear AC1750 had this function.
This consumer level Wifi Mesh has this function
https://www.amazon.com/NETGEAR-Nighthawk-Advanced-System-Security/dp/B08V3PMGBR/
I could go on....
So, yep - your 10+ years of experience is shining.....
- Copy Link
- Report Inappropriate Content
Firstly, the concept of having a default profile, one with restricted parental controls that all devices/MAC addresses are assigned when first connecting has been raised a number of times over the last two years, so don't pretend that the user base isn't giving feedback.
Secondly, TP-Link is supposed to be a top-tier network hardware vendor, presumably with a competent team of user experience and hardware/software engineering staff. The problem has been expressed in detail for two years or more. Surely TP-Link can either come up with the solution themselves, or at least implement the kind of features people have been begging for.
This is why users are saying "TP-Link doesn't care" - because after two years of trying NOTHING HAS BEEN DONE.
If TP-Link cares, then get it done.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 36
Views: 38446
Replies: 133