Block devices with no NetBIOS name?

Can I somehow detect and block devices that don't announce their NetBIOS name?

I'd like to filter devices like iPhones that use Private Address, which hides the NetBIOS name, as it is impossible to detect via MAC address.

If you've got the MAC address, they're already detected?

2 Likes

Change the wifi password?

2 Likes

The problem here is the kids prey and wait for someone to put their phone down and use the QR code generator to attach to the network. I am forever changing the password.

1 Like

I mean it is hard to tell who is who because of the random MAC address feature of modern devices.
If I could block blank NetBIOS names, that would block anon Wi-Fi connections without forcing a white list.

Don’t use QR codes?

That is a function of Android phones for sharing network details; I can't stop that.

Once you are connected to a network, you can go into the phone and display a QR code that you can share to allow others to join. My kids prey on that feature, waiting for us to put our phones down to connect to an unfiltered network.

What about using RADIUS for Wi-Fi authentication?
This gives everyone a personal password for Wi-Fi.
As a drawback, it has the config overhead of Enterprise WPA + RADIUS.
I would be surprised if Android would present a QR code for that as well.

Perhaps implement MAC address filtering on the unfiltered network then?

Using Face ID or fingerprint should make this a lot harder?

You can always implement some logic to disallow spoofed MACs, by detecting them https://www.mist.com/get-to-know-mac-address-randomization-in-2020/

1 Like

OpenWrt cannot see NetBIOS names unless you set up Samba, but you can block devices with empty or specific DHCP hostnames:

```sh
# Define a MAC set loaded from a file and reject LAN-to-WAN traffic from its members
uci -q delete firewall.mac_set
uci set firewall.mac_set="ipset"
uci set firewall.mac_set.name="mac_filter"
uci set firewall.mac_set.match="mac"
# Must be the same file the hotplug script below writes to
uci set firewall.mac_set.loadfile="/var/nftset-mac-filter"
uci -q delete firewall.mac_filter
uci set firewall.mac_filter="rule"
uci set firewall.mac_filter.name="Filter-MAC-Forward"
uci set firewall.mac_filter.src="lan"
uci set firewall.mac_filter.dest="wan"
uci set firewall.mac_filter.proto="all"
uci set firewall.mac_filter.family="any"
uci set firewall.mac_filter.ipset="mac_filter src"
uci set firewall.mac_filter.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```

```sh
# DHCP hotplug script: when a new lease reports a HOSTNAME equal to the
# router's own hostname, record the client's MAC in the set file and reload the sets
cat << "EOF" > /etc/hotplug.d/dhcp/00-mac-filter
LOCAL="$(uci -q get system.@system[0].hostname)"
if [ "${ACTION}" = "add" ] \
&& [ "${HOSTNAME}" = "${LOCAL}" ]
then touch /var/nftset-mac-filter
sed -i -e "
/^${MACADDR}$/d
0i ${MACADDR}
" /var/nftset-mac-filter
fw4 reload-sets
fi
EOF
```

https://openwrt.org/docs/guide-user/base-system/hotplug

1 Like

So, by setting the U/L bit in the client MAC address, one advertises that it's a locally administered MAC address.

How nice :smile:

So this becomes a problem if there is an app or hack that clears that bit?

No idea, that's above my pay grade.

But I could imagine Apple not allowing this...

1 Like
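The U/L-bit check discussed above, as an added example (not code from any poster in this thread): POSIX shell functions that read dnsmasq lease lines and list the clients whose MAC is locally administered, which is what randomized "private" addresses are. The function names and sample leases are constructed for illustration; the lease layout (`expiry mac ip hostname client-id`, with `*` for a client that sent no hostname) is assumed to be the one dnsmasq writes to /tmp/dhcp.leases on OpenWrt.

```shell
#!/bin/sh
# Added example: flag DHCP leases whose MAC address is locally administered.

# Return 0 if the U/L bit (0x02 of the first octet) is set, 1 if it is
# clear, 2 if the argument does not start with a two-digit hex octet.
is_local_mac() {
    first="${1%%[:-]*}"                  # first octet, e.g. "da"
    case "$first" in
        [0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) return 2 ;;
    esac
    [ $(( 0x$first & 0x02 )) -ne 0 ]
}

# Read lease lines on stdin and print "MAC IP HOSTNAME" for every lease
# whose MAC is locally administered. HOSTNAME is "*" when none was sent.
list_private_leases() {
    while read -r _expiry mac ip host _rest; do
        if is_local_mac "$mac"; then
            echo "$mac $ip $host"
        fi
    done
}

# Constructed sample leases (not taken from the thread).
SAMPLE_LEASES='1700000000 da:a1:19:00:00:01 192.168.1.101 * 01:da:a1:19:00:00:01
1700000000 00:11:22:33:44:55 192.168.1.102 laptop 01:00:11:22:33:44:55
1700000000 f2:9c:4b:00:00:02 192.168.1.103 Pixel-7 *'

# On a router this would be: list_private_leases < /tmp/dhcp.leases
printf '%s\n' "$SAMPLE_LEASES" | list_private_leases
```

The check only reads the bit the client chooses to set, so a device presenting a fixed address with the bit clear is not listed.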