Block devices with no netbios name?

Can I some how detect and block devices that don't announce their netbios name?

Id like to filter devices like Iphones that use Private Address that hides the netbios name as it is impossible to detect via mac address.

If you've got the MAC address, they're already detected?


Change the wifi password?


problem here is the kids prey and wait for someone to put their phone down and use the qr code generator to attatch to the network I am forever changing the password.

1 Like

I'm meaning it is hard to tell who is who because of the random mac address feature of modern devices.
If I could block blank net bios names that will block anon wifi connections without forcing a white list.

Don’t use QR codes?

That is a function of andriod phones for sharing network details I cant stop that.

Once you are connected to a network you can go into the phone and display a QR code that you can share to allow others to join, my kids prey on that feature waiting for us to put our phones down to connect to an unfilterd network.

what about using RADIUS for Wifi authentication?
This gives everyone a personal password for Wifi.
As a drawback, it has the config overhead of Enterprise WPA + RADIUS.
I would be surprised, if Android would present a QR code for that as well.

Perhaps implement MAC address filtering on the unfiltered network then?

Using face ID or fingerprint should make this a lot harder ?

You can always implement some logic to disallow spoofed MACs, by detecting them

1 Like

OpenWrt cannot see NetBIOS names unless you set up Samba, but you can block devices with empty or specific DHCP hostnames:

uci -q delete firewall.mac_set
uci set firewall.mac_set="ipset"
uci set"mac_filter"
uci set firewall.mac_set.match="mac"
uci set firewall.mac_set.loadfile="/var/nftset-mac-dhcp"
uci -q delete firewall.mac_filter
uci set firewall.mac_filter="rule"
uci set"Filter-MAC-Forward"
uci set firewall.mac_filter.src="lan"
uci set firewall.mac_filter.dest="wan"
uci set firewall.mac_filter.proto="all"
uci set"any"
uci set firewall.mac_filter.ipset="mac_filter src"
uci set"REJECT"
uci commit firewall
/etc/init.d/firewall restart

cat << "EOF" > /etc/hotplug.d/dhcp/00-mac-filter
LOCAL="$(uci -q get system.@system[0].hostname)"
if [ "${ACTION}" = "add" ] \
&& [ "${HOSTNAME}" = "${LOCAL}" ]
then touch /var/nftset-mac-filter
sed -i -e "
" /var/nftset-mac-filter
fw4 reload-sets

1 Like

So, by setting the U/L bit in the client mac address, one advertises that its a locally administered mac address.

How nice :smile:

So this becomes a problem if there is an app or hack that clears that bit?

No idea, that's above my pay grade.

But i could imagine Apple not allowing this...

1 Like