How can I disallow connections using randomized MAC addresses

Subject basically says it all. I want to disallow connections using randomized MAC addresses. Is that possible?

You can do that as soon as you can distinguish between "nonrandom" and "random" MACs.

If done right these are indistinguishable at a fundamental mathematical level... So NO.


You mean like a new iPhone?
Unfortunately the MAC address is the only means of identifying a device.

iPhone OS does follow standards to set the "locally administered" bit on its random MAC addresses. Turning off "private address" will use the factory MAC, which has the bit clear.

Of course no one has to do this if they have full control of the MAC address.

@dlakelan Clearly you think that "randomization" entitles one to supply an entirely random MAC address.

Might I suggest that you familiarize yourself with the IEEE and IETF RFC 7042's definition of "local" address and the role of the "local bit" (0x02 of the first octet)?

Bottom line: Distinguishing "random" from "nonrandom" is a solved problem. Further, it is trivial, amounting to checking a single bit.

Sure if the goal is to distinguish "cooperating devices that have set this bit" then no problem.

If the goal is to distinguish, say, Kali Linux penetration testers, then no way.

I am not looking for security. Rather I am looking to have devices associate using stable MAC addresses to which I can assign static leases.

As a digression... My LineageOS 18.1 Android phone has a toggle labeled "Wi-Fi-enhanced MAC randomization". The explanatory text reads:
"When this mode is enabled, this device's MAC address may change each time it connects to a network that has MAC randomization enabled."

That suggests to me that it is possible to configure a network such that MAC randomization is not enabled. Is that correct? Can I do that with OpenWrt?

You can probably tell the phone which network names it should use randomization on; I think that's what the text means.


@dlakelan I had not thought of that interpretation. I think that you are correct. Googling for my interpretation generated no results.

Given that, via a single bit test, I can identify the packets I want to reject, is there any way to write a firewall rule to enforce such a policy?

Sure, I always refer to the man pages for this kind of thing:

When I look there, -m mac --mac-source doesn't seem to have a mask, which is too bad, because something like

--mac-source 02:00:00:00:00:00/02:00:00:00:00 would be the ideal way.

I think that you probably CAN do this in nftables... but not sure.

You might try that syntax to see if masks are supported but undocumented; it's the kind of thing you might expect to work.
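The single-bit test the thread settles on, worked through as an added example (not code from any poster or from OpenWrt): a POSIX sh function that checks the 0x02 "local" bit of the first octet on a few constructed addresses, plus the nftables rule that would express the same mask. The nft syntax is an assumption about bitwise masks on ether saddr; check it with nft -c before loading it.

```shell
#!/bin/sh
# Added example, not from the thread. Classify a MAC address by the IEEE
# "locally administered" bit (0x02 in the first octet), the marker that
# RFC 7042 defines and that cooperating devices set on randomized MACs.
# Exit status 0 if the bit is set (local/randomized), 1 if clear (factory).
mac_is_local() {
    first=${1%%:*}                     # first octet, e.g. "02" or "da"
    octet=$(printf '%d' "0x$first")    # hex text -> decimal integer
    [ $(( octet & 2 )) -ne 0 ]
}

# Print "<mac> local" or "<mac> global" for each address given as an argument.
classify_macs() {
    for mac in "$@"; do
        if mac_is_local "$mac"; then
            echo "$mac local"
        else
            echo "$mac global"
        fi
    done
}

# Candidate nftables rule for the mask that iptables' -m mac lacks.
# Assumption: this nftables version accepts a bitwise mask on 'ether saddr';
# validate with 'nft -c -f <rulefile>' before using it on a real router.
nft_drop_local_rule() {
    echo 'ether saddr & 02:00:00:00:00:00 == 02:00:00:00:00:00 drop'
}

# Constructed sample addresses, not captured from any real network.
SAMPLE_MACS="02:1a:2b:3c:4d:5e a4:83:e7:11:22:33 da:a1:19:00:11:22 00:11:22:33:44:55"

main() {
    # Word splitting of $SAMPLE_MACS is intentional here.
    classify_macs $SAMPLE_MACS
    echo "nft rule: $(nft_drop_local_rule)"
}

main
```

Note that a firewall rule of this kind drops frames from a client that has already associated; refusing association itself is a hostapd MAC ACL matter, as the later reply about blocking all MACs and allowing a list describes.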

You can isolate the client with a separate SSID.

You can block all MAC addresses from connecting, then enable just those in your list.