How to hide mac addresses to main switch?

niculin · July 22, 2021, 11:33am

Hi,
For an unknown reason, the sysadmin of my university limit the number of MAC addresses to 3 macs for the LAN port located in our office (we are 5 ).
Actually we use the wireless connection where my openwrt is configured as an access point in order to share the connection.
We'd prefer to use the LAN port 'cause is a 1 gigabit port, instead the wireless connection is limited to 20megabit.
Is there any possibility to using some feature to encapsulate traffic and finally use the LAN port?

vgaetera · July 22, 2021, 11:36am

niculin · July 22, 2021, 12:31pm

I've already read the documentation, and searched for some documentation in the forum, what I didn't understand is how to hide the mac addresses that connected to the router, to the main switch.
It seems that every device connected to the subnet can be detected by the sysadmin

vgaetera · July 22, 2021, 12:46pm

Reconfigure OpenWrt to a router with masquerading enabled on the WAN interface.
Then connect upstream switch to the WAN port and connect clients to the LAN ports.

psherman · July 22, 2021, 2:13pm

A simple reset to defaults of openwrt will achieve the goal of configuring the device as a router with NAT masquerading enabled. It is the default operating state of openwrt.

flygarn12 · July 22, 2021, 5:15pm

How have they searced for the mac:s?

The best way to look at what they see is to mount a extra standard setup router between ISP and your operational router. And let the DHCP server play ISP and then log in to the extra router and look at the leases table.

But if they look at the actual data packages with for example wireguard then it will be easier to count devices in your network.

niculin · July 23, 2021, 9:58am

Thank you for the answers, I gave a try to a fresh install of openwrt.
@flygarn12 Good question, but I've no idea, the only information that I retrieved is that there is a script that scan the network looking for access point mac address counting the devices connected to them.

flygarn12 · July 23, 2021, 11:26am

“Script” can be anything.

Then there is this thing of “university’s”. Is the university in question is some kind of teacher or doctor university then they probably have no real thing what they do on the network. Do we talk about a technical university made for network engineers etc then they probably do this network protection script system just for fun.

If they count IP addresses and you use the firewall correct then dnsmasq will only show one IP address to ISP/internet.

Maybe a OpenWRT settings reset will solve this, probably not.

If their script mean deep package analyze then dnsmasq is worthless because the actual data packages from your devices are mac tagged. Dnsmasq is more of a IPv4 “to little IP addresses solver”, it isn’t a information security tool.
They simply do a legal man-in-the-middle surveillance on the network.
To solve this you need to get a deal with the ISP on the number of devices you can use or use a VPN tunnel to some external server and simply run the data past the ISP without them knowing what actual data is transmitted.
But they are obviously good at their work so they will look at VPN tunnels also.