How to identify devices without a MAC address for firewall and DHCP rules?
I want to use random MAC addresses for privacy but still be able to identify devices on the router for firewall rules and DHCP rules.
Would WPA2/3-Enterprise and RADIUS help?
The question is vague. What are you trying to achieve?
Are you talking about an unmanaged switch? You can't do anything with those in the firewall or DHCP as they act like ghosts on the network that merely shuffle packets without ever identifying themselves explicitly. (Most of those support STP, so will reveal their MAC via loop detection messages, but those packets aren't routable and routers generally just ignore them.)
Is this network under your control? Do you have users on your network that are untrusted?
Doesn't that negate the point of obfuscating the MACs?
Although there hasn't been a response yet, if the answers are:
*untrusted, in this context, would be those who are potentially truly adversarial on your network, not your typical guest or iot devices.
There is literally no point in trying to hide your MAC addresses on your home network. Why? Simple -- MAC addresses are an L2 construct (switching). By the time you reach L3 (routing) in order to use IP addresses and thus connect to the internet, the MAC addresses are not visible. That is to say that your router can see the MAC addresses of the devices to which it is connected, but the next hop up (towards the internet) doesn't have any access to the MAC addresses of those same devices.
Meanwhile, I have a guest network to protect my trusted network from my guests and their systems (which might be compromised even if they're not aware of it), but they wouldn't be guests in my home if I thought they were the type of people who would be actively attacking my network. But, for what it's worth, as a consequence of them being on the guest network, they actually do not have the ability to probe for MAC addresses on my other networks anyway.
@psherman it's just my paranoia that I don't want MAC addresses to be visible to neighbors.
Yes I control the network
Unless the neighbors are on your network, there is very little, if anything that they can do with a MAC address.
Yes, it is possible to sniff the MAC addresses of wifi devices (within range) even when not on the same network, but it doesn't really serve any practical purpose to try to randomize/obfuscate them in a home environment.
The reason that MAC address randomization has become a de facto standard practice is more to do with preventing people/systems from tracking you when you are out and about. For example, the MAC of your phone could be used by someone aggregating information from retail businesses, where they would then be able to paint a picture of your habits/needs/interests based on where you have been (i.e. you went to a specific clothing store, then had coffee at a nearby cafe followed by a visit to a pharmacy near your home and a meal near that... continue this trend for a while and you can understand a lot about people).
At home, there is no real value in doing this. If your neighbors are so interested in your comings and goings, they'll probably simply watch for other telltale signs of your presence before they start sniffing MAC Addresses (i.e. watching your car, doors/windows, lights, etc.).
Since you control your network and you're not selling your data to aggregators, you really don't need to be concerned about the MAC address visibility of your devices on your home network.
Let's be quite frank here, the only reason to redact MAC addresses (of your router's wireless cards) in public forums (like this one here) is that they can be used to gather your location (up to ~30m, thank you Google, Apple, Microsoft and their mapping vans/smartphones). Your neighbours already know where you are (because they're living right next door), they don't get any more advanced knowledge from the MAC address (well, they can also guess the manufacturer of your router, big deal) - even if you cycle MACs and ESSIDs regularly, to the extent of it becoming troublesome to yourself (~multiple times a day), they can still make an educated guess that it's you (because the other neighbours won't do the same - and you still stick out like a sore thumb).
MAC addresses are no safety mechanism, your neighbours don't get any advance knowledge by knowing them, nor would it help them in any way to attack you or weaken the security of your network. Even if you change MACs regularly, with an absurd frequency, they still see which (fake) MAC addresses you are using right now (immediately) and can spoof it - and do the same (~nothing) as with the real-real sticker MAC address. There's nothing to win here.
With most ISPs in NA/Europe giving their routers the ability to track people via WiFi, I guess they also have a hidden monitor mode to capture devices.
There are much more effective ways for various entities to track someone if they want. But trying to obfuscate the MAC addresses of your hosts behind your own router is only going to make your own life more difficult while doing little (or more likely nothing) to stop other tracking that might be happening in reality.
You've crossed into tin-foil hat territory...
I disagree, emitting my MAC in frames over the air for anyone to record when random MACs exist is a bad idea for privacy. The only problem is that wireless/LAN uses it to ID stations for FW/DHCP. Is WPA3-Enterprise RADIUS a solution?
If you can install 802.1x certificates on all your devices, yes, maybe.
But this is an extremely complicated thing to setup. And given how badly mangled your existing configuration looks, I have doubts that this would work properly for you.
Why (specifically when at home)? What use is that information to anyone?
Neighbors can spy
Spy on what exactly? What do you think they can do with a MAC address that they would not otherwise be able to do?
That device X sends X type of data of X size at X time can be used for psycho-profiling and habit tracking for crime.
See the type of traffic.
And they can also see the LAN's unencrypted communication.
Are you connecting over wifi without using any encryption? If you are using encryption (as you should be), how do you think knowing the MAC address would allow an outside observer to crack that encryption and view the transmitted data? And how do you think they’d be able to get access to unrelated traffic within the wired LAN?
I thought one could see the traffic over WPA2 using Wireshark.
You would possibly be able to see packets being sent over WiFi but they would be encrypted. You wouldn’t know what the content was. That’s the point of encrypting the connection.
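As an added example (not part of this thread and not any poster's code), the following Python script parses the cleartext 802.11 MAC header of two constructed frames, a probe request from a client with a randomized-looking address and a WPA2-protected QoS data frame, and reports what an observer within radio range can read without any keys. Field layouts follow the IEEE 802.11 header format; every MAC address, SSID and "ciphertext" here is made up for the demo, and the zeroed MIC is a dummy that is never verified.

```python
"""Parse the cleartext 802.11 MAC header of a few constructed frames.

Frame type, source/destination/BSSID addresses, sequence numbers and
frame sizes are never encrypted; only the body is opaque when the
Protected bit is set (WPA2/WPA3 data frames). All frames below are
constructed for illustration, not captured from a real network.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association-request", 4: "probe-request",
                 5: "probe-response", 8: "beacon", 11: "authentication"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered(addr: str) -> bool:
    """Randomized MACs set the U/L bit (0x02) of the first octet, so an
    observer can tell a randomized address from a burned-in one."""
    return bool(int(addr.split(":")[0], 16) & 0x02)


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value information elements of a management body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_frame(frame: bytes) -> dict:
    """Return the fields of one 802.11 frame that are readable without keys."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    hdr_len, addr4 = 24, None
    if to_ds and from_ds:                       # 4-address (WDS) frame
        addr4, hdr_len = frame[24:30], 30
    if ftype == 2 and subtype & 0x8:            # QoS data adds a 2-byte QoS control
        hdr_len += 2
    body = frame[hdr_len:]

    # Which address is SA/DA/BSSID depends on the ToDS/FromDS bits.
    if not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:
        bssid, sa, da = addr1, addr2, addr3
    elif from_ds and not to_ds:
        da, bssid, sa = addr1, addr2, addr3
    else:
        da, sa, bssid = addr3, addr4, None

    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "protected": protected, "sa": mac(sa), "da": mac(da),
            "bssid": mac(bssid) if bssid else None,
            "seq": seq_ctrl >> 4, "frame_len": len(frame)}
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, "other")
        if subtype == 4:                        # probe request body is IEs only
            info["ssid"] = parse_ies(body).get(0, b"").decode("utf-8", "replace")
    elif ftype == 2 and protected and len(body) >= 16 and body[3] & 0x20:
        # CCMP/GCMP header: PN0 PN1 rsvd KeyID(bit5=ExtIV) PN2..PN5, then
        # ciphertext, then an 8-byte MIC. Only the length is observable.
        info["cipher"] = "CCMP/GCMP"
        info["key_id"] = body[3] >> 6
        info["ciphertext_len"] = len(body) - 16
    return info


# --- constructed sample frames (not real captures) -----------------------
def build_probe_request(sa: bytes, ssid: bytes) -> bytes:
    fc = bytes([0x40, 0x00])                    # mgmt, subtype 4, no flags
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + struct.pack("<H", 0x0010)
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return hdr + ies


def build_protected_qos_data(sa: bytes, bssid: bytes, da: bytes,
                             ciphertext: bytes, pn: int = 7) -> bytes:
    fc = bytes([0x88, 0x41])                    # QoS data, ToDS=1, Protected=1
    hdr = fc + b"\x00\x00" + bssid + sa + da + struct.pack("<H", 0x0020) + b"\x00\x00"
    ccmp = bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0, 0x20]) + (pn >> 16).to_bytes(4, "little")
    return hdr + ccmp + ciphertext + b"\x00" * 8   # dummy MIC, never verified


STA_RANDOM = bytes.fromhex("021122334455")      # U/L bit set: randomized-looking
STA_STICKER = bytes.fromhex("001122334455")     # U/L bit clear: burned-in style
BSSID = bytes.fromhex("101b2c3d4e5f")           # made-up access point address
CIPHERTEXT = bytes(range(40))                   # stands in for an encrypted IP packet

SAMPLE_FRAMES = [
    build_probe_request(STA_RANDOM, b"HomeNet"),
    build_protected_qos_data(STA_STICKER, BSSID, BSSID, CIPHERTEXT),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        info = parse_frame(f)
        info["randomized_looking"] = is_locally_administered(info["sa"])
        print(info)
```

Running it shows the two sides of the argument above in one place: the probe request exposes the client's MAC and the SSID it is looking for in the clear, and the data frame exposes source, BSSID, sequence number and size but only an opaque 40-byte ciphertext, which is what a Wireshark capture of a WPA2 network looks like without the PSK. The U/L bit check also shows why randomization hides the hardware identity rather than the presence of a client.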