Strategies for blocking devices in the firewall in 2022 when all mobile devices have spoofed MACs


What are the strategies people use to block devices from the WAN, when practically all mobile devices have MAC address spoofing deployed by default?


PS: This is for home use; I need to block teenage kids and their friends...

Don't hand out the access credentials?

(the enterprise solution would be IEEE802.1X with a RADIUS server and dynamic ticketing).

Just create a separate SSID and let them use that. However, then you ensure that that SSID has something like AdGuardHome to do filtering on it and thus they get "kids restricted" internet. There is an opkg version available. There is also a manual install thread. You can also enforce safe search and other features.

(You can also adblock with it, but I'm assuming what you want off the bat is a kid-safe network.) You can do exceptions for adults via client management. Thus adults don't get filtered internet.

Ideally having AGH do your dhcp would be better but OpenWrt's dhcp is far more powerful and the AGH team are still refactoring their software to better handle more diverse setups. Thus the compromise and slightly more complex install procedure we use to do AGH filtering but keep the power of OpenWrt's dhcp.


Guest/IoT wireless networks on their own subnet, and firewall zone rules to block access to other guest networks, and the main network.
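Putting the two suggestions above together (a separate SSID whose DNS goes through AdGuardHome, on its own subnet and firewall zone that can only reach the WAN), here is an added example of what that looks like on the OpenWrt command line. It is not code from the thread or from the AdGuardHome/OpenWrt projects. It assumes `radio0` exists, the kids subnet is 192.168.3.0/24, and AdGuardHome answers on port 53 at `$AGH_IP` on the router (the manual-install layout where dnsmasq keeps DHCP only); the SSID, key and addresses are placeholders you change:

```shell
#!/bin/sh
# Added example (not from the thread): build a "kids" guest network on OpenWrt
# with the uci CLI. Assumptions (edit for your site): radio0 exists, the kids
# subnet is 192.168.3.0/24, and AdGuardHome answers DNS on the router at
# $AGH_IP port 53 while OpenWrt's dnsmasq keeps doing DHCP.
KIDS_SUBNET_IP=${KIDS_SUBNET_IP:-192.168.3.1}
AGH_IP=${AGH_IP:-$KIDS_SUBNET_IP}
KIDS_SSID=${KIDS_SSID:-Kids-WiFi}
KIDS_PSK=${KIDS_PSK:-ChangeMe-Placeholder}   # placeholder, not a real key

# Print a uci batch script; nothing changes until it is piped into `uci batch`.
guest_network_batch() {
	cat <<EOF
set network.kids=interface
set network.kids.proto=static
set network.kids.ipaddr=$KIDS_SUBNET_IP
set network.kids.netmask=255.255.255.0
set wireless.kids_ap=wifi-iface
set wireless.kids_ap.device=radio0
set wireless.kids_ap.mode=ap
set wireless.kids_ap.network=kids
set wireless.kids_ap.ssid=$KIDS_SSID
set wireless.kids_ap.encryption=psk2
set wireless.kids_ap.key=$KIDS_PSK
set wireless.kids_ap.isolate=1
set dhcp.kids=dhcp
set dhcp.kids.interface=kids
set dhcp.kids.start=100
set dhcp.kids.limit=100
set dhcp.kids.leasetime=12h
add_list dhcp.kids.dhcp_option=6,$AGH_IP
set firewall.kids=zone
set firewall.kids.name=kids
add_list firewall.kids.network=kids
set firewall.kids.input=REJECT
set firewall.kids.output=ACCEPT
set firewall.kids.forward=REJECT
set firewall.kids_wan=forwarding
set firewall.kids_wan.src=kids
set firewall.kids_wan.dest=wan
set firewall.kids_dhcp=rule
set firewall.kids_dhcp.name=kids-allow-dhcp
set firewall.kids_dhcp.src=kids
set firewall.kids_dhcp.proto=udp
set firewall.kids_dhcp.dest_port=67-68
set firewall.kids_dhcp.target=ACCEPT
set firewall.kids_dns=rule
set firewall.kids_dns.name=kids-allow-dns
set firewall.kids_dns.src=kids
add_list firewall.kids_dns.proto=tcp
add_list firewall.kids_dns.proto=udp
set firewall.kids_dns.dest_port=53
set firewall.kids_dns.target=ACCEPT
set firewall.kids_dns_dnat=redirect
set firewall.kids_dns_dnat.name=kids-force-dns
set firewall.kids_dns_dnat.src=kids
add_list firewall.kids_dns_dnat.proto=tcp
add_list firewall.kids_dns_dnat.proto=udp
set firewall.kids_dns_dnat.src_dport=53
set firewall.kids_dns_dnat.dest_ip=$AGH_IP
set firewall.kids_dns_dnat.dest_port=53
set firewall.kids_dns_dnat.target=DNAT
set firewall.kids_no_dot=rule
set firewall.kids_no_dot.name=kids-block-dot
set firewall.kids_no_dot.src=kids
set firewall.kids_no_dot.dest=wan
set firewall.kids_no_dot.proto=tcp
set firewall.kids_no_dot.dest_port=853
set firewall.kids_no_dot.target=REJECT
EOF
}

# Apply the batch and reload the affected services.
apply_guest_network() {
	guest_network_batch | uci batch \
	&& uci commit \
	&& /etc/init.d/network reload \
	&& /etc/init.d/dnsmasq reload \
	&& /etc/init.d/firewall reload \
	&& wifi reload
}

# Only touch the router when explicitly asked: `sh kids-net.sh apply`.
if [ "${1:-}" = "apply" ]; then apply_guest_network; fi
```

The zone's `forward=REJECT` plus a single kids-to-wan forwarding is what keeps the kids' devices off the main LAN; the DHCP option hands them AdGuardHome as resolver, the redirect catches devices that hard-code another resolver, and the port 853 rule stops DNS-over-TLS from bypassing the filter (DNS-over-HTTPS looks like ordinary HTTPS, so AdGuardHome's own block lists are the place to handle that). If more than one radio serves the SSID, point the interface at a bridge device instead of attaching the wifi-iface directly.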

Though it requires another device, Pi-hole's group management can be effective here, while keeping your network simple.

Make the default network limited and have more open networks for non-spoofed devices.

Did you mean LAN?

Usually, most people only see one MAC on their WAN - that of their ISP's equipment/gateway.

Otherwise, if LAN, I agree with this. Make an SSID for the teens and their friends to use.

Got a country house in the middle of nowhere; some 20+ ppl tend to hang around during summer, including quite some kids and teens.

Property is served by a single 4G connection, an OpenWrt router and some APs. Letting kids go wild with their phones is a bad idea, primarily bandwidth-wise... parenting issues as well.

My solution is to enforce a default limit on WAN download/upload speed of 1 Mbit/sec per client, using nft-qos. And then whitelist selected devices for unlimited speed, for people who work remotely, etc.

1 Mbit/s is enough to chat, upload a random photo, perhaps watch some YouTube in crappy quality. Teens also tend to get angry, complain about crappy internet, throw their phones in a corner and then go outside to do some outdoors stuff. Win-win, right?
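For anyone who wants to see what the "default cap plus whitelist" idea boils down to underneath, here is an added example written as a plain nftables ruleset. It is not the poster's configuration and not nft-qos's own code (nft-qos generates rules of this kind from `/etc/config/nft-qos`; this is a hand-written equivalent). It assumes the kids subnet is 192.168.3.0/24, the unlimited hosts have fixed DHCP leases so their addresses are stable, and an OpenWrt release with fw4, which leaves tables other than `inet fw4` alone when the firewall reloads; the addresses are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the thread, not nft-qos's own code): a per-client
# download/upload cap with a whitelist of unlimited hosts, as an nftables
# ruleset. Assumptions: kids subnet 192.168.3.0/24, whitelisted hosts have
# fixed DHCP leases, fw4 (OpenWrt 22.03+) leaves this separate table alone.
KIDS_NET=${KIDS_NET:-192.168.3.0/24}
RATE_MBIT=${RATE_MBIT:-1}
UNLIMITED="${UNLIMITED:-192.168.3.10, 192.168.3.11}"   # constructed placeholders

# nft byte limits are given in bytes, kbytes or mbytes per second; 1 Mbit/s is 125 kbytes/s.
mbit_to_kbytes() { echo $(( $1 * 125 )); }

# Print the ruleset; nothing is loaded until it is piped into `nft -f -`.
kids_ratelimit_ruleset() {
	rate=$(mbit_to_kbytes "$RATE_MBIT")
	cat <<EOF
table inet kids_qos
delete table inet kids_qos
table inet kids_qos {
	# hosts that are never capped (the "whitelist" from the post)
	set unlimited {
		type ipv4_addr
		elements = { $UNLIMITED }
	}
	# dynamic sets keyed by client address: one token bucket per client
	set dl_meter {
		type ipv4_addr
		size 65535
		flags dynamic
	}
	set ul_meter {
		type ipv4_addr
		size 65535
		flags dynamic
	}
	chain forward {
		type filter hook forward priority 10; policy accept;
		ip daddr @unlimited accept
		ip saddr @unlimited accept
		# packets that push a client over its cap are dropped; TCP then backs off
		ip daddr $KIDS_NET add @dl_meter { ip daddr limit rate over $rate kbytes/second } drop
		ip saddr $KIDS_NET add @ul_meter { ip saddr limit rate over $rate kbytes/second } drop
	}
}
EOF
}

apply_kids_ratelimit() { kids_ratelimit_ruleset | nft -f -; }

# Only load rules when explicitly asked: `sh kids-qos.sh apply`.
if [ "${1:-}" = "apply" ]; then apply_kids_ratelimit; fi
```

The `table`/`delete table` pair at the top makes the script idempotent (re-running replaces the old table instead of appending duplicate rules). A policer that drops over-limit packets is cruder than the shaping a real QoS setup does, which is why nft-qos or SQM is the better long-term answer; this only shows the mechanism. Keying the meters on the IP address rather than the MAC is deliberate, since the whole thread is about MAC randomization making MAC-based rules unreliable.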


