Variable in Block MAC Address

  1. To block Specific OUI
  2. use wildcard character for Mac Address allow list ?
    Example - Allow all except - F8:10:93:::**
  3. for example A3:2X:BC where X can be anything
  4. A3:Y4:E2 where Y can be e,2,A,c


  • On wireless?
  • On firewall?
  • Etc.?

Neither iptables or nftables (firewall), nor hostapd (wireless mac lists) support wildcard matching, which makes this feature request unimplementable.

1 Like

Did you try with arptables? Or the idea is to have it in the web interface?

This is from the man page:

-z, --source-hw [!] hwaddr[mask]
Specify the source hardware (MAC) address of the packet. hwaddr (and mask, if specified) must consist of one or more 8-bit hexidecimal numbers, separated by ':' characters. If the mask is not specified, it defaults to a number of 0xff octets equal to the length of the hwaddr specified, then 0s. The flags --source-mac , --src-hw , and --src-mac are aliases for this option.

The same is applicable to arptables-nft as well.

nvladimirov's reply above looks very promising.

Since you specifically mentioned blocking by OUI though, are you are looking for a NAC type solution such as what Cisco / ISE offers? ( ability to profile based on OUI and categorize as "Nortel Device, etc. ). If you are looking actually looking for a NAC-type solution PacketFence is a free / open source option you could integrate on a separate system.

If all you want do is block a a few OUI ranges though, maybe another option would be to request this as an enhancement to the existing BanIP package. BanIP (maintained by @dibdot ) is already designed to block ranges of IPs and has ability to block a manual list of specific MAC addresses. Perhaps it could be modified to use MAC ranges also.
For more info:

1 Like

Hi I can understand your use case as it would be handy.
I was trying to redirect/ block devices that use random MAC addresses conforming to RFC7042 by the IEFT.

There is other use cased for wildcard mac addresses listed in standards.

wild card on 48bit mac identifiers to a single word match could mean a list with 2⁴⁴ of a total list of 2⁴⁸ entries in reality.
ipset for example needs to match only from current hosts attached to the interface creating a file full of mac addresses is unrealistic.

I have tried to put in a request at the netfilter site for ipset but registrations are blocked and I have had no reply to registration.

That should be doable...stay tuned.

Edit: banIP-0.8.8 now supports MAC-ranges


I don't know if someone can request this of the netfilter people, I have tried.
OUI and Random mac address filtering sounds like a good idea.
With concerns of hardware with embeded spy capibilities it would be a great option to block such devices.

The spy device could simply use another MAC.

Random blocking?

Modern devices that connect to wifi can display their hardware MAC address or use Random mac addresses to reduce a privacy risk's and tracking of clients, this is actually standardized so one can detect them based on their MAC address bits in the prefix.

Random MAC

Yes I understand that, but how would you block it then - if it's random?

Are you asking to block all random MACs?

What you're explaining is indeed convention, but nothing (can) enforces it - there's no problem to cycle through 'real' MAC addresses randomly, without setting the bit.

Yes if devices attatch to the network with a random MAC address they could be blocked or actions preformed like a sandbox them to specific resources.

yes but consumer devices Iphones andriod devices conform to those standards.
it will force users to run with hardware mac or pose restrictions.
It is not perfect but is a idea

…just from a 5s search (first result, without digging any deeper).

Windows (on your desktop or notebook) will allow the same directly (the same goes for linux, no idea about MacOS/ iOS).

1 Like

Requires root an busybox a consumer device.generally would not have that.

I don't understand the point of the comment. Security thru obscurity (or trying to secure based on such methods) is usually frowned upon.

It seems to me, you'd always be adding new MAC combinations - 'til eventuality you blocked all OUIs.

Suggestion - just don't use WiFi (not being facetious, just offering a thought exercise regarding the feasibility of blocking all OUIs - to the point-of-the-absurd).

security through obsecurity can be used as a complementary solution alongside other methods but it can be a goot tol to under stand and manage things better in this case.

Some of the OUI are for example associated with vmware virtual servers, particular hardware, specific manufactures etc.
I can potentially use this sure it is not 100% fool proof but it is a tool.

Blocking random mac forces devices to use hardware MAC addresses and with apple devices for example I can then see dhcp hostnames and better manage my network.

Even if i dont use it as a blocking method I can still uses it to sort out traffic and understand it better.

Are you in the habit of allowing any and all devices to just connect to your network?

Blocking MAC addresses seems like using a sledgehammer to crack a nut. Disabling random MAC addresses isn't an automatic thing a device does if it can't connect, you still need to go and manually change that. And for devices that you don't control you can just as easily set up guest networks to limit their access to any trusted resources.

1 Like

You are right I'm not denying that but I plan to use it as a means of less intervention on my home network.
I don't want to block family member who may turn up at my house and attatch to my wifi just push them to a kids_lan if they use a random mac which is the default now on android and apple devices when attaching to a new network.
If they use a hardware mac It will allow them adult lan access except for specific known kids devices on the list of deny.

You can imagine my kids thinking forcing hardware mac is allowing them adult access but in reality, it is imposing restrictions.

My alternative is to only specific macs on the adults lan which requires more intervention and creating rules.

We are now in a world of flippers and other such devices that can eavesdrop WIFI passwords by creating fake networks, cellphones and apps can display QR codes to share wifi passwords for enterprise WIFI the list goes on...

There's another alternative of just creating a guest network for guests to use. Doesn't require convoluted attempts to block random MAC addresses or any repeated intervention/rule changes. The concept of using MAC addresses for any sort of network security is just not a good one.