MAC Filter Setting not working

mrkrokpacman
Grasshopper

I see some unrecognized devices connected to my WiFi 5GHz network and am trying to understand what they are.
I came to MAC address filtering and added the MAC addresses to the list + set the policy to 'Deny'.
48 hours later the devices are still there (DHCP lease time set to 24h).
Then I tried to block my cell phone MAC - it's not affecting phone connectivity. Yes, I had to add it twice to both 2.4 and 5GHz network lists (that should be a separate thread and bug report to developers though).

MAC Filter Setting

You can control the Wi-Fi access to the USG using the below Mac-Filter settings.

SSID: (my SSID)

MAC Filtering Mode: Deny
Wi-Fi Control List (up to 64 items)
#  Device Name        MAC Address
1  1a:db:51:73:de:03  1A:DB:51:73:DE:03


I believe the 'Deny' policy in the MAC filtering control list should block traffic coming from the MAC addresses to the router, and a device should not get an IP address or get any response from the router.
What does the 'deny' policy actually affect?

How do I block any device from connecting to my WiFi networks? (Please do not suggest dumb workarounds like changing my WiFi password as soon as I see any unrecognized device)

Tech info:

System Hardware

Model: CGM4331COM
Vendor: Technicolor
Hardware Revision: 2.0

System Software Version

eMTA & DOCSIS Software Version: Prod_23.2_231009 & Prod_23.2_231009
Software Image Name: CGM4331COM_7.6p10s2_PROD_sey
Advanced Services: CGM4331COM
Packet Cable: 2.0
7 Replies


mrkrokpacman
Grasshopper

How can I edit my post? Did not want to be rude in part of workarounds 🙂
Does anyone know what type of devices/VMs can have such MAC addresses?
I have 2 unknown devices which I cannot block with the SHAW router. They register to 2.4 and 5GHz networks and have MAC addresses 1A:DB:51:73:DE:03 and A6:E2:AA:C4:43:D3. They obtain IPv4 and IPv6 addresses.
Wireshark does not see any traffic coming from it (except for ICMP replies if I ping them). ICMP replies sometimes DUP!. They have TTL=64.

NMAP scan shows no open ports (All 65535 scanned ports are closed).

If only I could block them with the router. But as I said, the router fails to block devices by the MAC address even if configured to do so.

Thanks


g-idk
Master

Hi @mrkrokpacman, you only have a limited time, maybe 10 mins I think, to edit a published post. On the right hand side of the post that you want to edit you should see a greyish circle with 3 dots inside it; click on this and if you're still within the time frame, you should see an option for you to edit that post. Hope that makes sense. I'm not really a heavy tech person on here, but in regards to your inquiry about those devices, do you have any Rogers/Shaw TV boxes? I ask because they might be the unknown devices that you are seeing, since they use Wi-Fi. Sorry, not much help otherwise.


mrkrokpacman
Grasshopper

Thank you for your reply.

No, I don't have any devices from SHAW except for the router itself. Actually I walked around the house to see and recall any device I could ever connect to the WiFi networks and found nothing.

I moved in and got a NEW router as a new client in this house just about 2 months ago, so I really can remember what devices I entered the new WiFi passwords to. Those 2 MAC addresses seem to be fake, as they are not recognized on any website which could say the network card manufacturer by the MAC.

I need to figure out how to make the SHAW router respect its DENY list: Gateway > Connection > Wi-Fi > MAC Filter Setting > Wi-Fi Control List

It looks like this list is not taken into account, as I said before it still allows my phone to connect to the WiFi network and to the Internet through it when I try to block it there.

Any advice is welcomed,
Thank you


g-idk
Master

@mrkrokpacman, sorry but I've totally drawn a blank here. Maybe someone else will enter the conversation with some ideas, so you can get a resolution. Take care.


mdk
Legendary Grand Master

@mrkrokpacman -- what is the manufacturer of your mobile-phone?

The iPhone will, for "privacy" reasons, offer a different MAC-address each time that it sends a DHCP-request (that includes a MAC-address) to the DHCP-server. On the iPhone, you can disable this use of "random" MAC-addresses. If your iPhone is sending "random" MAC-addresses, you'll have to block every MAC-address inside the router.

After the DHCP-server assigns an IP-address to your phone, the MAC-address is NOT used for your Internet connectivity, until the time when your phone sends a "DHCP-renew" request to the router.

Thus, if you configure the router to block a MAC-address, you MUST restart your router (power-off/power-on) to make it "forget" what MAC-address(es) were previously connected. This forces your phone to issue a new DHCP-request, with a "new" MAC-address embedded.

So, filtering a MAC-address should prevent that device (computer, smart-phone) from receiving a DHCP-response, and thus gaining Internet access. 

If you leave home with your phone, and get out-of-range of your router, then, when you return home, your phone will send a "new" DHCP-request, rather than a "renew" DHCP-request, and may send a "random" MAC-address to your router.

 

 

 

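Both unknown addresses quoted in this thread (1A:DB:51:73:DE:03 and A6:E2:AA:C4:43:D3) have the locally-administered bit (0x02 of the first octet) set, so no vendor OUI is registered for them and lookup sites return nothing. The following is an added example, not part of any post in the thread: it classifies addresses by that bit and cross-checks a deny list against the clients a gateway reports as connected. The `00:11:22:...` addresses and the connected-client table are constructed sample data, and the function names are hypothetical.

```python
import re

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Describe an address using the two flag bits of its first octet."""
    raw = parse_mac(text)
    return {
        "mac": raw.hex(":").upper(),
        "local": bool(raw[0] & 0x02),      # U/L bit set: locally administered, no vendor OUI
        "multicast": bool(raw[0] & 0x01),  # I/G bit set: group address, not a single station
    }

def audit(deny_list, associated):
    """Compare a deny list with the clients the gateway reports as connected."""
    denied = {parse_mac(m) for m in deny_list}
    findings = []
    for mac in associated:
        info = classify(mac)
        if parse_mac(mac) in denied:
            findings.append((info["mac"], "on deny list but still associated"))
        if info["local"]:
            findings.append((info["mac"], "locally administered: no vendor OUI, may be a randomized address"))
    return findings

# The first two entries are the unknown addresses quoted in the thread;
# the third is a constructed stand-in for the poster's phone.
DENY_LIST = ["1a:db:51:73:de:03", "A6-E2-AA-C4-43-D3", "00:11:22:33:44:55"]
# Constructed sample of a gateway's connected-devices table.
ASSOCIATED = ["1A:DB:51:73:DE:03", "00:11:22:33:44:55", "0011.2233.4466"]

if __name__ == "__main__":
    for mac, note in audit(DENY_LIST, ASSOCIATED):
        print(mac, "-", note)
```
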


mrkrokpacman
Grasshopper

I have an Android device, and the WiFi MAC randomization is turned off.

My question is not about getting IP addresses from the DHCP server.
The settings page has name "MAC filter setting", but it looks like it does not block any device listed in the 'DENY' list.

From the router help tooltip: "Deny: Wireless device in the "Wireless Control List" are not allowed to connect to gateway"
In my experience the 'DENY' rule should block the device from any interaction with the router, not only obtaining an IP address. But this piece of Technicolor wonder shows completely different behavior.


DENY_not_working.jpg
[red - unknown device (added to the deny list)]
[green - my phone (added to the deny list)]

Just to recheck, I have rebooted the router, but both the phone and the unknown device reconnected without any issues.


I would like to hear from any user experiencing the same problem with this router (or how to actually block the device with a particular MAC address). As a last resort I would change the SSID and password 😞

P.S. I have not dealt with DOCSIS cable routers - is it possible to use my own router, or should its serials/ids be set on the SHAW side to be authenticated? I am thinking about using any other router with all settings uncovered, and not shifted to the mobile application (normal devices management, port redirection etc).


mdk
Legendary Grand Master

> I have rebooted the router, but both the phone and the unknown device reconnected without any issues.

If your Android had received a DHCP-response before you rebooted the router, it will issue a "DHCP-renew" (not "DHCP-request") message to the router. The router may "recognize" the reconnection attempt, ignoring the "deny" rule.

Try powering-off your router, and then, on your Android phone, click to "forget" the WiFi connection.  Then, power-on your router, and then, on your Android phone, try to establish a WiFi connection from "scratch".

 

 
