What is MAC Randomization
"Mac randomization is a privacy-enhancing technique that periodically changes the unique identifier of a device's network interface, known as the MAC address, making it harder to track and identify the device. Users can protect their privacy using random MAC addresses and mitigate the risk of unauthorized parties tracking their network activities."
MAC Randomization vs. Private MAC
Your device may have a private MAC address and not randomizing. In this case, running it on your network should be okay. (until you see that MAC address changes)
Why should MAC randomization be off on "your" home or business network"?
When your device uses MAC randomization, it continuously changes its unique identifier, or "MAC," on a network. While this might initially seem like a good way to protect your privacy, it actually weakens security. Hackers can exploit this constant identifier change to carry out attacks, intercept data, or gain unauthorized access without leaving a trace. It becomes difficult to monitor and control network access effectively, leaving your device more vulnerable to malicious activities.
- This randomization can be malicious. It is a way to bypass internal controls and monitoring. (including kids trying to look at things they shouldn't)
- Making network management much more difficult. With MAC randomization, there is no way you will get an accurate account of devices in a network, and applying rules to them will be much more difficult.
- Network performance will also be impacted if a network device like Firewalla tracks devices. For example, if your network is a /24, it will only take 255 times for a device to drain the DHCP table.
How to turn off MAC Randomization?
MAC Randomization is SSID based. Turning it off in your network will continue you from enabling it in other Wifi networks, such as Public WiFi.
Note: After the MAC Address randomization is turned off, the device will be discovered as a new device on the next connection to the network.
iOS
- Open the Settings on your iPhone, iPad, or iPod, then tap Wi-Fi or WLAN.
- Tap the information button
next to the network monitored by Firewalla. - Turn off Private Address.
- Re-join the network.
See more details from Apple: https://support.apple.com/en-us/HT211227
Android
- Open the Settings.
- Tap Network & Internet -> Wi-Fi.
- Tap the gear icon associated with the network monitored by Firewalla.
- Tap MAC address type.
- Tap Phone MAC.
- Re-join the network.
Windows
- Select the Start button, then select Settings > Network & Internet > Wi-Fi > Manage known networks.
- Choose the network monitored by Firewalla, then select Properties, Turn off Use random hardware addresses for this network.
- Re-join the network.
See more details from Microsoft: https://support.microsoft.com/en-us/help/4027925
What if I can't turn MAC Randomization off?
If, for some reason, the manufacturer of the device does not have the option to turn off MAC randomization, and you still want to run the widget on your network
- Use network segmentation to quarantine these devices on another network.
- If you can not segment, you still can use the firewalla new device quarantine to manage these devices.
- If a device randomizes its MAC very often, you will need to watch out and make sure your DHCP space doesn't get used up. (if this happens, you should just remove that device from your network)
Comments
10 comments
How parental controls can be effective if kids on their iphone keep using private Mac address? Just bought FWG and trying to find a solution to this issue. Is there an option in FWG to implicitly deny any new Mac address?
@Zeeshan, the best way is always talking to the kids first. If that fails, you should turn on this feature, https://help.firewalla.com/hc/en-us/articles/360058853313-Firewalla-New-Device-Quarantine
Device quarantine will block all new devices from accessing internet until you approve
@Zeeshan in addition to the suggested solution by @Firewalla, I believe 2 other methods can further help with this as well as give you additional traffic control options:
A.) Strongest solution for this and securing your networks in general that I’m aware of that’s also relatively practical to implement is:
Get a Wi-Fi AP that has both a built-in radius server and VLAN support, and use WPA2-AES (Enterprise) or newer Enterprise Wi-Fi security which is generally the strongest practical way of identifying each unique user on any Wi-Fi network.
Use this Enterprise security on SSID’s that have user-configurable devices (I.e. non-IOT devices, and put those on a separate VLAN & SSID. Use mdns forwarding between subnets if required).
I suggest an HP/Aruba IAP access point used from eBay. These are locally controllable/configurable, have a built in RADIUS server, and they do not require license fees in order to download the latest firmware, and while they are no longer being made they are still supported for a few more years.
OR
B.) if you don’t want to use wifi enterprise security, just Get a VLAN aware wireless Access Point and give the kids their own SSID associated with a unique VLAN #. This way firewall rules can just be applied to the entire VLAN of that SSID.
Requires not telling the kids the password to the other SSID used by the parents on a different VLAN, and making sure the kids cannot get the password from your other devices (e.g. a Wi-Fi password on one unlocked iPhone can be shared with another iPhone/iPad by to holding them next to each other)
In either case I would still auto quarantine as @Firewalla suggests.
Zeeshan Yousuf
I have found the quarantine to be very flaky and unreliable.
Quarantined devices are usually not actually blocked from anything.
In fact Firewalla in general is not very reliable, and rules/blocks are often just not working in general.
@Russ, can you give an example of quarantine not blocking? (and also double check if you have rules applied to the quarantine to make sure they are blocking or configured to do what you want to do?)
As of general rules not working, need an example too.
I would have thought this is self explanatory.
EXAMPLE: a new device connects to the network.... and nothing is blocked, it has full access to the internet.
If you select the device in firewalla, it says it is quarantined, and internet access is blocked.
This doesn;t just apply to quarantine either, it applies to blocks in general. Enabling blocks, even the entire internet access block, often has no effect.
Can you please check the rules or the rules applied to the quarantine group? do you see block internet rule on it? if it does and your device can still talk to the internet, please contact support, likely something else is going on
the quarantine group has all internet access blocked by default.
But I think you are completely missing the point here. As stated above , blocks in general often have no effect, not just for quarantine.
as in go to any device, and click one of the block buttons, and it might have no effect whatsoever.
I have already contacted support, I spend many months going back and ofrth repeating the same steps again and again and again.... and got nowhere.
The firewalla is just unreliable and useless for parental control, so I gave up.
I tried to claim a refund, but due to many months support dragged the ticket on for, this put me outside the warranty period, so I was told tough luck,
Russ, I am looking at your cases; the issue is very likely that your router is incompatible with Firewalla Red's simple mode. Our staff has suggested using the DHCP mode instead, and most of the time, this will fix the issue.
This article here explains the modes https://help.firewalla.com/hc/en-us/articles/115004292514-How-does-Firewalla-Intercept-Traffic-Which-Firewalla-mode-to-use-
And this explains DHCP mode https://help.firewalla.com/hc/en-us/articles/115004304114-Everything-about-Firewalla-DHCP-Mode-
I cannot use DHCP mode, it doesn't work properly and causes even more issues.
I have mentioned this dozens of times in my tickets.
Please sign in to leave a comment.