Nowadays many devices support MAC Address Randomization, which enables the device to use a different random MAC address for each Wi-Fi SSID, to prevent the device's activity and movement being tracked on networks. It is often called Randomized MAC or Private Address.
With MAC Randomization turned on, Firewalla may not be able to track the device because it may be discovered as a new device when it uses another random mac address to connect to the network. All the existing rules configured for that device may not work any more.
For Firewalla to identify and protect your device properly, please follow the instruction below to turn off MAC Randomization on the network monitored by Firewalla.
MAC Randomization is per SSID based. Turning it off in your own network will not stop you from enabling it in other Wifi networks, such as Public WiFi.
Note: After the MAC Address randomization is turned off, the device will be discovered as a new device on the next connection to the network.
iOS
- Open the Settings on your iPhone, iPad, or iPod, then tap Wi-Fi or WLAN.
- Tap the information button
next to the network monitored by Firewalla. - Turn off Private Address.
- Re-join the network.
See more details from Apple: https://support.apple.com/en-us/HT211227
Android
- Open the Settings.
- Tap Network & Internet -> Wi-Fi.
- Tap the gear icon associated with the network monitored by Firewalla.
- Tap MAC address type.
- Tap Phone MAC.
- Re-join the network.
Windows
- Select the Start button, then select Settings > Network & Internet > Wi-Fi > Manage known networks.
- Choose the network monitored by Firewalla, then select Properties, Turn off Use random hardware addresses for this network.
- Re-join the network.
See more details from Microsoft: https://support.microsoft.com/en-us/help/4027925
Comments
3 comments
How parental controls can be effective if kids on their iphone keep using private Mac address? Just bought FWG and trying to find a solution to this issue. Is there an option in FWG to implicitly deny any new Mac address?
@Zeeshan, the best way is always talking to the kids first. If that fails, you should turn on this feature, https://help.firewalla.com/hc/en-us/articles/360058853313-Firewalla-New-Device-Quarantine
Device quarantine will block all new devices from accessing internet until you approve
@Zeeshan in addition to the suggested solution by @Firewalla, I believe 2 other methods can further help with this as well as give you additional traffic control options:
A.) Strongest solution for this and securing your networks in general that I’m aware of that’s also relatively practical to implement is:
Get a Wi-Fi AP that has both a built-in radius server and VLAN support, and use WPA2-AES (Enterprise) or newer Enterprise Wi-Fi security which is generally the strongest practical way of identifying each unique user on any Wi-Fi network.
Use this Enterprise security on SSID’s that have user-configurable devices (I.e. non-IOT devices, and put those on a separate VLAN & SSID. Use mdns forwarding between subnets if required).
I suggest an HP/Aruba IAP access point used from eBay. These are locally controllable/configurable, have a built in RADIUS server, and they do not require license fees in order to download the latest firmware, and while they are no longer being made they are still supported for a few more years.
OR
B.) if you don’t want to use wifi enterprise security, just Get a VLAN aware wireless Access Point and give the kids their own SSID associated with a unique VLAN #. This way firewall rules can just be applied to the entire VLAN of that SSID.
Requires not telling the kids the password to the other SSID used by the parents on a different VLAN, and making sure the kids cannot get the password from your other devices (e.g. a Wi-Fi password on one unlocked iPhone can be shared with another iPhone/iPad by to holding them next to each other)
In either case I would still auto quarantine as @Firewalla suggests.
Please sign in to leave a comment.