Nowadays many devices support MAC Address Randomization, which enables the device to use a different random MAC address for each Wi-Fi SSID, to prevent the device's activity and movement being tracked on networks. It is often called Randomized MAC or Private Address.
With MAC Randomization turned on, Firewalla may not be able to track the device because it may be discovered as a new device when it uses another random mac address to connect to the network. All the existing rules configured for that device may not work any more.
For Firewalla to identify and protect your device properly, please follow the instruction below to turn off MAC Randomization on the network monitored by Firewalla.
MAC Randomization is per SSID based. Turning it off in your own network will not stop you from enabling it in other Wifi networks, such as Public WiFi.
Note: After the MAC Address randomization is turned off, the device will be discovered as a new device on the next connection to the network.
- Open the Settings on your iPhone, iPad, or iPod, then tap Wi-Fi or WLAN.
- Tap the information button next to the network monitored by Firewalla.
- Turn off Private Address.
- Re-join the network.
See more details from Apple: https://support.apple.com/en-us/HT211227
- Open the Settings.
- Tap Network & Internet -> Wi-Fi.
- Tap the gear icon associated with the network monitored by Firewalla.
- Tap MAC address type.
- Tap Phone MAC.
- Re-join the network.
- Select the Start button, then select Settings > Network & Internet > Wi-Fi > Manage known networks.
- Choose the network monitored by Firewalla, then select Properties, Turn off Use random hardware addresses for this network.
- Re-join the network.
See more details from Microsoft: https://support.microsoft.com/en-us/help/4027925
How parental controls can be effective if kids on their iphone keep using private Mac address? Just bought FWG and trying to find a solution to this issue. Is there an option in FWG to implicitly deny any new Mac address?
@Zeeshan, the best way is always talking to the kids first. If that fails, you should turn on this feature, https://help.firewalla.com/hc/en-us/articles/360058853313-Firewalla-New-Device-Quarantine
Device quarantine will block all new devices from accessing internet until you approve
@Zeeshan in addition to the suggested solution by @Firewalla, I believe 2 other methods can further help with this as well as give you additional traffic control options:
A.) Strongest solution for this and securing your networks in general that I’m aware of that’s also relatively practical to implement is:
Get a Wi-Fi AP that has both a built-in radius server and VLAN support, and use WPA2-AES (Enterprise) or newer Enterprise Wi-Fi security which is generally the strongest practical way of identifying each unique user on any Wi-Fi network.
Use this Enterprise security on SSID’s that have user-configurable devices (I.e. non-IOT devices, and put those on a separate VLAN & SSID. Use mdns forwarding between subnets if required).
I suggest an HP/Aruba IAP access point used from eBay. These are locally controllable/configurable, have a built in RADIUS server, and they do not require license fees in order to download the latest firmware, and while they are no longer being made they are still supported for a few more years.
B.) if you don’t want to use wifi enterprise security, just Get a VLAN aware wireless Access Point and give the kids their own SSID associated with a unique VLAN #. This way firewall rules can just be applied to the entire VLAN of that SSID.
Requires not telling the kids the password to the other SSID used by the parents on a different VLAN, and making sure the kids cannot get the password from your other devices (e.g. a Wi-Fi password on one unlocked iPhone can be shared with another iPhone/iPad by to holding them next to each other)
In either case I would still auto quarantine as @Firewalla suggests.
I have found the quarantine to be very flaky and unreliable.
Quarantined devices are usually not actually blocked from anything.
In fact Firewalla in general is not very reliable, and rules/blocks are often just not working in general.
@Russ, can you give an example of quarantine not blocking? (and also double check if you have rules applied to the quarantine to make sure they are blocking or configured to do what you want to do?)
As of general rules not working, need an example too.
I would have thought this is self explanatory.
EXAMPLE: a new device connects to the network.... and nothing is blocked, it has full access to the internet.
If you select the device in firewalla, it says it is quarantined, and internet access is blocked.
This doesn;t just apply to quarantine either, it applies to blocks in general. Enabling blocks, even the entire internet access block, often has no effect.
Can you please check the rules or the rules applied to the quarantine group? do you see block internet rule on it? if it does and your device can still talk to the internet, please contact support, likely something else is going on
the quarantine group has all internet access blocked by default.
But I think you are completely missing the point here. As stated above , blocks in general often have no effect, not just for quarantine.
as in go to any device, and click one of the block buttons, and it might have no effect whatsoever.
I have already contacted support, I spend many months going back and ofrth repeating the same steps again and again and again.... and got nowhere.
The firewalla is just unreliable and useless for parental control, so I gave up.
I tried to claim a refund, but due to many months support dragged the ticket on for, this put me outside the warranty period, so I was told tough luck,
Russ, I am looking at your cases; the issue is very likely that your router is incompatible with Firewalla Red's simple mode. Our staff has suggested using the DHCP mode instead, and most of the time, this will fix the issue.
This article here explains the modes https://help.firewalla.com/hc/en-us/articles/115004292514-How-does-Firewalla-Intercept-Traffic-Which-Firewalla-mode-to-use-
And this explains DHCP mode https://help.firewalla.com/hc/en-us/articles/115004304114-Everything-about-Firewalla-DHCP-Mode-
I cannot use DHCP mode, it doesn't work properly and causes even more issues.
I have mentioned this dozens of times in my tickets.
Please sign in to leave a comment.