Adding security to your WIFI network with a MAC whitelist.
- Jul, 11, 2013
- Keith Snazel
Below you will find a step by step how-to guide on adding a whitelist to a typical consumer router, but first a brief statement:
Easily defeated? – A MAC whitelist is another layer of protection that can be added to your WIFI network in an effort to keep unwanted devices out. It does NOT replace a strong WPA2 password, but complements it. Whitelists are not perfect and a determined attacker could bypass them with enough effort. Should they be ignored for providing a false sense of security? Perhaps. I think that, while not complete protection, a whitelist can be used, as one tool of many, to thwart the “drive-by” intruder.
How does a MAC whitelist work? Every internet-capable device has a unique ID code called a MAC address. How is this different from an IP address? An IP address can be re-assigned to any device while the MAC address is hard-coded to the device. A MAC whitelist is an inventory of known MAC addresses that are permitted or denied access to the WIFI network. If you have two smartphones and one laptop that connect to your WIFI network, then the MAC address of each device would be added to the router’s MAC whitelist. When a device tries to connect to the network, the router will compare the incoming MAC address against the whitelist and if there is a matching entry, it will permit that device to connect.
A reverse whitelist or “blacklist” denies defined MAC addresses access to the network. This is useful if you want to deny certain devices on one WIFI network, but allow them to connect to another. An example would be a workplace, which has both private and public WIFI. By denying the trusted device on the public WIFI, you force it to try to authenticate on the private network. Below I will outline how to build a typical whitelist that allows listed MAC addresses to connect.
Procedure to build a MAC whitelist on a DD-WRT router:
- Log into the router.
- Click “Wireless… MAC Filter”
- Click “Enable” on “Use Filter”
- Click “Permit only clients listed to access the wireless network” on “Filter Mode”
- Click “Save”, Click “Apply Settings”
- Click button “Edit MAC Filter List”
- In the pop-up you can enter up to 256 MAC addresses. The MAC address for your device can usually be found in the network or WI-FI settings, depending on the device. The format is six two-digit hexadecimal values separated by colons. Example: 08:00:69:E2:01:FE
- Click “Save”, Click “Apply Settings”
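
Before pasting a device inventory into the filter list, it helps to validate it. The following is an added example, not part of the original post or of DD-WRT: it normalizes entries to the colon format shown above, drops duplicates, enforces the 256-entry limit, and mirrors the router's permit-only decision. The function names, the accepted hyphen and dot separators, and all sample addresses other than the post's own example are assumptions made for illustration.

```python
import re

MAX_ENTRIES = 256  # limit stated for the DD-WRT pop-up in the steps above
_HEX12 = re.compile(r"[0-9A-F]{12}")

def normalize_mac(raw):
    """Return the address as XX:XX:XX:XX:XX:XX, or raise ValueError."""
    digits = re.sub(r"[:.\-\s]", "", raw).upper()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, i.e. the address was
    assigned by software (for example a per-network private address)
    rather than burned in by the manufacturer."""
    return bool(int(mac[:2], 16) & 0x02)

def build_filter_list(raw_entries):
    """Validate, normalize and de-duplicate entries for the filter list.

    Returns (accepted, warnings). Raises ValueError on a malformed entry
    or when more than MAX_ENTRIES unique addresses remain.
    """
    accepted, warnings = [], []
    for raw in raw_entries:
        mac = normalize_mac(raw)
        if mac in accepted:
            warnings.append(f"{mac}: duplicate entry dropped")
            continue
        if is_locally_administered(mac):
            warnings.append(f"{mac}: locally administered; confirm the "
                            "device keeps this address on this network")
        accepted.append(mac)
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} entries exceeds {MAX_ENTRIES}")
    return accepted, warnings

def is_permitted(client_mac, accepted):
    """The router-side decision in 'permit only listed clients' mode."""
    return normalize_mac(client_mac) in accepted

if __name__ == "__main__":
    # Constructed sample inventory; the first entry is the post's example.
    inventory = ["08:00:69:E2:01:FE", "08-00-69-e2-01-fe",
                 "0800.69aa.bbcc", "DA:A1:19:00:00:01"]
    macs, notes = build_filter_list(inventory)
    print("\n".join(macs))
    print("\n".join(notes))
```

A device flagged as locally administered may present a different address later, in which case it will be refused until its current address is added to the list.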