Adding security to your WIFI network with a MAC whitelist.

Below you will find a step by step how-to guide on adding a whitelist to a typical consumer router, but first a brief statement:

Easily defeated? – A MAC whitelist is another layer of protection that can be added to your WIFI network in an effort to keep unwanted devices out. It does NOT replace a strong WPA2 password, but complements it. Whitelists are not perfect and a determined attacker could bypass them with enough effort. Should they be ignored for providing a false sense of security? Perhaps. I think that, while not complete protection, a whitelist can be used, as one tool of many, to thwart the “drive-by” intruder.

How does a MAC whitelist work? Every internet-capable device has a unique ID code called a MAC address. How is this different from an IP address?  An IP address can be re-assigned to any device while the MAC address is hard-coded to the device.  A MAC whitelist is an inventory of known MAC addresses that are permitted or denied access to the WIFI network.  If you have two smartphones and one laptop that connect to your WIFI network, then the MAC address of each device would be added to the router’s MAC whitelist.  When a device tries to connect to the network, the router will compare the incoming MAC address against the whitelist and if there is a matching entry, it will permit that device to connect.

A reverse whitelist or “blacklist” denies defined MAC addresses access to the network. This is useful if you want to deny certain devices on one WIFI network, but allow them to connect to another. An example would be a workplace, which has both private and public WIFI. By denying the trusted device on the public WIFI, you force it to try to authenticate on the private network. Below I will outline how to build a typical whitelist that allows listed MAC addresses to connect.

Procedure to build a MAC whitelist on a DD-WRT router:

  1. Log into the router. 
  2. Click “Wireless… MAC Filter”
  3. Click “Enable” on “Use Filter”
  4. Click “Permit only clients listed to access the wireless network” on “Filter Mode”
  5. Click “Save”, Click “Apply Settings”
  6. Click button “Edit MAC Filter List”
  7. In the pop-up you can enter up to 256 MAC addresses. The MAC address for your device can usually be found in the network or WI-FI settings, depending on the device. The format is six pairs of HEX digits separated by colons. Example: 08:00:69:E2:01:FE
  8. Click “Save”, Click “Apply Settings”
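
Before typing addresses into the pop-up, it helps to check a device inventory against the format from step 7 and the 256-entry limit, so the same clean list can be entered on every router. The following is an added example, not part of the original post or of DD-WRT; the function names and the sample inventory are assumptions made for illustration, and `is_permitted` only mirrors the "permit only clients listed" decision described above.

```python
import re

MAX_ENTRIES = 256  # limit stated in step 7 of the procedure
_MAC_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}")  # six hex pairs, colons

def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated pairs, or None if malformed."""
    candidate = raw.strip().upper().replace("-", ":")
    return candidate if _MAC_RE.fullmatch(candidate) else None

def build_whitelist(lines):
    """Validate inventory lines of the form 'MAC  # owner'.

    Returns (whitelist, rejected): unique normalized MACs in input order,
    and the raw entries that did not match the expected format.
    """
    whitelist, rejected = [], []
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # drop the owner comment
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append(entry)
        elif mac not in whitelist:  # skip duplicates
            whitelist.append(mac)
    if len(whitelist) > MAX_ENTRIES:
        raise ValueError(f"{len(whitelist)} entries exceed the {MAX_ENTRIES} limit")
    return whitelist, rejected

def is_permitted(client_mac, whitelist):
    """Whitelist decision: allow only if the client MAC matches an entry."""
    mac = normalize_mac(client_mac)
    return mac is not None and mac in whitelist

# Constructed sample inventory (only the first address comes from step 7).
SAMPLE_INVENTORY = [
    "08:00:69:E2:01:FE  # laptop",
    "08-00-69-e2-01-fe  # same laptop, typed with dashes",
    "02:1a:2b:3c:4d:5e  # phone",
    "08:00:69:E2:01     # typo: only five pairs",
    "08:00:69:E2:01:FG  # typo: G is not a hex digit",
]

if __name__ == "__main__":
    allowed, bad = build_whitelist(SAMPLE_INVENTORY)
    print("\n".join(allowed))
    for entry in bad:
        print("rejected:", entry)
```

Rejected entries are worth fixing before enabling the filter, since a mistyped address locks that device out of the wireless network.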


10 Responses so far.

  1. Keith Snazel says:

    I approve of this message!

  2. Josh says:

    Is there a way to copy a whitelist from one router to another…say if you were trying to set up a network with several APs and wanted the same MAC addresses in each whitelist?

    • Keith Snazel says:

      Good question Josh. If you mean an automatic sharing of a common whitelist so that updating one Access Point updates all of the APs then the question is a little more involved. For this scenario you are moving towards a commercial solution where all of the access points are centrally managed. Aruba Networks does a nice job of this, here is a link:
      http://www.arubanetworks.com/products/access-points/

      If you mean residential APs then you would probably have to do this manually with a “Cut and Paste” solution. Perhaps it is possible to take advantage of the DD-WRT command line / shell to automate this task but I haven’t looked closely enough to say one way or another. Good luck.

  3. Kaushal.kate says:

    I have Tp Link’s router so it will be same setting for the Tp link ????

  4. Jared says:

    Hi I’m having a little problem here. I accidentally activated the white list and now I can’t find my router meaning I put its address in to configure settings but it doesn’t show up, what do I do?

    • Keith Snazel says:

      Hi Jared. Have you enabled the whitelist before putting your own machine on it? If this is the problem I suggest you plug into your router with an Ethernet cable thus bypassing the whitelist and try again. If that does not work you may have to reset the router to factory default.

  5. Abaximan says:

    Works perfect with laptops, but I have issue with android devices as soon as I enable “Permit only clients listed to access the wireless network”. They lose connection right afterward…and also MAC addresses for all android devices look weird in wifi mac list. I’m just another amateur :), but I think there should be more numbers and less zeroes. All android MAC addresses look like this: 00:00:00:F7:00:00. Any idea why? Oh…I’m using Buffalo WHR-600D btw.

    • Keith Snazel says:

      I’m glad you found these instructions helpful.

      Yes that MAC address you listed is incorrect. On my Android device I can find the WIFI MAC by selecting Settings… General… About Phone… Hardware Info. Basically dig through the Android settings to the section that lists info about the device and look for the MAC address. Good luck!
      Keith

  6. qqtpie says:

    Perfect for when my son is grounded from the internet 🙂
