Used to quite happily restrict kids time using MAC address of the iDevices
After upgrade to iOS14, it simply does not work, as the private address changes every 12 hours.
So different MAC, different IP from DHCP
Is there any other way to do restrictions?
Or deny obtaining IP if NOT REAL MAC is used? (none of the private addresses are real MAC as seen in MAC Address Lookup )
MAC Address Lookup Result - D6:A5:B6:86:1E:58
The result could not be obtained
Which forces the user back to using Real MAC only (turn off Private bit)
Otherwise one could use (last resort) Hostname, but I cannot see how it could be used in Firewall Rule
Simply disable the option?
I have an iOS device that updated to 14.x some days ago and started using this random MAC-address.
Go into setting of the phone, to the Wireless settings and disable “Private Network” and done…
Easy if the iOS devices are under your own control.
Please read carefully, if one tries Time Restrictions then definitely not on a device that one controls physically…
So I used this and firewall rule that does use src-address-list= (where the list contains FQDN)
That should work… I hope
Even if it does, it is very much a “poor man’s” solution, because it relies on IP being obtained from DHCP (so DNS gets updated)
Change to static & the whole lot is no longer valid. At which point it is cat & mouse chase…
I read : Used to quite happily restrict kids time using MAC address of the iDevices
So … you have nothing to say about idevices of your KIDS ? Strange world we live in then.
Perhaps my interpretation is wrong, and you mean something else with “restrict kids time”
The “kids control” feature on Mikrotik only uses MAC-addresses for identification (and then the IP is retrieved from the ARP-table using the MAC you provided).
There seems, as far as the Wiki is up-to-date, no way to use other criteria.
So yeah … then you are out of luck with a Mikrotik product.
Alternative is create a separate Wireless SSID for kids and control the SSID. Simply disable it on certain times.
Depends on the wireless infra you have of course, but that may also be a route.
I don’t have any iOS device to test it, but quick search suggests that these random MAC addresses should correctly set the local bit. If you include bridge in your config (you could use one as “wrapper” for wlan interface, if you don’t already have some), then bridge filters have option for matching source MAC address with mask. I never used it myself, but it looks like it could be used to block all “fake” addresses.
I guess what @Sob had in mind with “local bit” is bit denoting locally administered address which is second-to-LSB in most significant octet of MAC address. If MAC address is represented as series of HEX digits (like xY:xx:xx:xx:xx:xx), then it’s octet Y carrying this bit. If the bit is set, then digit Y will be any of the following: 2, 3, 6, 7, A, B, E, F
Sure, I could make yet another SSID (already have 5, but not using Mikrotik for that) and control that.
Pseudo MAC is really Random and unless there is something that can be build into RouterOS that does the check, I see no easy way that the fact could be used for “bridge filters matching source MAC address with mask”
edit:
So we could go with mask(s) in /interface bridge filter
https://www.blackmanticore.com/fc5c95c7 … 539852f8fb
Like private IP address ranges (defined in RFC 1918), there are also private MAC address ranges. These are called Locally Administered Address Ranges which are never used by devices or other vendors. MAC addresses in these ranges can be safely used, assuming they are unique within your network:
Kids are supposed to be technically savvy, at least that is what we want to achieve with Coderdojo and other Technics Academy. They learn to re-mix code and share workarounds. Unless you lock the smartphone with some control software (as in a company) like “Parental Control” they will ‘manage’ their smartphone from 9 years old onwards.
What we have here is disruptive for many businesses and portal managers. The users suffer as well (MAC cookie for the portal to avoid repeated logon).
My connection authentications have been set up using WPA2-EAP/Enterprise/802.11x/RADIUS. The user is identified on whatever MAC without reentering credentials. But it is very hard to find a software that links that authentication to a portal. (And Fortinet’s RSSO is out of scope with a Mikrotik only network.)
I don’t know where you have the bridge, if wlan interface is part of it (in that case in-interface=ether2-master would be wrong) or if it’s separate device. When everything else is correct, src-mac-address=06:00:00:00:00:00/FF:00:00:00:00:00 would match 06-61-61-12-db-43, but if you want to have it universal, then src-mac-address=02:00:00:00:00:00/03:00:00:00:00:00 should do the trick (again, when everything else is right, port, bridge, ..).
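The two posts above (the one explaining the locally administered bit, and the one giving the src-mac-address=ADDR/MASK rules) can be checked offline before anything is typed into a router. The following Python is an added example written for this thread, not code from any poster or from RouterOS; it assumes the bridge filter compares only the bits kept by the mask (address AND mask == pattern AND mask), which is the usual meaning of an address/mask match. The two vendor-style addresses in the sample list are constructed and not taken from the thread.

```python
# Added example: locally administered bit check plus an emulation of the
# ADDR/MASK matching used by src-mac-address= in a bridge filter rule.
# Assumption: the filter masks both the packet's source MAC and the rule's
# address with MASK and compares the results.

def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' in any letter case."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 (value 0x02) of the first octet is set."""
    return bool(parse_mac(mac)[0] & 0x02)


def local_bit_digits() -> list:
    """Second hex digit values (the 'Y' in xY:xx:...) that carry the local bit."""
    return [d for d in "0123456789ABCDEF" if int(d, 16) & 0x2]


def mac_matches(mac: str, pattern: str, mask: str) -> bool:
    """Emulate src-mac-address=PATTERN/MASK: compare only the masked bits."""
    m, p, k = parse_mac(mac), parse_mac(pattern), parse_mac(mask)
    return all((a & c) == (b & c) for a, b, c in zip(m, p, k))


# The "universal" rule from the thread: 02:00:00:00:00:00/03:00:00:00:00:00.
# Mask 0x03 keeps the I/G (multicast) bit and the local bit of the first
# octet; pattern 0x02 therefore means "locally administered AND unicast".
UNIVERSAL_PATTERN = "02:00:00:00:00:00"
UNIVERSAL_MASK = "03:00:00:00:00:00"


def would_be_dropped(mac: str) -> bool:
    """Decision a drop rule with the universal pattern/mask would take."""
    return mac_matches(mac, UNIVERSAL_PATTERN, UNIVERSAL_MASK)


# Constructed sample of source addresses seen on a bridge port.
SAMPLE_SOURCES = [
    "D6:A5:B6:86:1E:58",  # private address from the opening post's lookup
    "06-61-61-12-db-43",  # address the FF:00:... example rule targets
    "3C:22:FB:01:02:03",  # constructed, globally unique style
    "00:11:22:33:44:55",  # constructed, globally unique style
]


def classify(macs) -> dict:
    """Map each address to what the universal rule would do with it."""
    return {mac: ("drop" if would_be_dropped(mac) else "pass") for mac in macs}


if __name__ == "__main__":
    print("local-bit digits:", local_bit_digits())
    for mac, verdict in classify(SAMPLE_SOURCES).items():
        print(f"{mac}  local={is_locally_administered(mac)!s:5}  {verdict}")
```

Running the block shows that the narrow rule (06:00:00:00:00:00/FF:00:00:00:00:00) only catches addresses whose first octet is exactly 06, while the 02/03 form catches every locally administered unicast address, including the D6:... one from the lookup. Note that of the eight digits listed earlier (2, 3, 6, 7, A, B, E, F), the odd ones are multicast group addresses and never appear as a frame's source, so the universal mask deliberately leaves them alone.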
One way to solve this problem is to use Static-only for the DHCP server. In this case, if users change their MAC address they will not be able to obtain an IP address. This will force them to disable the option in iOS settings. Also this will not work for all users, because some of them will set their IP manually just to try what will happen.
You should use wireless access list instead and authenticate only users with known MAC-addresses.
Or even better: put all known MAC’s to LAN vlan (that have internet access etc.), and all unknown MAC’s to some kind of Guest vlan where they don’t get any address or get a temporary one - to be able to add them quickly to access list if needed.