Kitz Forum

Computers & Hardware => Apple Related => Topic started by: Weaver on April 29, 2021, 12:25:18 AM

Title: Mismatched MAC address
Post by: Weaver on April 29, 2021, 12:25:18 AM
One of my iPads shows a certain value for "wi-fi" MAC address in the relevant iPadOS settings page but when I look at what my router has received from that machine as part of a DHCPv4 query the MAC address recorded by the router doesn’t match that shown on the iPad. The iPad settings value is bogus. The Firebrick DHCPv4 status listing gives the expected IPv4 address for the iPad. If I set up MAC filtering on my WLAN to use the MAC address displayed in the iPad’s settings page then the iPad fails to connect to the WLAN as the MAC address doesn’t match that required by the WAP, and the WAP’s "stations" display lists the truth, concurring with the Firebrick’s idea of what MAC address the iPad is truly sending out.

Why would you display a lie in iPad Settings? I double-checked that this isn’t the MAC address for the wrong NIC - there’s one for the Bluetooth NIC?

I seem to remember something about Apple sending out bogus addresses on the Tube in London for privacy reasons, to prevent evil tracking. How does that work? A bit of googling and I read that there is some on/off setting that is I think per-SSID that can turn off the generation of bogus MAC addresses. I don’t understand that one bit. How is that supposed to work on a WLAN with MAC filtering implemented, as mine is? (And yes, I do know it’s a bogus form of security. That’s not what I’m using it for.) But in any event, would that explain the bogus displayed value in settings?
Title: Re: Mismatched MAC address
Post by: licquorice on April 29, 2021, 08:43:25 AM
Is it due to Apple's wheeze of MAC randomisation introduced in IOS14 https://www.techrepublic.com/article/how-to-manage-or-disable-mac-randomization-in-ios-and-ipados-14/
Title: Re: Mismatched MAC address
Post by: Weaver on April 29, 2021, 11:27:30 AM
iOS 14 has been a nightmare. A new iPad could not be installed on my LAN because I rely on having known predictable MAC addresses. Had to change that completely today - gruesome job reconfiguring my router and WAPs on my birthday. They should have defaulted to the old behaviour during installations and only after installation should they ask you if you want to use this new randomisation feature. I never knew about it - I thought that it was for public WLANs only, like the one in the Tube in London.

I don’t see though why it’s lying in the Settings display about the IPv4 address that it’s currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

The only way I can see to get predictable IPv4 addresses is to set them up manually in Settings, fixed, by hand on every machine, like in the 1970s, rather than using DHCPv4 as I currently do. Currently I have a fixed database of MAC address-to-IPv4 address mappings set up in my router to control DHCPv4 individual assignments, with an alloc-pool of ten (currently) IPv4 addresses for unknown visitor machines. The advantage of using DHCPv4 this way is convenience - central administration of the IPv4 addresses, but it’s also a single point of failure, although nowadays this is not such a big deal as we now also have IPv6 as a totally robust alternative, rock solid in this respect. Getting rid of DHCPv4 removes a security weak link too I suppose, so it’s not all bad. Am I missing something here though? Is it really the right way to go, going to manually-assigned IPv4 addresses?
Title: Re: Mismatched MAC address
Post by: Alex Atkin UK on April 29, 2021, 12:41:54 PM
I don’t see though why it’s lying in the Settings display about the IPv4 address that it’s currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

In Android you just go to the saved network, Advanced and can specify "Use phone MAC" for that SSID. I do think it should ask you before connecting to a new SSID though as it's kinda annoying seeing it show up as an unknown device on my LAN until my monitoring resets at midnight.

What I'm really curious about though is how the random MAC works in the first place. I assume it's not totally random but must be a reserved pool of MACs for this purpose? How does the system avoid conflicting with another device on the network using the same randomising system?
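Alex asks how a randomised MAC is built and how two randomising devices avoid picking the same one, and Weaver earlier describes a router-side table of MAC-to-IPv4 reservations plus a small visitor pool. The Python below is an added example, not code from this thread, from Apple, or from any router vendor. It recognises a randomised address by the IEEE 802 "locally administered" bit (bit 1 of the first octet set, multicast bit clear), which is how Apple's Private Address and Android's randomised MAC present themselves; generates one the way a randomising client might (46 random bits with those two bits forced); gives a birthday-bound estimate of the collision chance; and reconciles a DHCPv4 lease listing against a reservation table so that unknown devices with Private Address switched on stand out from unknown devices with a burned-in address. The lease line format ("ip mac hostname"), hostnames, MAC and IP values are all constructed sample data.

```python
"""Added example: spot randomised (locally administered) MAC addresses in a
DHCPv4 lease list and reconcile the list against a reservation table.
Sample leases and reservations below are constructed, not a real router's output."""
import re
import secrets

MAC_OCTET = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'; return the 6 raw bytes."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(MAC_OCTET.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of octet 0) set: not a vendor-assigned (OUI) address.
    Randomised Wi-Fi addresses have this bit set."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01 of octet 0) set: a group address, never a station's own."""
    return bool(parse_mac(mac)[0] & 0x01)


def random_private_mac() -> str:
    """Build a locally administered unicast address the way a randomising client
    might (assumption: 46 random bits, U/L forced on, I/G forced off)."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def collision_probability(n_devices: int) -> float:
    """Birthday-bound estimate that any two of n independently randomised
    stations on one LAN pick the same address: n(n-1)/2 pairs over 2^46 choices."""
    return n_devices * (n_devices - 1) / 2 / float(2 ** 46)


# Constructed reservation table: MAC -> fixed IPv4 address.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}

# Constructed DHCPv4 lease listing, one "<ip> <mac> <hostname>" per line.
LEASE_LINES = """\
192.168.1.10  00:11:22:33:44:55  weavers-ipad
192.168.1.201 da:a1:19:0c:7e:42  iPad
192.168.1.202 00:aa:bb:cc:dd:ee  guest-laptop
192.168.1.12  00:11:22:33:44:66  kitchen-tv
"""


def classify_leases(lease_text: str, reservations: dict) -> list:
    """Return (ip, mac, hostname, status) per lease. 'unknown-randomised-mac'
    is the iOS 14 Private Address symptom: a device that landed in the visitor
    pool because its over-the-air MAC is not the one in the reservation table."""
    rows = []
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split(maxsplit=2)
        mac = mac.lower()
        if mac in reservations:
            status = "reserved" if reservations[mac] == ip else "reserved-ip-mismatch"
        elif is_locally_administered(mac):
            status = "unknown-randomised-mac"
        else:
            status = "unknown-burned-in-mac"
        rows.append((ip, mac, hostname, status))
    return rows


if __name__ == "__main__":
    for row in classify_leases(LEASE_LINES, RESERVATIONS):
        print("%-14s %-18s %-14s %s" % row)
    print(f"collision chance for 50 randomised clients: {collision_probability(50):.2e}")
```

Because the randomised address is chosen from a 46-bit space, the chance that two devices on the same LAN collide is negligible (for 1000 stations the estimate is below one in a hundred million), which is why no reserved pool or coordination is needed; the practical problem for an admin is the one Weaver hit, a reservation table that no longer matches what the client sends, and the lease classification above makes those clients visible.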
Title: Re: Mismatched MAC address
Post by: digbey on April 29, 2021, 05:00:12 PM
iOS 14 has been a nightmare. .....

I don’t see though why it’s lying in the Settings display about the IPv4 address that it’s currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

To restore the use of the fixed MAC address, turn off private address.

See this article for how this works.

https://support.apple.com/en-us/HT211227
Title: Re: Mismatched MAC address
Post by: meritez on April 29, 2021, 06:31:56 PM
To restore the use of the fixed MAC address, turn off private address.

See this article for how this works.

https://support.apple.com/en-us/HT211227

Nice that you can do that per SSID
Title: Re: Mismatched MAC address
Post by: Weaver on April 29, 2021, 09:19:37 PM
Referring to what digbey said, the worst nightmare is that you cannot connect to the WLAN if you have MAC address filtering in the WAPs, because you have to have completed the iOS installation before you can get into settings to switch the randomisation off. The obvious thing would be to disable the feature during installation. They had the wit to do the right thing during an upgrade installation. Incredible.
Title: Re: Mismatched MAC address
Post by: Alex Atkin UK on April 30, 2021, 12:00:42 AM
As MAC filtering is a false sense of security, I instead use the paranoid approach of having a little monitor next to me that displays all connected clients at all times.  This is one of the reasons IPv6 didn't work for me as I also have traffic monitoring per-client and that doesn't work on IPv6.
Title: Re: Mismatched MAC address
Post by: Weaver on April 30, 2021, 04:13:32 AM
The only reason I used MAC filtering is to prevent my beloved from giving out the sacred SSID password - for the main SSIDs that we use ourselves - to guests, who should be getting only the guest SSID password, for visiting relatives / friends. I am paranoid about dubious machines attacking the LAN infrastructure, such as an attack exploiting DNS and so the guest WLAN is isolated at L2 from everything else such as the main LAN and guests can only access the internet and the router, not other machines in the LAN, be they wired or wireless.

If my dearest were to give out the sacred password then boxes trying to connect would fail because of the MAC filtering, so that’s a way of requiring me to ok every addition to the main SSIDs.

Anyway, due to the pain in the rump that is iOS 14, I will just live without this troublesome MAC filtering feature of mine and make life a bit easier for myself by getting rid of it.
Title: Re: Mismatched MAC address
Post by: benji09 on May 01, 2021, 09:47:07 PM
Weaver, why don't you use the idiot approach and make your proper WiFi password so long and complicated that nobody could possibly remember it, let alone give it out from memory to anyone. Then make your guest network password much shorter and simpler, so that it could be remembered easily? Since you don't have many neighbours to worry about, WiFi security may not be that much of a problem. If your router is like my Netgear one that restricts guests to external internet access only, the security would be even better?
Title: Re: Mismatched MAC address
Post by: Weaver on May 02, 2021, 08:21:07 AM
benji09, already did so my friend, a long time ago. ;-) Great minds. I’m paranoid about malware-infected machines being brought in by guests. I set up what ZyXEL calls L2 isolation which allows me to restrict access only to a nominated list of MAC addresses so the Firebrick router is the only thing guests can touch.
Title: Re: Mismatched MAC address
Post by: benji09 on May 04, 2021, 09:24:34 PM
I understand your security fears. But as I was told many years ago, any encryption can be broken with enough time and computing power. From what I understand, the most vulnerable time was when the encrypted link was being set up. The advice given at the time was that encryption keys be changed very frequently to make things more difficult for intruders. Somebody I know refuses to leave his WiFi on. Uses it only when there is no alternative, and runs the router WiFi at the lowest TX power possible. He does this because he thinks that the WPA2 specs are not very secure. But how far do you go?
Title: Re: Mismatched MAC address
Post by: Alex Atkin UK on May 04, 2021, 11:47:30 PM
Bottom line is MAC filtering is largely pointless, as all clients send their MAC address over the air unencrypted.

If someone has made the effort to crack your WiFi password, I'm pretty sure having to spend a few minutes sniffing for a valid MAC address is not going to faze them.
Title: Re: Mismatched MAC address
Post by: Weaver on May 05, 2021, 05:27:34 AM
Agree with Alex. And I knew this already. As I said, it wasn’t for (this kind of) security, but part of an administrative need. I have no neighbours in earshot, although a new house has gone up next door, some distance away, but my incredibly thick (~2m !) double stone house wall is blocking access in that direction.