Kitz ADSL Broadband Information
Author Topic: Mismatched MAC address  (Read 371 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Mismatched MAC address
« on: April 29, 2021, 12:25:18 AM »

One of my iPads shows a certain value for "wi-fi" MAC address in the relevant iPadOS settings page but when I look at what my router has received from that machine as part of a DHCPv4 query the MAC address recorded by the router doesn't match that shown on the iPad. The iPad settings value is bogus. The Firebrick DHCPv4 status listing gives the expected IPv4 address for the iPad. If I set up MAC filtering on my WLAN to use the MAC address displayed in the iPad's settings page then the iPad fails to connect to the WLAN as the MAC address doesn't match that required by the WAP, and the WAP's "stations" display lists the truth, concurring with the Firebrick's idea of what MAC address the iPad is truly sending out.

Why would you display a lie in iPad Settings? I double-checked that this isn't the MAC address for the wrong NIC - there's one for the Bluetooth NIC?

I seem to remember something about Apple sending out bogus addresses on the Tube in London for Privacy reasons, to prevent evil tracking. How does that work? A bit of googling and I read that there is some on/off setting that is I think per-SSID that can turn off the generation of bogus MAC addresses. I don't understand that one bit. How is that supposed to work on a WLAN with MAC filtering implemented, as mine is? (And yes, I do know it's a bogus form of security. That's not what I'm using it for.) But in any event, would that explain the bogus displayed value in settings?
« Last Edit: April 29, 2021, 12:36:47 AM by Weaver »

licquorice

  • Reg Member
  • ***
  • Posts: 782
Re: Mismatched MAC address
« Reply #1 on: April 29, 2021, 08:43:25 AM »

Is it due to Apple's wheeze of MAC randomisation introduced in iOS 14? https://www.techrepublic.com/article/how-to-manage-or-disable-mac-randomization-in-ios-and-ipados-14/

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Mismatched MAC address
« Reply #2 on: April 29, 2021, 11:27:30 AM »

iOS 14 has been a nightmare. A new iPad could not be installed on my LAN because I rely on having known predictable MAC addresses. Had to change that completely today - gruesome job reconfiguring my router and WAPs on my birthday. They should have defaulted to the old behaviour during installations and only after installation should they ask you if you want to use this new randomisation feature. I never knew about it - I thought that it was for public WLANs only, like the one in the Tube in London.

I don't see though why it's lying in the Settings display about the IPv4 address that it's currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

The only way I can see to get predictable IPv4 addresses is to set them up manually in Settings, fixed, by hand on every machine, like in the 1970s, rather than using DHCPv4 as I currently do. Currently I have a fixed database of MAC address-to-IPv4 address mappings set up in my router to control DHCPv4 individual assignments, with an alloc-pool of ten (currently) IPv4 addresses for unknown visitor machines. The advantage of using DHCPv4 this way is convenience - central administration of the IPv4 addresses, but it's also a single point of failure, although nowadays this is not such a big deal as we now also have IPv6 as a totally robust alternative, rock solid in this respect. Getting rid of DHCPv4 removes a security weak link too I suppose, so it's not all bad. Am I missing something here though? Is it really the right way to go, going to manually-assigned IPv4 addresses?
« Last Edit: April 29, 2021, 11:31:52 AM by Weaver »

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 2375
    • Broadband History, Thinkbroadband Quality Monitors & Zen Referral Link
Re: Mismatched MAC address
« Reply #3 on: April 29, 2021, 12:41:54 PM »

Quote from: Weaver
I don't see though why it's lying in the Settings display about the IPv4 address that it's currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

In Android you just go to the saved network, Advanced and can specify "Use phone MAC" for that SSID. I do think it should ask you before connecting to a new SSID though as it's kinda annoying seeing it show up as an unknown device on my LAN until my monitoring resets at midnight.

What I'm really curious about though is how the random MAC works in the first place. I assume it's not totally random but must be a reserved pool of MACs for this purpose? How does the system avoid conflicting with another device on the network using the same randomising system?
INTAKE (ECI) 2x Home Hub 5A OpenWrt:  1x Zen,1x Plusnet Huawei B535-232: Voxi 4G Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD + Honor Router 3
Ping Quality Monitors & Zen Referral
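
Added example, not part of the original thread: on the question of how the random MAC is chosen, private Wi-Fi addresses are not drawn from a vendor pool; they are unicast addresses with the IEEE "locally administered" bit set in the first octet (second hex digit 2, 6, A or E), with the remaining bits chosen by the device. The Python sketch below uses that bit to sort a router's DHCP lease list against a static MAC-to-IPv4 table; the lease format, the table and every address in it are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread): the router's static
# MAC-to-IPv4 table and the leases it has actually handed out.
STATIC_MAP = {"3c:22:fb:10:20:30": "192.168.1.20"}
LEASES = """\
192.168.1.20  3C-22-FB-10-20-30  ipad-old
192.168.1.101 a6:5e:60:12:34:56  ipad-new
192.168.1.102 f2:0d:11:aa:bb:cc  visitor-phone
192.168.1.103 00:1b:21:0a:0b:0c  visitor-laptop
"""

def normalise_mac(text):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_private_style(mac):
    """True for a unicast address with the locally administered bit set."""
    first = int(normalise_mac(mac)[:2], 16)
    multicast = first & 0x01   # I/G bit: 1 = group (multicast) address
    local = first & 0x02       # U/L bit: 1 = locally administered
    return bool(local) and not multicast

def classify_leases(lease_text, static_map):
    """Label each lease as known, private-address or unknown-hardware."""
    known = {normalise_mac(m) for m in static_map}
    report = []
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        ip, mac, name = line.split()
        mac = normalise_mac(mac)
        if mac in known:
            verdict = "known"
        elif is_private_style(mac):
            # Likely a per-SSID private address: the static entry will
            # only match once the device presents its hardware MAC.
            verdict = "private-address"
        else:
            verdict = "unknown-hardware"
        report.append((ip, mac, name, verdict))
    return report

if __name__ == "__main__":
    for row in classify_leases(LEASES, STATIC_MAP):
        print(*row)
```

A lease marked private-address with a familiar hostname is the pattern described in this thread: a known device that has fallen through to the visitor pool because its static mapping is keyed on the hardware MAC.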

digbey

  • Member
  • **
  • Posts: 44
Re: Mismatched MAC address
« Reply #4 on: April 29, 2021, 05:00:12 PM »

Quote from: Weaver
iOS 14 has been a nightmare. .....
I don't see though why it's lying in the Settings display about the IPv4 address that it's currently using. That was what was confusing me, that and not knowing about this horrible iOS 14 feature.

To restore the use of the fixed MAC address, turn off private address.

See this article for how this works.

https://support.apple.com/en-us/HT211227

meritez

  • Reg Member
  • ***
  • Posts: 415
Re: Mismatched MAC address
« Reply #5 on: April 29, 2021, 06:31:56 PM »

Quote from: digbey
To restore the use of the fixed MAC address, turn off private address.
See this article for how this works.
https://support.apple.com/en-us/HT211227

Nice that you can do that per SSID

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Mismatched MAC address
« Reply #6 on: April 29, 2021, 09:19:37 PM »

Referring to what digbey said, the worst nightmare is that you cannot connect to the WLAN if you have MAC address filtering in the WAPs, because you have to have completed the iOS installation before you can get into settings to switch the randomisation off. The obvious thing would be to disable the feature during installation. They had the wit to do the right thing during an upgrade installation. Incredible.

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 2375
    • Broadband History, Thinkbroadband Quality Monitors & Zen Referral Link
Re: Mismatched MAC address
« Reply #7 on: April 30, 2021, 12:00:42 AM »

As MAC filtering is a false sense of security, I instead use the paranoid approach of having a little monitor next to me that displays all connected clients at all times.  This is one of the reasons IPv6 didn't work for me as I also have traffic monitoring per-client and that doesn't work on IPv6.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Mismatched MAC address
« Reply #8 on: April 30, 2021, 04:13:32 AM »

The only reason I used MAC filtering is to prevent my beloved from giving out the sacred SSID password - for the main SSIDs that we use ourselves - to guests, who should be getting only the guest SSID password, for visiting relatives / friends. I am paranoid about dubious machines attacking the LAN infrastructure, such as an attack exploiting DNS and so the guest WLAN is isolated at L2 from everything else such as the main LAN and guests can only access the internet and the router, not other machines in the LAN, be they wired or wireless.

If my dearest were to give out the sacred password then boxes trying to connect would fail because of the MAC filtering, so that's a way of requiring me to ok every addition to the main SSIDs.

Anyway, due to the pain in the rump that is iOS 14, I will just live without this troublesome MAC filtering feature of mine and make life a bit easier for myself by getting rid of it.

benji09

  • Reg Member
  • ***
  • Posts: 140
Re: Mismatched MAC address
« Reply #9 on: May 01, 2021, 09:47:07 PM »

Weaver, why don't you use the idiot approach and make your proper WiFi password so long and complicated that nobody could possibly remember it, let alone give it out from memory to anyone. Then make your guest network password much shorter and simpler, so that it could be remembered easily? Since you don't have many neighbours to worry about, WiFi security may not be that much of a problem. If your router is like my Netgear one that restricts guests to external internet access only, the security would be even better?

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Mismatched MAC address
« Reply #10 on: May 02, 2021, 08:21:07 AM »

benji09 Already did so my friend, a long time ago. ;-) Great minds. I'm paranoid about malware-infected machines being brought in by guests. I set up what ZyXEL calls L2 isolation which allows me to restrict access only to a nominated list of MAC addresses so the Firebrick router is the only thing guests can touch.
« Last Edit: May 02, 2021, 08:44:37 AM by Weaver »

benji09

  • Reg Member
  • ***
  • Posts: 140
Re: Mismatched MAC address
« Reply #11 on: May 04, 2021, 09:24:34 PM »


  I understand your security fears. But as I was told many years ago, any encryption can be broken with enough time and computing power.  From what I understand, the most vulnerable time was when the encrypted link was being set up. The advice given at the time was that encryption keys be changed very frequently to make things more difficult for intruders. Somebody I know, refuses to leave his WiFi on. Uses it only when there is no alternative, and runs the router WiFi at the lowest TX power possible. He does this because he thinks that the WPA2 specs are not very secure. But how far do you go?

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 2375
    • Broadband History, Thinkbroadband Quality Monitors & Zen Referral Link
Re: Mismatched MAC address
« Reply #12 on: May 04, 2021, 11:47:30 PM »

Bottom line is MAC filtering is largely pointless, as all clients send their MAC address over the air unencrypted.

If someone has made the effort to crack your WiFi password, I'm pretty sure having to spend a few minutes sniffing for a valid MAC address is not going to faze them.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9824
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Mismatched MAC address
« Reply #13 on: May 05, 2021, 05:27:34 AM »

Agree with Alex. And I knew this already. As I said, it wasn't for (this kind of) security, but part of an administrative need. I have no neighbours in earshot, although a new house has gone up next door, some distance away, but my incredibly thick (~2m !) double stone house wall is blocking access in that direction.