MAC Cloning / Filtering Issue

Discussion in 'Tomato Firmware' started by aceton, Aug 15, 2014.

  1. aceton

    Hi all,
    I have a special issue, and I would like to know how to handle it or how to get rid of it:

    In my LAN I have a WRT 54 GL with Tomato 1.27. I have activated the MAC filter, and only known MAC addresses are allowed for LAN and WiFi.

    Now my neighbour provided me a MAC address that should be his notebook, for the LAN connector.

    What I did not know until today was that this MAC was not his notebook, but another WiFi AP or WRT 54g.
    So he uses the copy/clone MAC function to imitate the MAC that was supposed to be his notebook, and so he set up an access point with the MAC of his router, and with that he was able to use any device with WiFi and cable LAN via HIS router to enter my internet.

    How can I prevent this? What can I do in my router to make sure that the provided and entered MAC address (filter in my router) is his notebook and not his router?

    Are there any ideas to solve this issue?

    My goal is to give him one LAN Port, where he can connect his notebook, and just this one.

    Thank you for any ideas or hints where I could search for further ideas.

  2. Grimson

    You can't.

    Even if you could restrict the connection to only his notebook he could simply turn on internet connection sharing in windows, and use his notebook to share the connection with more devices.
  3. Siff

    +1: You can't - even if he brings the laptop and you verify that he gave you his laptop's MAC address, he can either clone it on his router or he can share the connection as described above and again connect all his stuff... :(

    What you can do is to limit his bandwidth, so his traffic will not harm yours. BTW, make sure that whatever access he has, he will have it through a separate, isolated VLAN, so he is not able to see your devices!

    Hope this helps.

    [Edit]: BTW, why are you using MAC filtering at all? It was touted as one of the ways to secure a WiFi network, but in reality it is very easy to sniff one (or all) of the "allowed" MAC addresses and use one of them to connect...
    Last edited: Aug 15, 2014
  4. aceton

    Oh ok, thank you very much for your answers... I have to admit, I was not aware of those facts (sniffing, etc.).

    So there is no way to prevent a connected router or AP from cloning a MAC? :-(

    Isn't there another way to restrict the neighbour's device to use my gateway and restrict it to exactly this device or certain devices? Other ways than MAC filters or so? Or it could also be helpful not to 100% secure or avoid the cloning, but to make it harder for him to use a router or AP at the end of the other line.

    My aim is to prevent him, in the long term, from sharing my connection via his router with others. When he is sharing the connection via Windows Internet Connection Sharing, this will be OK for me, because it will only be practicable for himself and his devices, not for further devices of other neighbours or their guests. Otherwise he has to leave his device on 24/7 and he won't do that.

    The idea with the isolated VLAN sounds quite interesting... for further issues in my LAN... so I am thinking about separating the WiFi access for my guests from my entire network. What do I have to look up? Just "VLAN"? Or any other keywords in addition? I would appreciate helpful hints for that. I did not find any settings in the Tomato firmware for VLAN... Does anybody know good sources for tutorials or how-tos for this issue, where I can get more information about that and see how it has to be set up?
  5. Grimson

    It's all in here:


    You could use super glue to glue the network cable into his laptop ;). This can only be solved on a social basis: talk to him, and either he is trustworthy and stops sharing the connection or he won't get a connection at all.
    Last edited: Aug 16, 2014
  6. aceton

    Thank you very much Grimson for your help. "Superglue" is a charming idea :) will think about that :)

    No, thank you for the great link. I just scrolled through it and I think I will find my answers there. Great!

    So, thank you all for the answers and have a nice weekend!
  7. Siff

    You can limit the number of hops to the same subnet (i.e. set the TTL to 1), but there are easy workarounds to this as well.

    He can share his Windows connection with others as well...

    Anyway, as Grimson suggested, the best way to resolve this issue is on a social basis. Think of what issues your neighbour is causing you by sharing the connection (hogs it, consumes too much data, etc.) and talk with him. At the end of the day he is using your connection and it is only polite to comply with the rules you set. If he doesn't, you can either set the appropriate limits on the VLAN he is using or cut "the cord" completely.

    Hope this helps.
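
Added example, not part of the thread and not any poster's code: the TTL idea above can also be turned around for detection, because traffic forwarded by a downstream router arrives with a decremented TTL while a directly attached host sends its full initial TTL. The function names, the allow list and the sample observations are constructed for illustration; real input would come from a capture on the router's LAN side.

```python
from collections import defaultdict

# Initial TTLs used by common network stacks (Linux/macOS 64, Windows 128, some gear 255).
INITIAL_TTLS = (64, 128, 255)

def initial_ttl(ttl):
    """Nearest common initial TTL at or above the observed value."""
    return min(t for t in INITIAL_TTLS if t >= ttl)

def find_shared_ports(observations, allowed_macs):
    """observations: (src_mac, ttl) pairs captured on the router's LAN side.
    Returns {mac: [reasons]} for sources that do not look like one directly attached host."""
    allowed = {m.lower() for m in allowed_macs}
    seen = defaultdict(set)
    for mac, ttl in observations:
        seen[mac.lower()].add(ttl)
    findings = {}
    for mac, ttls in seen.items():
        reasons = []
        if mac not in allowed:
            reasons.append("MAC not in filter list")
        # A directly attached host sends with its full initial TTL; anything lower
        # was forwarded by at least one hop (router, AP in router mode, ICS) first.
        if any(initial_ttl(t) - t > 0 for t in ttls):
            reasons.append("forwarded traffic (TTL decremented)")
        # One host normally has one stack; several initial TTLs suggest several devices.
        if len({initial_ttl(t) for t in ttls}) > 1:
            reasons.append("multiple initial TTLs")
        if reasons:
            findings[mac] = reasons
    return findings

# Constructed sample data (locally administered MACs, not from the thread).
ALLOWED = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
SAMPLE = [
    ("02:00:00:00:00:01", 64), ("02:00:00:00:00:01", 64),   # own notebook
    ("02:00:00:00:00:02", 64),                               # router's own traffic
    ("02:00:00:00:00:02", 63), ("02:00:00:00:00:02", 127),  # clients behind it
]

if __name__ == "__main__":
    for mac, reasons in find_shared_ports(SAMPLE, ALLOWED).items():
        print(mac, "->", "; ".join(reasons))
```

This is a heuristic only: as the post above says of the TTL approach, there are easy workarounds, so a clean result does not prove a single device is attached.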
  8. Toastman

    Access restriction by MAC address works with 99.99% of people, because few have the knowledge to get around it. We tend to forget that. However ... there really is no way to stop genuinely knowledgeable persons from using your network if they are determined enough. Anything you try can be circumvented eventually. In my experience you are wasting your time trying to appease him, just cut him off completely if you can :rolleyes: Anything else, he will take as a personal challenge. Get firm, after all, he is basically a liar and a cheat.

    Knocking his teeth out might help.
