Many home internet users are familiar with the situation of unauthorized devices connecting to your wireless network. You notice a drop in speed or sudden connection interruptions, even though your data plan allows for comfortable use. This is often caused by neighbors who, with knowledge of the password, are illegally using your connection.
The most effective method of protection in this case is MAC address filteringThis unique identifier is assigned to the network adapter of each device at the factory and allows the router to unmistakably distinguish your smartphone or laptop from hackers' devices. Unlike a password, which can be guessed or intercepted, a hardware address is much more difficult to forge.
In this article, we'll take a detailed look at how to configure whitelists and blacklists in your router interface. You'll learn how to find the physical addresses of your devices, block unwanted users, and create reliable security for your local network. MAC address filtering operates at the data link layer protocol level, making it effective even if your Wi-Fi password is known to outsiders.
Understanding How MAC Filtering Works
Every network device, whether it is Android smartphone, laptop with Windows A smart plug, or smart plug, has a unique 48-bit identifier. This code tells the router who to send data to. Filtering is based on comparing the incoming device's address with a list of allowed or blocked addresses stored in the router's memory.
There are two main modes of operation for this feature. The first is the "Blacklist" mode, which allows access to everyone except those on the block list. The second is the "Whitelist" mode, which is more restrictive and secure. In this case, Only devices whose addresses are included in the permissions table have access to the network, and all the rest are ignored by the router.
Using whitelists requires more time for initial setup, as you'll have to manually enter each new user's details. However, it ensures that even if someone learns your Wi-Fi password, they won't be able to connect without physical access to your computer to add it to the trusted list.
It is worth noting that modern operating systems such as iOS And AndroidBy default, most routers use the "Private Wi-Fi Address" or "MAC Randomization" feature. This means the device can generate a random address each time it connects to a new network to protect your privacy. In this case, you'll need to either disable this feature on your home network device or enter a new random address in the router settings each time.
⚠️ Caution: When enabling Whitelist mode, you may lose access to your router settings if you don't add your computer or phone's MAC address beforehand. Always add the current device to the whitelist before activating filtering.
How to find the MAC address of devices on the network
The first step before setting up your router is to gather information about legitimate devices. You need to find out the physical addresses of all devices that need internet access. The easiest way to do this is through the router's web interface, which displays all active connections.
Log into your router's admin panel, usually accessible at 192.168.0.1 or 192.168.1.1. Find the section that may be called Status, Network map or Client list (Client List). There will be a table with connected devices, their IP addresses, and MAC addresses. Copy your device addresses into a notepad.
If your router doesn't display the required information or you want to check the address of a specific device directly, you can use the built-in operating system tools. Below are the commands and paths for the main platforms:
- 📱 Android: Go to
Settings → About phone → General informationor in the Wi-Fi connection properties. - 🍎 iOS (iPhone/iPad):
Settings → General → About(Note that Wi-Fi may use a private address). - 💻 Windows: Open command prompt and enter the command
ipconfig /all, then find the line "Physical Address". - 🖥️ macOS: Go to
System Preferences → Network → Wi-Fi → Advancedand look at the "Wi-Fi address" field.
Write down the received 12-digit codes (format XX:XX:XX:XX:XX:XX). Be careful when entering the data into the router: although case-insensitive (AF or af) is usually irrelevant, it's important to ensure you don't mistype a single digit, otherwise the device will be denied access.
Setting up filtering on TP-Link routers
Router interfaces TP-Link These settings may vary depending on the firmware version and year of manufacture of the device. Newer models with a blue interface have the same setup logic, but the item names may vary. Older models with a green interface require a slightly different approach.
To get started, log in to the web interface. Find the section in the left-hand menu or in the top tab. Wireless mode (Wireless). Inside you are interested in the subsection MAC address filtering (Wireless MAC Filtering). This feature is usually disabled by default.
Click the button Add (Add New). In the window that opens, enter the device's MAC address copied earlier. In the Description field, enter a descriptive name, such as "Ivan's Laptop" or "Samsung TV." Make sure the Status is set to Included (Enabled).
After adding all trusted devices, you need to select a filtering rule. These are usually radio buttons at the bottom of the page:
- 🔴 Prohibit: The devices specified in the list are denied access (the rest are allowed).
- 🟢 Allow: Only devices specified in the list are allowed access (others are prohibited).
Select the "Allow" option for maximum protection. Then click the button Turn on (Enable) in the main filtering menu and save the settings with the button Save (Save). The router may reboot or lose connection for a short time.
☑️ Checking TP-Link settings
Instructions for D-Link and Asus routers
Routers D-Link And Asus also have powerful network security tools, but they are located in different parts of the menu. In devices D-Link (especially in the DIR series) the tab is often used Wi-Fi -> MAC filter.
In the D-Link interface, you'll see a list of rules. Click "Add," enter the address, and select an action. Important: in some older D-Link firmware versions, you must first create a rule, then in the "Settings" tab (or at the top of the page), check "Enable MAC filter" and select "Allow only those listed."
At routers Asus With AsusWRT firmware the path looks like this: Wireless network (Wireless) -> tab MAC address filter (MAC Filter). The interface here is more intuitive. You select "Accept" or "Reject." The list of devices can often be populated simply by selecting them from the list of currently connected clients, which is very convenient.
In routers Asus The "Wireless Client List" feature is also available, allowing you to add a device to the filter with one click by simply clicking the corresponding button next to the device name. This eliminates the need to manually enter long hexadecimal codes and reduces the risk of error.
After setting up, don't forget to press the button Apply (Apply) or OKIf you've configured a whitelist but forgot to add the current device, it will be disconnected from the network. In this case, the only solution is to reset the router using the Reset button or connect via LAN cable if cable filtering isn't enabled.
What to do if you've blocked yourself?
If you enabled the "Whitelist" and haven't added your computer, Wi-Fi will stop working. Connect to the router via an Ethernet cable (LAN), go to the settings, and disable filtering or add your MAC address. If you don't have a cable connection, you'll need to perform a full reset of the router using the button on the device.
Comparison of wireless network security methods
MAC address filtering isn't the only security method. Users often rely solely on complex WPA2/WPA3 passwords. However, a combination of methods provides the best results. Let's compare the effectiveness of different security approaches.
| Method of protection | Security level | Ease of use | Difficulty of bypassing |
|---|---|---|---|
| Hidden SSID | Short | Low (manual name entry) | Very easy (traffic scanning) |
| WPA2/WPA3 password | Medium/High | High (automatic) | Difficult (requires brute force or sniffing) |
| MAC filtering | High (in combination) | Average (new devices need to be added) | Average (requires address cloning) |
| Guest network | High | High | High (segment isolation) |
As the table shows, relying on just one method isn't a good idea. Hiding the network name (SSID) only provides an illusion of security, as professional scanners easily detect such networks. A password is a basic defense, but it can be cracked with weak combinations.
MAC filtering This serves as an excellent additional barrier. Even if a hacker intercepts the password, they would have to clone the MAC address of the trusted device, which requires more technical knowledge and specialized software. However, this method does not protect data within the network from interception unless encryption is used.
For maximum security, it is recommended to use a combination of a complex WPA3 password, MAC filtering, and disabling WPS. Creating a separate Guest network for visitors, which is isolated from your main local network with personal data.
Common problems and solutions
Users may encounter a number of difficulties when setting up filtering. The most common issue is that the device won't connect, even though the address is correctly whitelisted. This is often due to the MAC address randomization feature in modern smartphones.
If you have iPhone or fresh Android, go to the Wi-Fi settings on your phone, click the information icon (i) or the gear next to your network and find the "Private Wi-Fi Address" option. You need to turn off for your home network, so that your phone uses its real physical address, which you entered into the router.
Another problem is changing the address after updating drivers or the system. In rare cases, the network adapter may generate a new address. It's also worth remembering that the MAC addresses for Wi-Fi and Ethernet (LAN) are always different for the same device. You need to enter the address for the wireless module.
⚠️ Note: Router interfaces are constantly updated by manufacturers. The location of menu items may differ from that described in the instructions. Look for sections labeled "Wireless," "MAC Filter," "Access Control," or "Network Security."
If you use the function WPS For a quick connection, it may conflict with or bypass MAC filtering. It is recommended to completely disable WPS in your wireless network settings, as this protocol is considered vulnerable.
Is it possible to bypass MAC filter?
Theoretically, yes. An attacker could eavesdrop on the air, see the MAC address of an authorized device (when its owner is connected), and clone it using their adapter. However, this requires time and skill, making the attack impractical for simply stealing a neighbor's internet connection.
FAQ: Frequently Asked Questions
Will the MAC address filter be reset when I reset my router?
Yes, a full factory reset will erase all user configurations, including lists of allowed and blocked addresses. The default filter will be disabled.
Does MAC filtering affect internet speed?
No, device address verification occurs at the connection level and takes microseconds. This process has no impact on channel throughput or download speed.
What to do if a friend comes to visit with his phone?
You'll need to either temporarily disable filtering or (more effectively) find your friend's phone's MAC address in the router's client list and whitelist it. After they leave, you can remove the device from the list or leave it if they're a frequent visitor.
Is it possible to filter devices by name instead of address?
No, device names (Hostname) are often changed by users or can be standard (for example, "Android-123"). The MAC address is the truly unique and unchangeable (programmatically) identifier.