Restricting access to your home or office Wi-Fi network isn't just a security issue, it's also a way to control internet usage. Unauthorized devices can slow down your speed, consume bandwidth, or even pose a threat to your confidential data. In this article, we'll cover all the current methods for restricting access, from basic (network hiding) to advanced (filtering by MAC addresses and setup VLAN).
It's important to understand that there's no one-size-fits-all solution: for an apartment with two or three devices, a simple password will suffice, while an office with 50 employees will require a combination of methods. We'll look at options for routers from different brands— TP-Link, ASUS, Keenetic and others, and we'll also explain how to avoid common setup errors. If you're unsure, bookmark this article: it'll come in handy if you upgrade your router or if new threats emerge.
1. Basic methods: password and hiding SSID
The easiest way to restrict access is to set a strong password. However, many users still use standard combinations like admin or 12345678, which can be hacked in seconds. The optimal Wi-Fi password:
- 🔐 Length not less than 12 characters (preferably 16+)
- 📛 A combination of letters (upper and lower case), numbers, and special characters
- 🚫 No personal information (date of birth, pet name)
- 🔄 Regular change (every 3-6 months)
To change your password, go to the router's web interface (usually at 192.168.0.1 or 192.168.1.1>) and find the section Wireless Network (Wi-Fi) → Security SettingsSelect the encryption type. WPA3-Personal (or WPA2-PSK(if WPA3 is not supported) and enter a new password.
The second basic method is hiding the network name (SSID)In this case, your Wi-Fi won't appear in the list of available networks, and you can only connect to it manually if you know the exact name. However, this method doesn't provide 100% protection: experienced users can detect the hidden network using specialized programs (e.g., Wireshark or Acrylic Wi-Fi).
📊 What type of encryption does your Wi-Fi use?WPA3WPA2WPAWEPDon't know
⚠️ Attention: Hiding the SSID may cause connection issues with some devices (such as smart speakers or IoT gadgets). Check compatibility before setting up.
2. MAC address filtering: pros and cons
MAC address — is a unique identifier for a network device, assigned during manufacturing. MAC filtering allows only specific devices to access the network while blocking all others. This method is effective against random connections, but has limitations:
Advantages
Flaws
High locking accuracy
MAC addresses can be spoofed (spoofing)
Does not require additional software
It's inconvenient to add new devices
Works on all routers
Does not protect against evil twin attacks
To set up filtering, follow these steps (using the example TP-Link):
- Go to
Advanced Settings → Wireless Mode → MAC Filter.
- Turn on filtering and select the mode "Allow" (only the specified MAC addresses will be able to connect).
- Add the MAC addresses of your devices. You can find them in the network settings on each device or using the command
ipconfig /all (Windows) / ifconfig (macOS/Linux).
- Save the settings and reboot the router.
On ASUS the path will be different: Wireless Network → MAC Filter → EnableOn . Keenetic — Home Network → Segments → Wireless Network → Access Rules.
How to bypass MAC filtering?
An attacker can intercept the traffic of a legitimate device, find out its MAC address and replace it on his device using utilities like Technitium MAC Address Changer (Windows) or ifconfig (Linux/macOS).
3. Guest Network: Isolation without Blocking
If you need to provide Wi-Fi access to guests but limit their capabilities (for example, prohibit access to local resources or limit the speed), set up guest networkThis is a separate network with its own name (SSID) and password, isolated from the main one.
Benefits of a guest network:
- 🔒 Isolation from the main network (guests won't see your shared folders or printers)
- 📶 Ability to limit speed or access time
- 🔄 Easy to disable without changing the main settings
Setting up on TP-Link:
- Go to
Guest network (in the section Wireless mode).
- Enable the guest network and set a name (eg.
Guest_WiFi).
- Set a password (preferably different from the main one).
- In the section
Isolation of clients Enable the option to prevent guests from seeing each other.
- Limit speed (optional)
Bandwidth control) or working hours (Schedule).
On Keenetic The guest network is configured in the section Home Network → Segments → Guest NetworkHere you can also link the guest network to a separate VLAN, if your router supports this feature.
4. Parental controls: time and content restrictions
Parental controls allow you to restrict internet access for specific devices based on a schedule or block specific websites (social media, games, 18+ content). This feature is useful not only for families with children but also for offices that need to limit access to entertainment resources during work hours.
On routers TP-Link Parental controls are configured as follows:
- Go to
Additional settings → Parental controls.
- Add a device by MAC address or IP.
- Set a schedule (for example, blocking from 10:00 PM to 7:00 AM).
- If necessary, add prohibited sites (for example,
vk.com, twitch.tv).
On ASUS The functionality is broader: in the section Adaptive QoS → Parental Control You can not only block websites but also limit the speed for individual devices. For example, you can limit a child's bandwidth to 5 Mbps so they don't clog up their connection with online games.
For advanced users: some routers (eg. Keenetic or MikroTik) support integration with OpenDNS or CleanBrowsing — services that filter content at the DNS level. This allows you to block entire categories of websites (gambling, torrents, adult content) without manually adding each URL.
Find the MAC address of the target device|Create a scheduled blocking rule|Test the operation on a test site|Save settings and reboot the router-->
5. Advanced Methods: VLAN and Radius Server
For offices or large networks, basic methods are not enough. The following will come in handy:
- 🌐 VLAN (Virtual LAN) — dividing the network into virtual segments. For example, you can create separate VLANs for the accounting department, sales department, and guests, limiting communication between them.
- 🔑 Radius server — centralized authentication of users by login/password (for example, through FreeRADIUS). Suitable for companies with a large number of employees.
- 📡 802.1X — certificate authentication protocol (used in corporate networks).
Setting up VLAN using an example MikroTik:
/interface vlan
add interface=bridge name=vlan_guests vlan-id=10
/ip address
add address=192.168.10.1/24 interface=vlan_guests
Then in the Wi-Fi settings, link the guest network to vlan_guests.
For Radius servers a separate server will be required (can be deployed on Raspberry Pi) with installed FreeRADIUSOn the router you need to specify the server IP, port (usually 1812) and a secret key. When connecting to Wi-Fi, users will see a login/password entry window.
⚠️ Attention: Configuring VLANs and Radius requires extensive networking knowledge. Mistakes can lead to complete loss of network access. These methods are overkill for home use.
6. Additional measures: monitoring and blocking suspicious devices
Even after setting up all the restrictions, it's a good idea to periodically check which devices are connected to your network. Many routers display a list of clients in the "Clients" section. Wireless Mode → Statistics or DHCP clients.
If you find an unfamiliar device:
- Check its MAC address through services like MAC Vendors (shows the manufacturer by the first 6 characters).
- If the device is suspicious, add its MAC to the blacklist (section
MAC Filter → Block).
- Change your Wi-Fi password and reboot your router.
For automatic monitoring you can use the following programs:
- 🖥️ Wireless Network Watcher (Windows) - Scans the network and notifies you of new devices.
- 📱 Fing (iOS/Android) — shows all connected gadgets and their characteristics.
- 🌐 GlassWire — monitors traffic and identifies suspicious activity.
7. Common mistakes and how to avoid them
When restricting Wi-Fi access, users often make mistakes that can ruin all their efforts. Here are the most common ones:
Error
Consequences
How to fix
Using WEP encryption
The network is hacked in minutes
Switch to WPA3 or WPA2-AES
The password is too short
Brute-force password cracking
Set a password of 16+ characters
Lack of firmware updates
Router security vulnerabilities
Enable automatic updates
Using the standard admin login/password
An attacker can change the settings
Change your router login details
Another common problem is IP address conflictIf there are two devices on the network with the same IP, this may lead to a connection break. To avoid this, enable DHCP server on the router and make sure that all devices receive an IP automatically.
Critical error: many users forget to disable WPS (Wi-Fi Protected Setup). This feature simplifies connecting devices using a PIN code, but it has critical vulnerabilities. Disable WPS in your router settings (Wireless Network → WPS → Disable).
Frequently Asked Questions
Is it possible to limit the internet speed for a specific device?
Yes, this can be done through QoS (Quality of Service) or Bandwidth control in the router settings. ASUS this is called Adaptive QoS, on TP-Link — Bandwidth controlEnter the MAC address of the device and set the speed limit (for example, 5 Mbps).
How to block access to certain websites?
There are several ways:
- Through parental control in the router (add URL to the blacklist).
- Change
DNS server on OpenDNS or CleanBrowsing and set up filtering in their control panel.
- Use file
hosts on individual devices (for example, register 127.0.0.1 vk.com to block VKontakte).
What should I do if my neighbor hacked my Wi-Fi?
First, confirm the hack: check the list of connected devices in the router settings. If you find someone else's MAC address:
- Change your Wi-Fi password to a more complex one immediately.
- Enable MAC address filtering.
- Update your router firmware.
- If the hacking happens again, change it Wi-Fi channel (in wireless network settings) and turn it off
WPS.
As a last resort, reset the router to factory settings (button Reset on the back panel) and set it up again.
Is it possible to limit Wi-Fi access by time without parental controls?
Yes, many routers allow you to configure Wi-Fi operating scheduleFor example, on TP-Link this is done in the section Wireless Mode → ScheduleYou can specify days and hours when the network will be disabled (for example, from 00:00 to 6:00). This method blocks access for all devices, and not selectively.
How do I know who is connected to my Wi-Fi?
Verification methods:
- Via the router's web interface (section
DHCP clients or Wireless Network → Statistics).
- Using mobile applications: Fing (scans the network), WiFi Analyzer.
- Through the team
arp -a V Command line (Windows) or Terminal (macOS/Linux).
If you find an unfamiliar device, compare its MAC address with the manufacturer's database (for example, on the website MAC Vendors).