Many router owners face situations where they need to restrict access to their local network. This could be due to password theft, the desire to limit children's internet access at certain times, or the need to block a neighbor's device if they've cracked their encryption keys. Keenetic A flexible connection management mechanism has been implemented, which allows you to instantly terminate the connection with any client.
Unlike simple router models, which often require a complete password change and reconnection of all gadgets, solutions Zyxel Keenetic offer a more elegant solution. You can selectively block specific devices while leaving the network accessible to other users. This is achieved using blacklisting and hardware address filtering.
The access restriction procedure does not require in-depth knowledge of network protocols. The operating system interface KeeneticOS It's intuitive and allows you to complete the necessary steps in just a few minutes. All you need is access to the router's admin panel and an understanding of which device needs to be isolated from the network.
Identifying the device to be blocked
Before setting up restrictions, you need to determine exactly which device you want to disable. The router's client list can display dozens of devices, and it's important not to accidentally block your own smartphone or laptop. The first step is to log in to the router's web management interface.
Open your browser and enter in the address bar my.keenetic.net or the gateway IP address, usually it is 192.168.1.1After logging in, go to the system's main page. This displays a network diagram and a list of all active connections. Find the suspicious or target device in the list by name or MAC address.
If the device name is unreadable (for example, android-1234abcd), use a list of trusted devices to eliminate the intruder. You can also temporarily disable WiFi on your devices and see which connection disappears from the list of active ones. Accurate identification is critical for proper security settings.
- 📱 Check the list of connected clients on the web configurator's main page.
- 🔍 Compare the MAC addresses in the list with the labels on the physical devices.
- 📡 Make sure that the device is connected via WiFi and not via a LAN cable.
Modern router models Keenetic (series Giga, Peak, Ultra) allow you to assign persistent names to devices directly in the interface, simplifying future management. If you're seeing a device for the first time, you can name it "Unknown Device" for tracking in logs.
Setting up a MAC address blacklist
The most reliable way to permanently disconnect a device from WiFi is to use a MAC address blacklist. This method operates at the data link layer of the OSI model, making it effective regardless of the encryption type used or the client's IP address. The router simply ignores connection requests from devices whose addresses are on the blacklist.
To activate this feature, go to the menu My Networks and WiFi and select the sub-item Access lists (or MAC filter (in older firmware versions). Here you need to switch the filtering mode to the position Ban (Blacklist). In this mode, the router will allow access to everyone except those specified in the list.
However, for a one-time blocking it is more convenient to use the mode Allow (Whitelist) with inverted logic or simply add the address to the blacklist, if such an option is highlighted separately in your version KeeneticOSIn current interfaces, simply find the device in the client list and click the "Block" button or the block icon.
☑️ MAC filter blocking algorithm
Once an address is blacklisted, the connection to the device will be immediately terminated. Even if the user knows the correct WiFi password, the router Keenetic will reject the association attempt. This is the most effective method of combating "freeloaders" and unauthorized access.
⚠️ Warning: MAC addresses can be spoofed (cloned). If you suspect an advanced user who can clone the address of your trusted device, blocking the MAC address alone will not be enough—you will need to change the WiFi password.
Using a guest network for isolation
An alternative and often more convenient way to restrict access is to set up a guest network. Instead of blocking a specific device, you can redirect all new or suspicious connections to a separate virtual interface with limited permissions. This is especially useful for apartments where guests frequently visit.
In routers Keenetic The guest network is configured in the section My Networks and WiFi → Guest networkActivate this network segment, assign it a separate name (SSID) and, optionally, a separate password. The main advantage here is the ability to isolate guests from your main local network.
Devices on the guest network won't see your shared folders, network printers, NAS storage, or other computers. This provides an additional layer of security. If you want to disable a device but are worried about misconfiguring the blacklist, simply change the main network password and share the new password only with trusted people, leaving guest access for everyone else.
| Parameter | Main network | Guest network | Blacklist |
|---|---|---|---|
| LAN access | Full | Prohibited | Depends on the device |
| Speed | Maximum | Limited | Zero |
| Difficulty of setup | Low | Average | Low |
| Data security | High | Maximum | Average |
Using a guest segment also allows you to apply separate parental control rules and time limits without affecting the main network. You can set up automatic shutdown of guest Wi-Fi according to a schedule, such as at night.
What is the difference between client isolation and guest networking?
Client Isolation prevents devices within the same network from seeing each other but still allows internet access. A guest network is a separate logical interface with its own security settings and access to LAN resources.
Scheduled access restrictions
Often, you don't need to completely turn off a device, but rather limit the time it spends online. Functionality KeeneticOS Allows you to create access profiles based on time of day and day of the week. This is the ideal tool for parental controls or restricting gaming consoles.
To configure, go to the section Security → Internet access (or Priorities and limitations). Here a new rule is created, which specifies the target device (by MAC address) and the time interval when access should be denied or allowed.
You can create a "Night" or "Study" profile, which will block network access from 11:00 PM to 7:00 AM or from 8:00 AM to 3:00 PM, respectively. Applying this profile to a specific device ensures that it will physically be unable to transmit data through the router during the specified time, even if a connection is formally established.
- 🕒 Create a schedule profile in the router's security section.
- 📵 Bind the profile to the MAC address of the target device.
- ✅ Activate the rule and test its operation at the specified time.
It is important to keep in mind that the time on the router must be synchronized correctly. Usually Keenetic It receives time from your ISP or via NTP servers automatically, but it's worth checking the settings during power outages. If the time is out of sync, the blocking schedule may not work correctly.
Forced connection termination
Sometimes a situation arises when you need to "kick" a device off the network right away, without waiting for a reconnection or password change. In the interface Keenetic A forced session disconnection feature is available. This is especially useful if the device is stuck connected but not actually transmitting data, or if you've just changed security settings.
While in the client list (Client list (On the main page or in the WiFi section), find the device you need. Next to its name or IP address, there's often a button or icon resembling a circle with a line through it or a lightning bolt. Clicking this initiates sending deauthentication packets to the client device.
After this, the gadget will lose connection to the access point. If the router's security settings haven't been changed (the password remains the same and the MAC filter isn't enabled), the device will attempt to reconnect automatically. Therefore, this method is effective in conjunction with changing the password or enabling a blacklist.
⚠️ Note: Force disconnect may not work on devices with a stable signal if they ignore deauthentication packets, although in most cases the method works without fail.
For a more in-depth analysis, you can use the system logs. Go to System → Magazine and filter events by module WiFi or AuthThere you can see attempts to connect to a blocked device and the reasons for access denial.
Additional WiFi network security measures
Blocking a specific device is a reactive measure. To minimize the need for such actions in the future, it's worth taking steps to prevent unauthorized access. Standard WPA2-Personal security is no longer considered completely secure, so modern routers Keenetic support more robust protocols.
It is recommended to switch to encryption. WPA3 or mixed mode WPA2/WPA3This security standard significantly complicates brute-force password guessing. It's also a good idea to disable the WPS feature, as it's a known vulnerability that allows password protection to be bypassed.
Update your router software regularly. In new versions KeeneticOS Security holes are being closed and the stability of filtering mechanisms is being improved. Update checking can be configured automatically.
- 🔐 Use complex passwords (at least 12 characters, numbers, special characters).
- 🚫 Disable WPS in your wireless network settings.
- 🔄 Enable automatic router firmware updates.
Hiding your network name (SSID) is also a good practice if you want only those you've shared your network name with to know about your WiFi network. However, keep in mind that this doesn't provide 100% protection, as professional scanners will still detect the signals.
Is it possible to disable the device via the Keenetic mobile app?
Yes, in the official app Keenetic (available for iOS and Android) has client management functionality. You can see a list of connected devices and, by tapping on a specific device, choose to block or restrict access, if your router model and OS version support it.
What to do if a blocked device still connects?
This means the device's MAC address has been changed (cloned) or the blacklist settings haven't been saved. Try changing the WiFi password and encryption type completely. Also, check if WPS is enabled, which may allow a connection without a password.
Does MAC blocking affect the speed of the rest of the network?
No, MAC address filtering occurs at the router driver and processor level and doesn't create a noticeable load. Internet speeds for other users won't change. In fact, disabling "freeloaders" can actually improve overall network performance.
How can I find out the MAC address of a device if it is not currently connected?
If the device has been connected previously, its MAC address may be stored in DHCP logs or in the list of known clients (static leases). Otherwise, it's impossible to find the MAC address remotely; physical access to the device is required to view it in the network settings.