How to share Wi-Fi by IP address only: access settings

Modern users often face the need to restrict access to their wireless network to prevent unauthorized connections from unauthorized devices. Standard WPA2 or WPA3 passwords sometimes seem insecure, especially if you suspect the encryption key has been compromised. In such situations, a logical question arises: is it possible to configure the router to accept connections only from pre-approved devices, ignoring all other requests?

Technically, the term “IP-only distribution” is a common misconception, since the IP address is assigned to the device already after A successful connection to the access point. However, there is a mechanism that can achieve the desired result: MAC address filtering combined with static IP assignment. This method allows you to create a strict whitelist, allowing access only to those whose hardware is included in the router's database.

In this article, we will examine in detail how to implement such protection in practice, what are the nuances of working with DHCP server And why simply hiding your SSID isn't enough for true security. You'll learn how to set up static bindings and understand how to turn your router into an impenetrable fortress accessible only to your devices.

How filtering and static IP work

Before proceeding with the setup, it's important to clearly understand the architecture of the connection process. When a device attempts to connect to Wi-Fi, it goes through several authentication steps. First, encryption keys are exchanged, then an IP address is requested via the protocol. DHCPIf you want your network to operate "only via IP," you're essentially configuring your router to only assign MAC addresses to those MAC addresses that are entered into the static assignment table.

Each network interface has a unique identifier - MAC addressIt's programmed by the manufacturer and, unlike the IP address, doesn't change when reconnecting (unless the user specifically enables randomization). This identifier is the basis of the entire access control system. The router checks the incoming request against an internal list and either grants access or denies it, even if the Wi-Fi password was entered correctly.

It's important to note that setting a static IP address for each device isn't just a security measure, but also a way to simplify network management. When addressing becomes predictable, it's easier to configure port forwarding, set up local servers, or restrict access to specific resources for specific devices.

⚠️ Attention: Router interfaces from different manufacturers (Asus, TP-Link, Keenetic, MikroTik) can vary significantly. Menu item locations often change after firmware updates. If you can't find the exact function name you need, look for sections labeled "Filter," "Access Control," or "Static DHCP."

Implementing this system requires discipline: you must manually register each new device on the network. If you buy a new smartphone or have guests over, they won't be able to connect without a trace—the network administrator will have to physically take their device, find out its MAC address, and make changes to the router's configuration.

Preparing for setup: collecting device information

The first step in creating a secure network is inventory. You need to obtain the exact MAC addresses of all devices you plan to allow access to. This can be done directly in the device's settings or through the interface of an already connected router.

On smartphones running Android or iOS This information is often hidden in deep menus. Furthermore, modern operating systems use a "Private Wi-Fi Address" feature by default, which generates a random MAC address for each network. For our scheme to work, this feature must be disabled so that the device uses its real, permanent identifier.

📊 Do you use the "Private Wi-Fi Address" feature on your phone?
Yes, always on
No, it's disabled.
I don't know what this is
I'll check the settings right now.

To obtain a list of connected devices, you can use standard operating system tools. Below are the paths where the required information is typically located:

  • 📱 Windows: Open command prompt and enter the command ipconfig /all, then find the "Physical Address" section.
  • 🍏 macOS: Go to System Preferences → Network → Wi-Fi → Advanced → Hardware tab.
  • 🤖 Android: Go to Settings → About phone → Status or Wi-Fi network properties.
  • 🍎 iOS: “Settings” → “General” → “About this device” (line “Wi-Fi address”).

Write down all addresses in the format XX:XX:XX:XX:XX:XXEven a single digit error will prevent the device from accessing the network. It's best to create a table listing the device name, its user, and the corresponding MAC address.

☑️ Collecting data for whitelisting

Completed: 0 / 5

Setting up static DHCP on a router

After collecting the data, you need to log into the router's web browser. This is usually done by entering the address 192.168.0.1 or 192.168.1.1 In your browser, find the section responsible for your local area network (LAN) or DHCP server. We're looking for a feature often called "Static DHCP," "Address Reservation," or "IP Binding."

The essence of the setup is to assign a specific IP address to a specific MAC address. For example, you decide that your laptop will always receive the address 192.168.1.10, and the TV is 192.168.1.20The router will see a request from a known MAC address and issue a reserved IP.

Example of an entry in the static DHCP table:

MAC: 00:1A:2B:3C:4D:5E -> IP: 192.168.1.10 (PC_Main)

MAC: AA:BB:CC:DD:EE:FF -> IP: 192.168.1.11 (Phone_User1)

If your router model does not have an explicit “Static DHCP” function in the LAN section, this can be implemented through the “Addressing” section or even through the settings ARP tables, although the latter option is more difficult for beginners. The main thing is to ensure that the router "recognizes" your devices.

Device MAC address (example) Reserved IP Status
Work laptop 00:11:22:33:44:55 192.168.1.10 Active
iPhone smartphone AA:BB:CC:DD:EE:01 192.168.1.11 Active
Smart TV Samsung 11:22:33:44:55:66 192.168.1.20 Waiting
Android tablet AA:BB:CC:DD:EE:02 192.168.1.12 Active

After entering all the entries, be sure to save the settings and reboot the router. Verify that your devices have reconnected and received the IP addresses you assigned them. You can check this in the computer's command line using the command ipconfig.

What to do if IP is not assigned?

If the device doesn't receive a reserved IP address after rebooting, try running a network reset command on the device itself. In Windows, this is "netsh int ip reset," and in Android, "Reset network settings." Sometimes, temporarily disabling the static IP feature on the client itself can help, if it was previously manually set.

MAC address filtering (Whitelist)

The most important step is enabling strict filtering. This tells the router, "Allow Wi-Fi connections only to those on the list, and deny all others." This feature is usually found in the "Wireless," "Wi-Fi Settings," or "Security" sections, under the heading MAC Filter, "Access Control" or "Client Filter".

You need to select the filter mode. There are usually two: "Blacklist" and "Whitelist." For our purposes, choosing the mode is critical. Whitelist (Allow listed only). In this mode, the router by default blocks all connection attempts except those whose MAC addresses are listed in the table.

Add the same MAC addresses you used for static DHCP to the filtering table. Some routers allow you to automatically add currently connected devices to the filter with one click, which significantly speeds up the process. After activating this mode, all devices not on the list will see the network, but will receive an "Incorrect password" or "Unable to connect" error when attempting to enter a password.

⚠️ Attention: Be extremely careful when enabling whitelist mode. If you accidentally forget to enter the MAC address of the device you're currently managing the router from (or that's connected via cable), you may lose access to the settings. It's best to configure this from a device connected via LAN cable or with a way to reset the router using the Reset button.

Once filtering is enabled, the network becomes effectively closed. Even with the Wi-Fi password, an attacker won't be able to connect because their MAC address isn't on the trusted list. This creates a double barrier: WPA2 encryption and address filtering.

Additional wireless network security measures

While MAC filtering and static IP addresses significantly enhance security, they shouldn't be relied upon alone. MAC addresses can be easily spoofed (cloned) using specialized software if an attacker knows the address of a trusted device. Therefore, a comprehensive approach is recommended.

First, make sure you're using a modern encryption standard. In your wireless network settings, select the mode WPA2-PSK [AES] or, if all devices support it, WPA3Outdated WEP or WPA/TKIP protocols can be cracked in minutes, rendering any filtering useless.

  • 🔒 Complex password: Use a long combination of letters, numbers, and special characters. The password must be unique and not used on other websites.
  • 📡 Disabling WPS: The WPS (Wi-Fi Protected Setup) feature has known vulnerabilities. Find the WPS option in the settings and set it to "Disabled."
  • 👁️ Hiding SSID: You can hide the network name so it doesn't appear in the list of available networks. However, this is inconvenient for legitimate users and doesn't offer much protection against cybercriminals.

It's also worth considering the AP Isolation feature if you need it. It prevents devices within the network from seeing each other, but for home use with printers and media servers, this may be inconvenient.

Possible problems and solutions

When implementing a strict access policy, you may encounter a number of technical difficulties. The most common issue is devices with MAC address randomization. As mentioned earlier, modern smartphones (iPhones with iOS 14+, Android 10+) change their MAC address by default when connecting to new networks. As a result, the router sees the "new" client and blocks it, since the old address is whitelisted.

There's only one solution: on each client device, in the specific Wi-Fi network settings, find the "Private Address" or "MAC Randomization" option and switch it to "Off" or "Use Device Address." Only then will the router recognize the MAC address and allow the device to connect to the network.

Another problem is guests. If you have friends over, you can't just give them the password. You'll have to:

  1. Temporarily disable MAC filtering (unsafe).
  2. Or create a guest network (Guest Network) with a separate name and password, not protected by filtering.
  3. Or manually enter the MAC address of the guest's phone into the router settings (time-consuming and inconvenient).

Using a guest network is the most civilized option. It isolates guests from your personal files and printers, but gives them internet access without having to reconfigure the main Whitlist each time.

⚠️ Attention: Some telecom operators provide routers with limited firmware functionality, blocking access to advanced security settings. If you can't find the settings you need, you may need to reflash the device to an alternative OS (such as OpenWrt) or upgrade to a more advanced router model.

FAQ: Frequently Asked Questions

Is it possible to bypass MAC address filtering?

Yes, an experienced user can change (clone) their device's MAC address to that of a trusted device if they know it. Special utilities are used for this. Therefore, MAC filtering is an additional, but not the only, line of defense. It's effective against random neighbors, but not against a targeted hacker attack.

Will my internet speed decrease after enabling static IP?

No, your connection speed won't change. Static IP assignment and MAC filtering are handled by router services with minimal CPU load. For home use, the difference in performance will be imperceptible.

What should I do if I sold my phone but its MAC address is still listed?

Nothing bad will happen. The new owner of the phone will likely reset the settings or use MAC randomization after receiving a new address. However, to keep the table clean and secure, it's recommended to periodically review the list and remove devices you no longer own.

Does this method work for smart home (IoT)?

Yes, this is even recommended. Smart lights, plugs, and cameras often have weak security. By placing them on a filtered network and isolating them from the internet (unless remote access is needed) or restricting their permissions, you can significantly increase the security of your entire smart home system.