How to Block a MAC Address on a Wi-Fi Router: Step-by-Step Instructions

When an uninvited guest connects to your wireless network, or you want to restrict your children's internet access at specific times, hardware filtering is the most reliable tool. Blocking a specific device allows you to instantly disconnect, even if the Wi-Fi password has been compromised or shared with third parties. This isn't just a temporary measure, but a fundamental method for protecting the perimeter of your local network from unauthorized intrusion.

The method involves the router checking the unique network card ID of each connected device and comparing it against a list of allowed or blocked addresses. Unlike changing your password, which requires reconnecting all your personal devices, MAC address filtering Allows targeted disconnection of only intruders. Modern routers offer flexible access control tools, making the setup process accessible even to inexperienced users.

Before taking any decisive action, you need to clearly understand who exactly is on your network. Your router's admin panel typically displays a list of all active connections, showing device names and their current data transfer speeds. If you notice an unknown name or abnormally high traffic, this is the first sign that it's time to enable the blacklist.

What is a MAC address and why should it be blocked?

Media Access Control — is a unique identifier assigned to a network interface during manufacturing. It consists of 12 hexadecimal digits and, unlike an IP address, does not change when reconnecting to the network (unless randomization is used). This constancy makes it ideal for creating static access rules at the hardware level.

Blocking based on this feature is necessary when standard WPA2/WPA3 protection is insufficient or when you want to create strict restrictions. For example, in offices or dormitories where the password may be known to a wide circle of people. white list Ensures that only pre-approved equipment can connect. This creates a level of security that cannot be breached by simply guessing a password.

⚠️ Attention: MAC addresses can be spoofed. A skilled attacker with access to your network can copy the identifier of an authorized device and bypass the block. Use this method in conjunction with strong encryption.

There are two main approaches to filtering: Blacklist and Whitelist. In the first approach, you deny access to specific addresses while leaving the network open to everyone else. In the second approach, access is denied to everyone except those on the whitelist. The latter approach is significantly more secure, but requires manual configuration for each new device.

📊 What protection method do you plan to use?
Blacklist (prohibit specific)
Whitelist (allow only your own)
Just change your Wi-Fi password
I don't need this

How to find the MAC address of a connected device

To effectively block, you need to know exactly who you're blocking. The easiest way is to look at your router's web interface. The section responsible for wireless connections is often called Wireless, WLAN or Wi-Fi Clients. It displays a table with active connections, IP addresses, and searched identifiers.

If the device isn't currently connected to the network, but you know whose address you need, you can find it in the gadget's settings. On Android smartphones, the path usually goes through Settings → About phone → General information, and on iPhone through Settings → General → AboutIn Windows, you can get the information by entering the command in the command line ipconfig /all and find the line "Physical address".

Pay special attention to the "Private Wi-Fi Address" feature in iOS and Android 10+. If enabled, the device will generate a random MAC address for each network, making your blocking ineffective. For router-side filtering to work, the client device must use the real, factory-issued address.

Why can addresses change?

Modern operating systems use MAC address randomization to protect user privacy on public networks. This means that each time a device connects to a new access point, it presents itself with a new identifier. For a home network, it's best to disable this feature in the Wi-Fi settings for that specific connection.

TP-Link device interfaces may vary depending on the firmware version and menu color (green or blue/light blue). In older interface versions (green menu), you need to go to the Wireless and select a subsection Wireless MAC FilteringHere you need to activate the function by pressing the button Enable.

Next, you need to select a filtering rule. To block specific users, select the option Deny (Deny) or "Allow the stations specified by any enabled entries to access" (if the logic is inverted, read the button descriptions carefully). Then click Add New and enter the MAC address of the intruder in the format XX:XX:XX:XX:XX:XX.

In the new Tether interfaces (blue menu), the logic is similar, but the layout of the elements is different. Go to AdvancedWirelessWireless MAC Filtering. Make sure the function status is EnabledThe list of devices to block or allow is created separately. Don't forget to save the settings by clicking the button. Save, otherwise the rules will be reset after reboot.

☑️ Checking TP-Link settings

Completed: 0 / 5

If you have blocked yourself, you can only restore access via a LAN cable or by resetting the router settings using the button Reset.

Setting up filtering on ASUS and Keenetic routers

ASUS devices with ASUSWRT firmware have a user-friendly graphical interface. Go to the control panel and find the section in the left menu. Wireless network (Wireless). There will be a tab there. MAC address filterEnable filtering mode and select Reject to create a blacklist.

Keenetic (formerly ZyXEL) routers are renowned for their flexibility. In the web configurator, go to the menu My Networks and Wi-FiHome networkIn the client list, find the desired device and click on it. In the settings window that opens, you can simply toggle the "Internet access" slider to "Denied" or add the device to the block list.

Both manufacturers allow you to use a schedule. This means you can block access, for example, only at night or on weekends. flexible configuration Useful for parental control, allowing you to limit your children's time online without completely turning off the device.

Parameter TP-Link ASUS Keenetic
Menu section Wireless / MAC Filtering Wireless network My Networks and Wi-Fi
Blocking mode Deny Reject Access Denied
Address format XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX XX-XX-XX-XX-XX-XX
Preservation Save button Apply button Autosave

Using a whitelist for maximum protection

If your goal is to create an impenetrable fortress, use the "Allow Only" mode. In this mode, the router ignores all connection requests except those from addresses included in the database. This is the most secure method, as even with the password, an attacker won't be able to access the network.

Setting up a whitelist requires careful preparation. First, add all your devices to the list: phones, laptops, TVs, smart plugs. Only after the list is created and verified, enable strict filtering mode. An error at this stage could result in a complete loss of Wi-Fi in your home.

The main drawback of this method is the difficulty with guests. Every time friends come over, you'll have to manually add their devices to the allowed list via cable or from an already connected administrator device. It's best to create a separate SSID for the guest network, allowing guest access, isolated from the main network.

⚠️ Attention: Before activating "Allowed Only" mode, make sure the device you're using to configure the settings (PC or phone) is already whitelisted. Otherwise, you'll lose connection to the router immediately after applying the settings.

Problems and limitations of the locking method

Despite its effectiveness, filtering has its weaknesses. The main problem is MAC address randomization in modern smartphones. iPhones and Android devices can change their identifiers every time they connect to the network if the privacy protection feature is enabled. In this case, a blocked address will become invalid within a few minutes.

Furthermore, this method doesn't encrypt traffic. If an attacker manages to connect (for example, by bruteforcing the password or copying the MAC address of a legitimate device), they will gain access to data transmission unless WPA2/WPA3 encryption is used. Address filtering is just one layer of protection, not a panacea.

It's also worth keeping in mind that resetting a router to factory settings deletes all block lists. If the device is stolen or lost, an attacker could reset the settings and gain complete control. Therefore, the physical security of the router itself is also important.

Frequently Asked Questions (FAQ)

Will the lock be reset if the router loses power?

No, filtering settings are saved in the device's non-volatile memory. Once turned on, the router will automatically apply all previously set blocking rules and whitelists/blacklists.

Is it possible to block a device if it is currently offline?

Yes, you can manually add a MAC address to the blocked list if you know it in advance. The rule will take effect the next time the device attempts to connect to your network.

Does blocking a MAC address affect internet speed for other devices?

No, the filtering process occurs at the access control level and consumes virtually no router CPU resources. Internet speed for authorized users remains unchanged.

What should I do if I locked my phone and can't access settings?

The only way out is to connect the computer to the router using a LAN cable (if it is not blocked) or perform a full reset of the router settings using the Reset button, and then configure the network again.