100

Feature request: MAC address filtering

Are you planning on implementing MAC address filtering? I love your product and recently started using it (got 2 eeros covering my 2500 sq/ft home). Your security approach is very much appreciated, but I believe having MAC address filtering provides additional level of security, as passwords can be breached. I understand that MAC addresses can also be spoofed, but it is much more difficult. If the password is not designed to be difficult enough to guess, once it is breached, the access to network is wide open, whereas with MAC address filtering, any device without the approved address will not gain access to the network.
On the eero app, (at the point of identification of all devices), it would be helpful to have an option to approve the device's MAC address or reject it if you do not recognize it.

70 replies

null
    • astrokid
    • 2 yrs ago
    • Reported - view

    I use a FingBox with my Eero Pro network to block all MAC addresses automatically until I choose to unblock them. 

    NOTE: I'm not a Fing shill and don't have anything to do with the company, I just use their device and like it

    I hope Eero adds this functionality in the future.  I already owned my FingBox for this use, way be fore I switched to Eero.  If that were not the case, I'd be more annoyed in spending $100 on a FingBox to add a feature which really should already be in place and free to us on Eero.

    Normally FingBox is available on Amazon, but currently out of stock (due to the covid related global chip shortages I assume).  It's a $100.00 device, but it works awesome for what I needed.  With it in place, you just tell your son and their friends 1) they have to disable MAC randomization on their devices, 2) you then tell FingBox to allow their true MAC address and your done.  If they turn randomization back on or try to spoof the MAC address, FingBox auto blocks all new MAC addresses you don't specifically white list, so the moment they try to circumvent it, they are offline again.

    No need to scrap Eero, no need to set to bridge mode and get another router.  Sucks to have to add $100 device to my network for this functionality, but here is hoping they'll add it in the future.

    To my knowledge FingBox is still in production and will be back in stock at some point, but for now its hard to purchase...because covid.

      • zengeist
      • 2 yrs ago
      • Reported - view

      Thanks, astrokid, I think I can get a FingBox, but I don't understand where it would connect to my eero systems. I am currently using one eero Pro 6 for gateway connected to one eero Pro and two eero Pro 6 on ethernet, and one eero Pro on wifi. For another location I have an eero Pro gateway connected to two eero Pros on wifi. Any help on this would be greatly appreciated.

      • zengeist
      • 2 yrs ago
      • Reported - view

      astrokid BTW, I tried putting a TP Link router in front of the gateway eero, but it wouldn’t let me white list the eero, saying “device not supported”

      • zengeist
      • 2 yrs ago
      • Reported - view

      astrokid Is it necessary to put the eero in bridge mode?

    • tebaroni
    • 1 yr ago
    • Reported - view

    Most devices now come with a feature spoof MAC addresses.  A very useful security feature would be to link hardware to security... which you can easily do by MAC address whitelisting.   This feature is not just for security.

    Profile controls on eeroOS limiting access to the Internet based on MAC address.  Spoofing (labelled Private Wi-Fi Address on iOS or Random hardware address on Windows 10) allows for those access controls to be circumvented by turning on the spoofing feature.  Then when the admin recognizes that this has happened, that new, random MAC address can be denied access.  The operator who has been thwarted at that MAC address need only to generate a new one, use the same password and be back in business.  My teens figured this out and I was alerted to it by the new device notifications from the Eero app.

    • Gstow
    • 1 yr ago
    • Reported - view

    Just installed an eero pro 6 and i can't believe there is no ability to manage the device. All you get is an informational interface. Not even simple MAC address filtering. Being able to block a device after it's already connected to the network is pretty much worthless. I'm returning this POS and getting a secure router.

      • Sr. Eero wireless engineer
      • Sdworman
      • 1 yr ago
      • Reported - view

      G-stow there is mac address filtering.

      • Gstow
      • 1 yr ago
      • Reported - view

      Sdworman Great! I hope so. How do you access it? Thanks, -G

    • ricardol
    • 1 yr ago
    • Reported - view

    Please add a MAC white list. Tired of chasing my children around with spoofed MAC addresses. When can we expect this done?

    • darrenjo
    • 1 yr ago
    • Reported - view

    as above...randomised mac addresses are removing any control I have over the Internet usage.

    • evansg98
    • 1 yr ago
    • Reported - view

    Agree that Eero needs to add MAC address whitelist capability so all new devices are automatically blocked until they've been vetted.  MAC address spoofing renders parental controls useless.

    • mcookacura23
    • 1 yr ago
    • Reported - view

    Eero definitely needs a feature to either have mac address filtering or automatic deny until approve type feature.  I have someone breaking the WPA2 encryption on the device and logging on, I can see unrecognized device and I can block it but then they just change mac addresses and log right back on.  I have changed my WPA2 password but same thing happens.  Having mac address filtering I could approve only my set of mac addresses or a deny until approve option would remedy this situation instead of me playing a cat and mouse game.

    • jmetheny
    • 1 yr ago
    • Reported - view

    I absolutely agree, having a mac address filter is probably the most important thing to add to this system. This should be an easy addition to add, and release in a update.

    • Synux
    • 1 yr ago
    • Reported - view

    Yes, we understand that a sophisticated user can get by MAC filtering.  Yes, we understand this is not a final solution.  That said, it would serve to stop basic abuses.  You can add it to ARP table and DHCP lease limitations to make a genuine service of denying unwanted users/devices.  You can do this.  You know how to do this.  You have heard loud and clear for more than five years that this is desired.  Do it.

    • Sr. Eero wireless engineer
    • Sdworman
    • 1 yr ago
    • Reported - view

    Mac address filtering is more of a security risk than anything else.

    This is a high demand request for enterprise networks and not home use.

    Chances of this happening with eero are slim.

      • Synux
      • 1 yr ago
      • Reported - view

      Sdworman Eero could simply apply the same kind of auth we find in any 2FA setups.  When a new device supplies the WPA it sends a request to the owner's phone for approval.  No approval, no access.

    • rileyjohngibbs
    • 8 mths ago
    • Reported - view

    I let a neighbor's guest hop onto my Wifi as a favor because they couldn't get hold of my neighbor. I'd rather they didn't connect to my Wifi anymore without my knowledge, but since they have an iPhone that has MAC spoofing by default, I have no way to block them.

    I'd really like to be able to block or pause new devices by default, then have a notification they've joined so I can unblock or unpause them.

    This seems like such an obvious feature that I thought it existed already! I was surprised to find out that it doesn't.

      • Sr. Eero wireless engineer
      • Sdworman
      • 8 mths ago
      • Reported - view

      rileyjohngibbs first issue is you gave out the WIFI SSID and password.  Change the SSID and password.  As for MAC address filtering - since both Android, IOS, and now Windows 11 can randomize MAC addresses it's challenging to block.  There is a need more now for an allow list.

    • davidandrew
    • 4 mths ago
    • Reported - view

    This feature request is not worth the time and should be put in the "not planned" category. I'm sure those at Eero know this already. 

    For those of you who are not aware: A wireless network card can be put in monitor mode which allows it to passively listen to network traffic without connecting to your network. You can see the MAC addresses of the authenticated or allowed devices and then spoof that address, allowing you to bypass MAC filtering. The access point will read your MAC address and assume that you are an allowed device.


    Being able to set alerts/notifications when new MACs join the network (or even when known MACs join the network) would be nice to have.

      • Bwerrington
      • 3 mths ago
      • Reported - view

      Most of us in this community want the feature of “block all new Mac addresses by default” for parental controls as our kids are sophisticated enough to spoof them with new addresses to circumvent the time restriction controls.  

Content aside

  • Status Under Consideration
  • 100 Votes
  • 3 mths agoLast active
  • 70Replies
  • 6152Views
  • 57 Following