Problem with randomized MAC address on cellphone

Started by pankaj, March 25, 2021, 02:31:17 AM

Hi,
I have an Orbi router connected to a L2 switch and Orbi is running in AP mode, so all DHCP assignments for wireless clients are done via OPNsense. On both Android and iPhone there is an option under WiFi to use the phone MAC or a randomized MAC, I understand that the latter is more secure.

There are no host specific rules on WiFi VLAN and for now I have allowed pass everything to keep things simple. It works fine when I use phone MAC address but when I switch to randomize MAC on cellphone, the device gets the correct IP assignment (with WiFi VLAN subnet) but does not get internet access.

Is there an explanation for this behavior?

Got the same problem with OPNsense; pfSense, no problem for me. Using a TP-Link RE450 in AP mode.

Quote from: pankaj on March 25, 2021, 02:31:17 AM
On both Android and iPhone there is an option under WiFi to use phone MAC or a randomized MAC, I understand that the latter is more secure.

Randomized MAC has nothing to do with security, it's only related to privacy. So there is no need to use randomized MACs in your private network.

Quote from: pankaj on March 25, 2021, 02:31:17 AM
It works fine when I use phone MAC address but when I switch to randomize MAC on cellphone, the device gets the correct IP assignment (with WiFi VLAN subnet) but does not get internet access.

I recommend a packet dump of both scenarios and to check the difference.

OPNsense 24.7.11_2-amd64

Is "Enable Static ARP entries" active in the DHCP settings? (The help for that setting says: This option persists even if DHCP server is disabled. Only the machines listed below will be able to communicate with the firewall on this NIC.)

As far as privacy is concerned: randomised MAC addresses are not necessary for IPv6 privacy. Privacy extensions should take care of that. Randomised MACs are intended to protect against malicious access points that track their users across APs and locations.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)



Quote from: pmhausen on July 26, 2021, 05:13:13 PM
Randomised MACs are intended to protect against malicious access points that track their users across APs and locations.

Exactly. That is used against all kinds of position tracking by ad tech.

You can open the white paper on that page to view the PDF.
https://meraki.cisco.com/solutions/location-analytics

The MAC address is only randomized while scanning for SSIDs. When you connect to one, the MAC will not change. It can then be the original MAC address or it stays at the same random one.


Dear Pankaj,

I have noticed this also! I have opnsense configured with:
Deny unknown clients - on
Ignore Client UIDs - on
Static ARP - on

All devices are in the "DHCP Static Mappings for this interface."  list.

When my devices update, like iPhone, Apple TV, MacBook, IoT, etc., everything keeps working fine, BUT when my son updates e.g. his iPhone to a beta version of iOS, that iPhone connects to WiFi but gets no data/internet.
I have to delete his iPhone and connect it again with a static IP. It looks like the same problem you are experiencing. Is this a bug in OPNsense or in my understanding of how my "closed network settings" work?
Deciso DEC850v2
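Added example, not code from this thread or from the OPNsense project: the behaviour the two posts above describe (a client that gets an address but cannot reach the gateway under "Enable Static ARP entries", and a client that gets no lease at all under "Deny unknown clients"), reduced to a check you can run against your own static-mapping list. The mapping table and the client MACs are constructed sample data, the option semantics are modelled only as the quoted help text states them, and the locally-administered-bit test is a heuristic: iOS and Android private Wi-Fi addresses set that bit, but so do some VMs and vendors.

```python
"""Predict what a closed OPNsense DHCP/ARP setup does with a given client MAC.

Constructed example; the mapping list below is sample data, not a real network.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for "DHCP Static Mappings for this interface": MAC -> IP.
STATIC_MAPPINGS: Dict[str, str] = {
    "3c:22:fb:12:34:56": "10.20.0.10",  # phone, hardware MAC (constructed)
    "a4:83:e7:ab:cd:ef": "10.20.0.11",  # laptop (constructed)
}


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so '3C-22-FB-...' and '3c:22:fb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set.

    Randomized ("private") addresses on iOS and Android are generated with this
    bit set, so a locally administered MAC from a phone is a strong hint that
    randomization is on.  Heuristic only: VMs and a few vendors set it too.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass
class Client:
    mac: str
    description: str = ""


def classify(client: Client, mappings: Dict[str, str],
             deny_unknown_clients: bool, static_arp: bool) -> str:
    """Return a short verdict for this client under the two closed-network options.

    Verdicts:
      ok               - MAC is in the mapping list; lease and ARP both work.
      no-lease         - "Deny unknown clients" is on and the MAC is unlisted:
                         DHCP never answers, the phone ends up self-assigned.
      lease-no-gateway - unlisted MAC gets a pool address, but with static ARP the
                         firewall only talks to listed MACs, so no traffic
                         crosses the gateway (the symptom in the thread).
      ok-dynamic       - neither option is on; ordinary dynamic client.
    """
    mac = normalize_mac(client.mac)
    if mac in mappings:
        return "ok"
    if deny_unknown_clients:
        return "no-lease"
    if static_arp:
        return "lease-no-gateway"
    return "ok-dynamic"


def explain(client: Client, mappings: Dict[str, str],
            deny_unknown_clients: bool, static_arp: bool) -> str:
    """Human-readable line for a quick audit of a suspicious lease."""
    verdict = classify(client, mappings, deny_unknown_clients, static_arp)
    mac = normalize_mac(client.mac)
    hint = "randomized/locally-administered" if is_locally_administered(mac) else "globally unique"
    return f"{mac} ({client.description or 'unknown'}, {hint}): {verdict}"


def audit(clients, mappings, deny_unknown_clients, static_arp):
    """Run the check over several observed clients; returns the verdict lines."""
    return [explain(c, mappings, deny_unknown_clients, static_arp) for c in clients]


if __name__ == "__main__":
    # Constructed observations: the phone once with its hardware MAC, once randomized.
    observed = [
        Client("3C-22-FB-12-34-56", "phone, hardware MAC"),
        Client("da:a1:19:00:11:22", "phone, randomized MAC"),
    ]
    for line in audit(observed, STATIC_MAPPINGS, deny_unknown_clients=False, static_arp=True):
        print(line)
```

The practical use is the second observation: a lease whose MAC is locally administered and absent from the mapping list is exactly what a phone with "Private Wi-Fi Address" turned on looks like, and with static ARP enabled that client will get a pool address and nothing more. The fix is either to add the randomized MAC to the mappings (it is stable per SSID on current iOS and Android, as the post above notes) or to turn randomization off for that SSID.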

I think this is how you can effectively block the MAC randomisation from being used...


Cheers,
Franco