Host alias with MAC randomization and split 2.4/5G SSIDs?

Started by OPNenthu, November 26, 2024, 10:43:39 PM

Hi all,

I have an IoT network with some older devices that only support 2.4GHz but the network is shared with newer devices and mobile phones.  To get around this I have created two SSIDs for the subnet (IoT-2.4 and IoT-5).

Pertaining to the mobile phones, they need to sometimes connect to IoT-2.4 so that they can control the first-gen Google Chromecast devices.  For whatever reason they need to be on the same SSID to interoperate and it's not enough to be on the same subnet.  Other times, they are on IoT-5 to take advantage of the bandwidth.

All is fine except I noticed that when the phones switch bands they may present with different MACs and thus new leases from the DHCP pool, so I cannot just add them to a rule alias for filtering.

The documentation specifies that a persistent random MAC should be used for the same SSID, except in some software-defined circumstances I think are outside my control.

I thought to just connect all the phones to each of the SSIDs one by one and then convert them to static leases.  I'm not sure how reliable this would be, but I would end up with 2x static leases per phone and the method seems a bit ridiculous (it certainly wouldn't scale, but that is not much of a problem in the home).

Are there better ways to track these clients in an alias?  I want to stick with WPA2 Personal because a FreeRADIUS setup wouldn't be practical at home and I think many of the IoT things would be incompatible.
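The situation described in the post above, as an added example that is not the original poster's or OPNsense's own code: a small parser over ISC dhcpd.leases text that groups active leases by client-hostname, flags devices holding leases under more than one MAC (one randomized MAC per SSID), marks which of those MACs carry the locally-administered bit that randomized addresses use, and returns the IP/MAC set one would feed into an alias or convert to static mappings. The lease text, hostnames and MACs are constructed for the example; the lease file path mentioned in the comment is an assumption about a stock OPNsense install. Note the caveat the code comments repeat: client-hostname is supplied by the client, so grouping by it is a convenience for a home network, not an identity check.

```python
"""Group ISC dhcpd leases by client hostname to find phones that show up
under several randomized MACs (for example one per SSID) and produce the
address set for a firewall alias.

Added example, not code from the original post or from OPNsense.
Assumption: OPNsense's ISC DHCPv4 server writes leases in this syntax to
/var/dhcpd/var/db/dhcpd.leases; read that file instead of SAMPLE_LEASES
on a real box.  Caveat: client-hostname is client-supplied and trivially
spoofable, so this is a grouping heuristic, not authentication.
"""
import re
from collections import defaultdict

# Constructed sample in ISC dhcpd.leases syntax (made-up hosts and MACs).
# "Pixel-7" holds one active lease per SSID plus an older expired one.
SAMPLE_LEASES = """\
lease 192.168.30.50 {
  starts 2 2024/11/26 22:00:00;
  ends 3 2024/11/27 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 5a:1b:2c:3d:4e:5f;
  client-hostname "Pixel-7";
}
lease 192.168.30.51 {
  starts 2 2024/11/26 22:10:00;
  ends 3 2024/11/27 22:10:00;
  binding state active;
  hardware ethernet 7e:aa:bb:cc:dd:ee;
  client-hostname "Pixel-7";
}
lease 192.168.30.52 {
  starts 2 2024/11/26 22:15:00;
  ends 3 2024/11/27 22:15:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "Chromecast";
}
lease 192.168.30.53 {
  starts 1 2024/11/25 22:15:00;
  ends 2 2024/11/26 22:15:00;
  binding state free;
  hardware ethernet 9a:11:22:33:44:55;
  client-hostname "Pixel-7";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet ([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname "([^"]*)";')
# Anchored at line start so "next binding state ..." is not picked up.
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)


def parse_leases(text):
    """Return one dict (ip, mac, hostname, state) per lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac, host, state = MAC_RE.search(body), HOST_RE.search(body), STATE_RE.search(body)
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1) if host else None,
            "state": state.group(1) if state else "unknown",
        })
    return leases


def is_randomized_mac(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set.
    Android/iOS/Windows randomized MACs set it; a few vendors do as well,
    so treat this as a strong hint rather than proof."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def devices_by_hostname(leases, active_only=True):
    """Map client-hostname -> sorted list of (mac, ip) for its leases."""
    groups = defaultdict(set)
    for lease in leases:
        if lease["hostname"] is None or lease["mac"] is None:
            continue
        if active_only and lease["state"] != "active":
            continue
        groups[lease["hostname"]].add((lease["mac"], lease["ip"]))
    return {h: sorted(v) for h, v in groups.items()}


def multi_mac_devices(leases):
    """Hostnames currently holding active leases under more than one MAC."""
    groups = devices_by_hostname(leases)
    return sorted(h for h, v in groups.items() if len({mac for mac, _ in v}) > 1)


def alias_members(leases, hostnames):
    """(ips, macs) for the given hostnames: the IPs go into the alias, the
    MACs are what you would pin as static mappings, one per SSID."""
    groups = devices_by_hostname(leases)
    ips, macs = set(), set()
    for h in hostnames:
        for mac, ip in groups.get(h, []):
            ips.add(ip)
            macs.add(mac)
    return sorted(ips), sorted(macs)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for host in multi_mac_devices(leases):
        for mac, ip in devices_by_hostname(leases)[host]:
            tag = "randomized" if is_randomized_mac(mac) else "burned-in"
            print(f"{host}: {ip} via {mac} ({tag})")
    print("alias members:", alias_members(leases, ["Pixel-7"]))
```

Running it against the constructed sample reports both active Pixel-7 leases (both MACs have the locally-administered bit set) and ignores the expired one, which is exactly the "2x static leases per phone" the post describes, just collected automatically. Because the alias only covers leases that exist right now, the script would have to be re-run (or the MACs converted to static mappings) whenever a phone picks up a new address.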

1. Concerning the division of your devices when they are on different SSIDs: This is most likely a misconfiguration, either by a bridge for your APs or by using a feature that e.g. UniFi calls 'device isolation', in which you can isolate all devices on your WLAN so that they just see their gateway, but not one another.

2. Mobile phones nowadays use a kind of "privacy" by selecting a random (!) MAC per SSID in order to hide their true identity. Once you disable that feature on your phone, you will always get the same IP based on the (same) MAC.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thanks @meyergru

Quote from: meyergru on November 26, 2024, 10:58:30 PM
Once you disable that feature on your phone, you will always get the same IP based on the (same) MAC.

So that's the only good solution to keep the phones in an alias then?

Maybe I need to find another way to do my filtering so that I don't need this alias in the first place.  What I am trying to achieve in the short term is a network-wide block rule to known DoH servers, except for the phones because they are configured to use DoH always (privacy DNS setting in Android) for when away from home.

Ideally they would be using my own Unbound resolver in all cases, but for that I presumably need a persistent VPN tunnel.  Going to take more time and research.