MAC Address Filtering: What It Is and How It Works

Should you enable MAC address filtering on a router?


Most broadband routers and other wireless access points include an optional feature called MAC address filtering, or hardware address filtering. It improves security by limiting the devices that can join a network. However, since MAC addresses can be spoofed or faked, is filtering these hardware addresses actually useful, or is it a waste of time?

Should MAC Authentication be Enabled?

On a typical wireless network, any device that has the proper credentials (knows the SSID and password) can authenticate with the router and join the network, getting an IP address and access to the internet and any shared resources.

MAC address filtering adds an extra layer to this process. Before letting any device join the network, the router checks the device's MAC address against a list of approved addresses. If the client's address matches one on the router's list, access is granted as usual; otherwise, it's blocked from joining.
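The check described above can be modeled in a few lines. This is an added example, not code from the original article or from any router vendor; the function names and sample addresses are constructed for illustration. It goes slightly beyond the text by accepting the different notations an address may be copied in and by flagging software-assigned addresses, which may change and lock a device out.

```python
import re

# Notations an admin is likely to copy from an OS or a router page.
_FORMATS = [
    re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"),   # 00:00:5e:00:53:01
    re.compile(r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"),   # 00-00-5E-00-53-01
    re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"),  # 0000.5e00.5301
    re.compile(r"[0-9a-f]{12}"),                     # 00005e005301
]

def normalize_mac(text):
    """Return the address as lowercase aa:bb:cc:dd:ee:ff or raise ValueError."""
    candidate = text.strip().lower()
    if not any(p.fullmatch(candidate) for p in _FORMATS):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if the address was assigned in software, not by the manufacturer
    (bit 0x02 of the first octet); such addresses may change over time."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def build_allowlist(entries):
    """Return (allowed set, rejected entries) from admin-supplied strings."""
    allowed, rejected = set(), []
    for entry in entries:
        try:
            allowed.add(normalize_mac(entry))
        except ValueError:
            rejected.append(entry)
    return allowed, rejected

def may_join(client_mac, allowed):
    """The filter's decision: it sees only the address the client presents."""
    try:
        return normalize_mac(client_mac) in allowed
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample entries; the last one is malformed (five octets).
    entries = ["00-00-5E-00-53-01", "0000.5e00.5302",
               "02:11:22:33:44:55", "00:00:5e:00:53"]
    allowed, rejected = build_allowlist(entries)
    print("rejected:", rejected)
    print("software-assigned:",
          sorted(m for m in allowed if is_locally_administered(m)))
    for mac in ["00:00:5E:00:53:01", "00:00:5e:00:53:99"]:
        print(mac, "->", "join" if may_join(mac, allowed) else "blocked")
```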

How to Configure MAC Address Filtering

To set up MAC filtering on a router, the administrator must configure a list of devices that are allowed to join. Find the physical address of each approved device, enter those addresses into the router, and then turn on the MAC address filtering option.

Most routers display the MAC addresses of connected devices in the admin console. If yours does not, use each device's operating system to find its address. Once you have the list of MAC addresses, go into the router settings and enter them in the appropriate fields.

For instance, to enable the MAC filter on a Linksys Wireless-N router, go to the Wireless > Wireless MAC Filter page. The same can be done on NETGEAR routers through Advanced > Security > Access Control, and on some D-Link routers through Advanced > Network Filter.

Does MAC Address Filtering Improve Network Security?

In theory, having a router perform this connection check before accepting devices increases the chance of preventing malicious network activity. The MAC addresses of wireless clients can't truly be changed because they're encoded in the hardware.

However, critics have pointed out that MAC addresses can be faked, and determined attackers know how to exploit this fact. An attacker still needs to know one of the valid addresses for that network to break in, but this too is not difficult for anyone experienced in using network sniffer tools.

Still, similar to how locking your house doors will deter most burglars but not stop determined ones, setting up MAC filtering prevents average hackers from gaining network access. Most computer users don't know how to spoof a MAC address or find a router's list of approved addresses.

MAC filters are not the same as content or domain filters, which are ways for network admins to stop certain traffic (such as adult and social networking sites) from flowing through the network.