MAC Address Filtering: What It Is and How It Works

Should You Enable MAC Address Filtering on a Router?

Should MAC authentication be enabled?

Lorenzo Carafo / Pixabay


Most broadband routers and other wireless access points include an optional feature called MAC address filtering, or hardware address filtering. It's supposed to improve security by limiting the devices that can join the network.

However, since MAC addresses can be spoofed/faked, is filtering these hardware addresses actually useful, or is it just a waste of time?

Should MAC Authentication be Enabled?

On a typical wireless network, any device that has the proper credentials (knows the SSID and password) can authenticate with the router and join the network, getting an IP address and access to the internet and any shared resources.

MAC address filtering adds an extra layer to this process. Before letting any device join the network, the router checks the device's MAC address against a list of approved addresses. If the client's address matches one on the router's list, access is granted as usual; otherwise, it's blocked from joining.

How to Configure MAC Address Filtering

To set up MAC filtering on a router, the administrator must configure a list of devices that should be allowed to join. The physical address of each approved device must be found and then those addresses need to be entered into the router, and the MAC address filtering option turned on.

Most routers let you see the MAC address of connected devices from the admin console. If not, you can use your operating system to do it. Once you have the list of MAC address, go into your router's settings and put them in their proper places.

For instance, you can enable the MAC filter on a Linksys Wireless-N router through the Wireless > Wireless MAC Filter page. The same can be done on NETGEAR routers through ADVANCED > Security > Access Control, and some D-Link routers in ADVANCED > NETWORK FILTER.

Does MAC Address Filtering Improve Network Security?

In theory, having a router perform this connection check before accepting devices increases the chances of preventing malicious network activity. The MAC addresses of wireless clients can't truly be changed because they're encoded in the hardware.

However, critics have pointed out that MAC addresses can be faked, and determined attackers know how to exploit this fact. An attacker still needs to know one of the valid addresses for that network in order to break in, but this too is not difficult for anyone experienced in using network sniffer tools.

However, similar to how locking your house doors will deter most burglars but not stop determined ones, so too will setting up MAC filtering prevent average hackers from gaining network access. Most computer users don't know how to spoof their MAC address let alone find a router's list of approved addresses.

Don't confuse MAC filters with content or domain filters, which are ways for network admins to stop certain traffic (like an adult or social networking sites) from flowing through the network.