• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

iOS 14 and blocking those pesky "private addresses"

Firewalling
5
9
706
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    timtrace
    last edited by Nov 3, 2020, 6:38 PM

    The iOS 14 devices on my home network are annoying me with their private addresses (MACs) dancing all around.

    I'm thinking about using a floating rule to allow outbound traffic only from a list of known MACs. I'd then require the iOS devices to turn off "private address" for that particular wireless network.

    My ARP table has 58 local addresses. My hardware is at 3% CPU and 31% memory. In my mind I've got power to burn.

    What do you guys think about all this?

    Explanation of this iOS 14 feature with maybe a little extra info you may not have seen before ...

    To reduce privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.

    The introduction to the feature is mentioned in the "Build trust through better privacy" video (https://developer.apple.com/videos/play/wwdc2020/10676/).

    Key points :
    Users are always in control - users can control enablement of the feature at any time for each network.

    Addresses are generated randomly for every network

    Addresses are not linked to your identity

    Addresses are updated for all networks daily by the device, NO server is involved in address generation. Since addresses are generated randomly, it is very unlikely that two devices on the same network will generate the same address.

    A new MAC will be used whenever a new address has been generated and the device re-joins the network

    Users can see which MACs are generated for each network in the Wi-Fi scan list, even before joining the network

    Networks that use MAC-based access inherently track devices. Privacy on tracking networks can be controlled using the temporary address so that participation with the tracking network is also temporary.

    B J 2 Replies Last reply Nov 3, 2020, 7:22 PM Reply Quote 0
    • N
      NogBadTheBad
      last edited by Nov 3, 2020, 7:01 PM

      Just switch it off on the iDevices, you're over thinking the problem.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      1 Reply Last reply Reply Quote 0
      • T
        timtrace
        last edited by Nov 3, 2020, 7:05 PM

        I hear you, but, when they turn "private address" back on I'll have to start chasing my tail again.

        G 1 Reply Last reply Nov 4, 2020, 8:14 AM Reply Quote 0
        • B
          bmeeks @timtrace
          last edited by bmeeks Nov 3, 2020, 7:25 PM Nov 3, 2020, 7:22 PM

          @timtrace said in iOS 14 and blocking those pesky "private addresses":

          'm thinking about using a floating rule to allow outbound traffic only from a list of known MACs. I'd then require the iOS devices to turn off "private address" for that particular wireless network.

          How are you going to filter by MAC address? pfSense (and most firewalls) do not support that kind of filtering as MAC is Layer 2 and firewalls generally work at Layers 3 and up. I think you can do some MAC filtering using Captive Portal, but most folks don' want to use Captive Portal on their home LANs. Guess you could, though.

          T J 2 Replies Last reply Nov 3, 2020, 7:25 PM Reply Quote 0
          • T
            timtrace @bmeeks
            last edited by timtrace Nov 3, 2020, 7:28 PM Nov 3, 2020, 7:25 PM

            @bmeeks said in iOS 14 and blocking those pesky "private addresses":

            How are you going to filter by MAC address? pfSense (and most firewalls) do not support that kind of filtering as MAC is Layer 2 and firewalls work at Layers 3 and up.

            I can use a DHCP reservation to enforce an IP which can be added to an alias.

            I actually have the captive portal running, and our work and school devices connect there, as well as any guests. I had to change from using "allowed MACs" to "allowed hostnames."

            B 1 Reply Last reply Nov 3, 2020, 7:28 PM Reply Quote 0
            • B
              bmeeks @timtrace
              last edited by bmeeks Nov 3, 2020, 7:31 PM Nov 3, 2020, 7:28 PM

              @timtrace said in iOS 14 and blocking those pesky "private addresses":

              @bmeeks said in iOS 14 and blocking those pesky "private addresses":

              How are you going to filter by MAC address? pfSense (and most firewalls) do not support that kind of filtering as MAC is Layer 2 and firewalls work at Layers 3 and up.

              I can use a DHCP reservation to enforce an IP which can be added to an alias.

              Yeah, but you don't need a floating rule for that. Just an alias used as "source" in an inbound rule on say the LAN.

              Might wind up being a pain in the butt if the iOS devices insist on using the private addresses when enabled and don't get an IP using the defined MAC.

              If it's a home network, why is it such a problem? I only see it as an issue if you have really small DHCP address pools and long lease times.

              1 Reply Last reply Reply Quote 0
              • G
                Gertjan @timtrace
                last edited by Gertjan Nov 4, 2020, 9:20 AM Nov 4, 2020, 8:14 AM

                @timtrace said in iOS 14 and blocking those pesky "private addresses":

                when they turn "private address" back on I'll have to start chasing my tail again.

                Your tail ?
                They were cutting in their own tail. They break things with their actions, what's against saying : they should undo their own actions ?

                Just an example : you bought a car that runs on petrol.
                You fill it up with gasoline for what ever reason.
                I guarantee you that the garage where you bought your car won't get upset. They might even smile. Because they are applying the golden rule : "You fckd up => you pay".

                As you said : enforce DHCP leases with upfront known MAC addresses :

                Activate :
                login-to-view

                initially, this option will needs you to enter each known MAC of each device ( !! ). It will deal with the ever changing MAC addresses.
                Then, there will be no more "they turn it on" because they wouldn't be able to connect any more.

                The very basics of a captive portal is :
                "Enable Internet access to a group of unknown devices/people."
                These people would need to have some authentication credentials, like a user ID and a password. That's it.
                IP .... MAC .... why should / would you care ? You gave them access credentials, people with unknown devices. They can even share devices, use multiple devices or even share the connection among them.

                Another example :
                Banks hands out credit cards. An PIN codes.
                Believe me : a bank doesn't care who - the person - is using the credit card and PIN code. When transactions show up using the card and the code, the bank takes the money from your account. Again : the person who initiated this transaction is unknown. Typically : it should be you. If it wasn't you, it's still you that initiated the fact that some one else initiated the transaction. So it's you.
                You got my point : the real card 'owner' will cooperate with the rules (which he agreed upon, otherwise he wouldn't even have that card).
                So all ends happily.

                Important is : keep it simple for both sides ;)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • J
                  JKnott @timtrace
                  last edited by Nov 4, 2020, 11:40 AM

                  @timtrace said in iOS 14 and blocking those pesky "private addresses":

                  I'm thinking about using a floating rule to allow outbound traffic only from a list of known MACs.

                  Pfsense doesn't filter on MAC addresses. You have to use IP addresses.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  1 Reply Last reply Reply Quote 0
                  • J
                    JKnott @bmeeks
                    last edited by Nov 4, 2020, 11:41 AM

                    @bmeeks said in iOS 14 and blocking those pesky "private addresses":

                    How are you going to filter by MAC address? pfSense (and most firewalls) do not support that kind of filtering

                    Linux based firewalls running IPTables do.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    1 out of 9
                    • First post
                      1/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.