MAC spoofing for safety

If I have a fixed external IP, I think it is possible to detect the router manufacturer from the WAN by MAC address and infer possible methods of attack (known security vulnerabilities). If this is the case, is it advisable to change the MAC address on the router to increase security?

Edit: prevent the use of a known security vulnerability of a particular manufacturer’s router.

to find out the router manufacturer from WAN according to the MAC address

only from the same IP subnet.

is it advisable and necessary to change the MAC address on the router?

I'd consider that a security-through-obscurity measure.


I don't understand your answer very well. If I scan the neighboring WiFi networks in the vicinity, I can also see the router manufacturer.

The MAC address must be detectable even from outside, on the internet provider's network; some providers bind access or IP address allocation to the MAC address of the router.

Your answer to my question is: yes, no … or is it one of those things where it doesn't matter?

The MAC address is only visible on the directly connected networks. After the first router, only the IP is visible.

Are you trying to change the router's MAC address so your ISP can bind the IP to you?


Is it advisable to change the router MAC address to improve the security of the router on the local internet provider's network, and thus prevent theoretically possible misuse of a known security vulnerability?

Your answer to my question is: yes, no … or is it one of those things where it doesn't matter?

Because you share the L2 network, where packets are addressed by physical address.

They'll be visible in exactly the same L2 segment, which often (almost always) means your WAN subnet. So if someone (e.g. your neighbor) is in the same network, he can see your MAC. Globally, outside of your ISP network, the MAC is not visible.

The concept of STO is well known and described and the final decision is up to you and your needs.

If you're asking what I do with my devices that are present on the Internet, then the answer is no, I do not change MAC addresses, as I do not see any real security benefit.


I don't know the abbreviation "STO".

I know that for a Turris router a "known weakness" can apply only marginally … but we can't rule it out.

I use Turris as router and firewall, so I don't expose any Turris service to the outside world, effectively limiting the attack surface. Publicly accessible services are on other devices, which are properly updated, configured and firewalled. EDIT: so there is no way for an attacker to correlate the network card vendor with possibly known service vulnerabilities.


I think you need to distinguish LCI *) from IPv6.

In IPv6 the problem is less interesting; it is addressed.
In IPv6 you are well advised to set ip6-privacy to the value 2 so as NOT to reveal information that can lead back to calculating your MAC.

ipv6.ip6-privacy: 2 (enabled, prefer temporary IP)

Quick check of what you really do reveal:

Details about the settings:

There is a set of tools available; for CLI use I prefer nmcli.
Examples to identify and set the status:

nmcli con show
con=ethernetvenus00   # assume our connection is named ethernetvenus00 here
sudo nmcli connection modify "$con" ipv6.ip6-privacy 2
sudo nmcli connection modify "$con" ipv6.addr-gen-mode eui64
sudo nmcli connection modify "$con" ethernet.cloned-mac-address permanent
# alternative for WLAN:
sudo nmcli connection modify "$con" wifi.cloned-mac-address permanent

Prettier to look at here:

*) Last Century Internet = IPv4
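The point made above (an IPv6 address built from a modified EUI-64 interface identifier embeds the MAC, which is why ip6-privacy 2 is recommended), as an added Python example that is not part of this thread: it derives the EUI-64 address a MAC would get under SLAAC, shows how a MAC is read back out of such an address, and flags a locally administered MAC (the kind a cloned-mac-address setting yields) as one an OUI lookup cannot attribute to a vendor. The prefix (the 2001:db8::/64 documentation prefix) and the MAC addresses are constructed.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC, insert ff:fe in the middle, and flip the universal/local bit.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """SLAAC address an interface takes with addr-gen-mode eui64 and no privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_ipv6(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a modified EUI-64 address; None if the IID is not EUI-64.

    The ff:fe marker is a heuristic: temporary (RFC 4941) and stable-privacy IIDs are
    pseudo-random and only match it by chance.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set: the MAC was not assigned by a vendor, so an OUI lookup says nothing."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


if __name__ == "__main__":
    # Constructed sample: a vendor-assigned MAC on the documentation prefix.
    mac = "00:1a:2b:3c:4d:5e"
    addr = eui64_address("2001:db8::/64", mac)
    print(addr, "->", mac_from_ipv6(addr))  # the MAC is readable from the address
    print("temporary address:", mac_from_ipv6("2001:db8::a1b2:c3d4:e5f6:789a"))
    print("cloned MAC hides vendor:", is_locally_administered("02:1a:2b:3c:4d:5e"))
```

Run mac_from_ipv6 over the global addresses in `ip -6 addr` output: any address from which it recovers your MAC is one the ip6-privacy setting above replaces with a temporary one.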

This solution is not suitable for me because my internet connection does not yet support IPv6. A clear question, but there is no clear answer.

I think it doesn't matter; most attacks from the internet are broad and check all vulnerabilities no matter what your IP or MAC address is.

Hey JardaB

It wouldn't hurt to do this. If there is a zero-day available against your device, this could potentially thwart a bot running an OUI lookup from grandma's Windows Vista desktop that she uses for her coupons in the next neighborhood over.

The only folks who will be able to see the MAC address on your public-facing router are your ISP and possibly some of the customers in your same geographic area, in the event that they are on the same public IP subnet and are able to dump the ARP table on the WAN side of their router. Generalized botnets are going to care a lot more about open ports and passwords left at their defaults than about MAC addresses (which they most likely won't even be able to see).

To summarize, this couldn't hurt.

Hope this helps.
