How to bypass restrictive mac address filtering on home network (not malicious)

Question

Background

A short sketch of my situation before I formulate my question: I am on a large home network, which is privately administered by a couple of admins. The network consists of a lan and a wireless lan, and controls access centrally by filtering mac addresses (and denying/allowing based on whether they allow that specific mac address).

I have two computers that I have registered and use (and pay for monthly) on this network, one wireless connection (laptop) and one cable connection (desktop). So I have two mac addresses that are allowed on the network, and are allowed access to the internet through the network.

The problem

The problem is that the wireless access is very unreliable, and is unusable for me. The admins of the network don't have a lot of time and are a little lax, so they won't help me with my wireless access problems, even after repeated complaints. They basically told me to fix it myself. Which leaves me with a connection that I'm paying for, but unable to use. I don't have control over the main routers, so I am kind of cut off from the internet on my laptop because of this, which is very frustrating.

My (partial) solution

Fortunately, the mac address filtering is rather simple. The wireless mac address that I've registered does not allow me to access the cable lan part of the network. So I have only one valid mac address (from the desktop) that is allowed on the cable lan part of the network.

What I have done is patch a small router (E-Tech RTVP03) to the main network, change it's mac address to the allowed (desktop) mac address, and patch my computer and laptop to the router. This sort of works (internet access works), but there are some problems that I wasn't able to fix:

The mac address of my router and desktop computer network card is now the same, which causes a lot of conflicts. I have tried to change the mac address of my network card, but that didn't help (or maybe the changing of the mac address didn't work, I'm not sure).
Because the router is between my computers and the rest of the network, I can no longer discover any other computers on the network. Which is a shame, because we share a lot of files on it. Could I change the settings so this becomes a possibility again?

My question

So basically, what I want the router to do, is be as transparent as possible, and only change the mac address information that is passed to the main network (to bypass the mac filtering), and to allow me to share one connection over two computers.

I still want to be able to share files with the main network, and all I want to do is to be able to connect both my computers to the cable network, and have full internet (and network) access with them (because after all, I'm paying for it).

Can anyone come up with a good solution for this?

How is this not malicious? You are trying to bypass a policy. — Lucas Kauffman, May 09 '12 at 08:55
@LucasKauffman Because I am paying for access, but not getting it. They won't help me with it, so I am only trying to get access to a network that I am paying for anyway.. — , May 09 '12 at 08:58
@LucasKauffman, I would love to just be able to connect wirelessly with my laptop (if that were possible), believe me. It would save me a lot of time and trouble, and I wouldn't have to come up with this "solution", to a problem that shouldn't even exist in the first place. — , May 09 '12 at 09:00
It's still bypassing the policy they have set, "paying" for something doesn't grant you the right to do just anything on their network. I will provide an answer and leave it up to the admins to decide if this is off or on topic. — Lucas Kauffman, May 09 '12 at 09:01
@LucasKauffman, so yes, I am trying to bypass a policy, but not with any evil intentions (I am after all paying for access and not getting it), and not because I am going to do something evil (all I want is normal internet access). — , May 09 '12 at 09:02
You're intentions do not matter. Deliberately bypassing a policy is still malicious. No matter what your goal is. — Lucas Kauffman, May 09 '12 at 09:03
@LucasKauffman, Well maybe our definitions of malicious are different. In my opinion if I am doing something morally justifiable, on a network that isn't operated by morally justifiable standards, then bypassing a policy isn't malicious. It might be to the admin, but in my eyes, he is the malicious party. By your definition using TOR in Iran would be malicious, I disagree with that. I've been trying to fix this for the last year now, trying to adhere to the network policy as good as I can. After a full year of problems (and paying for nothing), I think this is justifiable. — , May 09 '12 at 09:09
Moral standards do not matter. Legal standards do, avoiding or trying to avoid a networking policy can be considered illegal. Is using TOR malicious in Iran? Yes it is, because it's considered ILLEGAL there. — Lucas Kauffman, May 09 '12 at 09:16
@LucasKauffman, that's true. It is illegal according to the rules of the network. However, I am not only governed by those rules, but also by my own moral standards. And according to those standards (which say that when I pay for a service, I have a right to receive that service, and some help in troubleshooting when it goes wrong), it is ok for me to do this, because I have tried to solve the problem according to the rules of the network (and they wouldn't cooperate, but they will take my money). Try to see this from both perspectives (and moral standards *do* matter to me). — , May 09 '12 at 09:23
If I were in your shoes I would get another ISP and simply not pay them. — Lucas Kauffman, May 09 '12 at 09:25
I would in a heartbeat, but that's the problem: I can't get another ISP because the admins of the building control the main internet access point. — , May 09 '12 at 09:27
Wouldn't it be easier to simply register a new mac address, which is a router that supplies you with your own private access point, and deregister your desktop and connect your desktop to said acess point. — Ramhound, May 09 '12 at 12:06
@LucasKauffman Please stop your crusade. This is not [sf]. Bypassing a policy is not inherently malicious or forbidden here. On the other hand, I don't think the question is on-topic here: this is a functional issue, not a security issue. Samuel, what operating system are you running on your computers? What operating system does this router run? If it's Linux, this question can be migrated to [unix.se]. Otherwise, I think [su] would accept it. — Gilles 'SO- stop being evil', May 09 '12 at 17:22
@Ramhound, bit of a late reply on my part, but that is basically what I did. That way I didn't have to get a new network card for my desktop and I could apply Lucas Kauffmans solution. — , Sep 02 '13 at 08:15

Lucas Kauffman · Accepted Answer · 2012-05-09T09:20:57.373

All though I think this is not the correct way to solve your problem:

What I would do is get another networking card for your desktop and a router that is also wifi capable.

Get a box that's DD-wrt/open-wrt capable and change the MAC address to the one of your desktop or just get them to insert the MAC address of your router. After that you can just use your own router as WIFI AP and physical internet AP. No you won't be able to discover other devices.

I'm not sure how the auto discovery function works, but I think it will scan devices in the same subnet. Since you are behind another router this will not be case. What you can try is to directly connect to the ip of the fileserver.

score 2 · Answer 2 · answered May 09 '12 at 10:59

2

This is might be a bit of a hacky solution, but couldn't you use your desktop machine as a gateway, sharing access over WiFi using NAT? You could accomplish this using iptables in linux.

This would mean you get access to the "shared stuff" on your "ISPs" local network on your desktop (but not behind the NAT), while still being able to connect to the network using wifi (due to the NAT you've set up on the desktop machine).

It's hacky, but I think it would work. You would have to keep your desktop running when accessing the wifi however..

answered May 09 '12 at 10:59

Jonatan

131
3

So the NAT would require the laptop to connect to the desktop via wifi? Because I don't have wifi on my desktop, and that would mean I would have to buy a wifi router right? Could this maybe also be done with the existing cable router I already have? – May 09 '12 at 11:05
By the way, the desktop having to be on is not a problem, as I will only need the extra connection when the desktop is already occupied. – May 09 '12 at 11:09
This would in essence "turn your desktop in to a router". So the reason you can browse the shared stuff on the network is because that browsing is done "on the router". The router will drop the traffic relating to the file sharing normally, and it will not be allowed to pass through to the network behind it. EDIT: You would need to buy a new network card, with wireless capabilities. – Jonatan May 09 '12 at 11:10

score 1 · Answer 3 · answered Oct 03 '14 at 13:43

You are unable to see the rest of the network now because you have connected a router between and you are now basically on a 'separate' network --- check the IP addresses --- if they are not all in the same CLASS then you are on different networks and cannot see everything, although, technically everything is connected together. Secondly, a mac address is an unique equipment identifier and cannot be changed.. only an IP address can be changed. I don't believe that without the admins help you will actually be able to do what you want successfully. It could be that there is too much interference in the room from where you are... or if perhaps you are too far from the router---what kind of walls are between...etc.. I would weigh the pros and cons and then either deal with it the way it is; tell them you don't want the wireless anymore and use only the lan connection (better to not pay for something you can't get) or do away with their services and get your own. Good luck!

MACs can be changed in software. Your explanation is aimed at a basic audience, but you assume the reader knows what an IP Class is. — schroeder, Oct 03 '14 at 14:15

score 0 · Answer 4 · answered Jan 02 '16 at 04:04

to avoid MAC conflicts, you better change your Desktop MAC to something else, just change the last 2 hex digits, try to swap them =) Simple, but works
use Raspberry Pi 2 or Cubieboard 3 or 4 based router. Yes, it's not so cheap, but it will allow you to run a fully featured Linux OS, not a DD-wrt or OpenWRT, which are good BUT LIMITED ones, because they've been tuned for small routing boxes.
For Wi-Fi hotspot use a USB hub with external power AND detachable antenna. Take a look at TENDA or TP-Link devices. I'm using (TP-LINK TL-WN722N)[http://www.tp-linkru.com/products/details/cat-11_TL-WN722N.html] myself for AP with hostapd, works out of the box with Raspberry Pi 2.

score 0 · Answer 5 · answered Dec 17 '12 at 21:53

This is quite a while after, but hopefully other people might read this and be helped.But anyways, after my (mis)adventures with WiFi in a college dorm room, I found often times routers have an "Use Only as Access Point" function built-in to them. You must have a separate router, unplugged from the LAN/ISP to start. On your computer, find the subnet mask. (Usually 255.255.x.x) Second, you plug your computer into the router and change the settings for your WiFi (name, password, etc), once they are set it is a pain to re-set them. Third, find the option to clone your computer's MAC address. (You might have to search the help for the router to do this.) (Oh and the reason this works is because it's the outbound/facing MAC address for the router. Your computer sees something else.) Set your router's subnet mask to the mask your found earlier. Then, find the "Use as Access Point" feature and enable it. Plug in your router to the wired internet connection. Connect via WiFi to the router. Your computer should now be connected as if the router weren't even there. Sometimes the other computers still aren't visible. Dunno why :/ But good luck!

--I make no guarantees or warranties about the information above. Change settings at your own risk. Your best bet is to find a nerd friend where applicable.

score 0 · Answer 6 · edited Apr 13 '17 at 12:37

You could possibly achieve what you want with what you have..

If you change your computers LAN MAC:

Windows: https://superuser.com/a/350589
Linux: https://unix.stackexchange.com/a/139870/83643

Have your router setup, as you have it, using your PCs MAC address on the WAN Port. And additionally configure port forwarding on the router (if the router is capable of port forwarding), for network shares//network discovery..

score -4 · Answer 7 · edited Nov 02 '14 at 19:18

-4

Oh you all mess up with this simple solution. Let me teach you:

First of all, you have to remember that the Internet connection can only take place through the IP address. Besides, even though both computers have the same MAC address it doesn't matter, so all you have to do is to manually change the IP address of one of the computer and it will really solve the problem.

edited Nov 02 '14 at 19:18

schroeder

123,438
55
284
319

answered Nov 02 '14 at 00:59

Asante Syllas

1

4

I'm afraid that you have either not understood the problem (MAC filtering access to LAN), or do not understand Layer 2/3 interactivity. – schroeder Nov 02 '14 at 19:16

How to bypass restrictive mac address filtering on home network (not malicious)

7 Answers7