Hiding MAC Address / Devices From Network

Status: Not open for further replies.

Fahim (2[H]4U, joined May 22, 2001, 3,695 messages)
Let's say I have a friend at a university and he has multiple devices he wants to connect to a network port via a hub / router.

But let's say this university limits you to 1 MAC address - if there is more than 1 MAC address - let's say all the devices connected to said router or hub get blacklisted and cannot get back onto the network without a bit of begging.

Is it possible to make them think that 5 or 6 devices could only be 1 device?

Let's say this friend has this router: http://www.asus.com/Networking/RTN16/
 
What's the exact wording of the requirements from the university? Most don't care if you have a router, but some get their panties in a bunch and really only want 1 device on the connection. Networking 101: MAC addresses don't last past the subnet boundary. Meaning a router will replace a mac address prior to forwarding the packet on.

If the university is one of the panty brigade, then you (and, possibly, your friend) won't have much of a choice but to get an outside connection.*

* - Not entirely true, but I'm the network administrator that has to clean up after messes people like you make by "being clever", so you aren't going to get any help from me on how to circumvent someone else's network requirements.
 
This is possible however your friend would have to NAT his connection. NAT and all the devices behind it are seen as 1 MAC due to the translating. The router you listed is sufficient to accomplish this.
 
> What's the exact wording of the requirements from the university? Most don't care if you have a router, but some get their panties in a bunch and really only want 1 device on the connection. Networking 101: MAC addresses don't last past the subnet boundary. Meaning a router will replace a mac address prior to forwarding the packet on.
>
> If the university is one of the panty brigade, then you (and, possibly, your friend) won't have much of a choice but to get an outside connection.*
>
> * - Not entirely true, but I'm the network administrator that has to clean up after messes people like you make by "being clever", so you aren't going to get any help from me on how to circumvent someone else's network requirements.


Haha fair enough. It was smooth sailing for him for more than a year. University doesn't allow routers or switches of any kind, or multiple devices through one router. I have no idea why. They don't have a limit on IP addresses with their provider or a limit on MAC addresses - they just don't want routers serving out their own IP addresses using the university's network. Same goes for a switch, they don't want to serve multiple MACs through one port.

They are monitoring the MAC addresses pretty closely now and if they see a ton of MAC addresses they shut down that port.

I think you're right, my friend would have to go with a private provider.


> This is possible however your friend would have to NAT his connection. NAT and all the devices behind it are seen as 1 MAC due to the translating. The router you listed is sufficient to accomplish this.

Does the NAT theory hold any water? If one sets up a NAT - would the provider ever see more MAC addresses than the router?

They can of course tell when a router is connected - is it possible to change the identity of the router - instead of it coming up as Asus Router - could it be recognized as laptop1?
 
> Haha fair enough. It was smooth sailing for him for more than a year. University doesn't allow routers or switches of any kind, or multiple devices through one router. I have no idea why. They don't have a limit on IP addresses with their provider or a limit on MAC addresses - they just don't want routers serving out their own IP addresses using the university's network. Same goes for a switch, they don't want to serve multiple MACs through one port.
>
> They are monitoring the MAC addresses pretty closely now and if they see a ton of MAC addresses they shut down that port.
>
> I think you're right, my friend would have to go with a private provider.
>
> Does the NAT theory hold any water? If one sets up a NAT - would the provider ever see more MAC addresses than the router?
>
> They can of course tell when a router is connected - is it possible to change the identity of the router - instead of it coming up as Asus Router - could it be recognized as laptop1?

A router running NAT or a PC would look the same from the viewpoint of the university network.
 
Not necessarily. NAT routers will typically decrease the IP TTL value so it's still possible to reasonably detect NAT.
 
> University doesn't allow routers or switches of any kind, or multiple devices through one router.

And according to the rules, you are done. But it is interesting that it sounds like they only provide 1 port and allow 1 device on that port...
 
> Not necessarily. NAT routers will typically decrease the IP TTL value so it's still possible to reasonably detect NAT.

True, if they are really that anal and sniffing traffic at layer 3.

Not sure why they're so anal about other routers. Perhaps they are concerned about rogue DHCP server but DHCP Snooping would easily handle that as well as port security for MAC address violations.
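The two detection ideas the replies above mention, port security that limits each switch port to one MAC address and spotting a NAT router through decremented IP TTL values, written out as an added example (not code from the thread or from any vendor). The packet records are constructed sample data, and the helper names (`port_security_violations`, `nat_suspects`, `classify_ttl`) are this example's own.

```python
"""
Port-security and NAT-heuristic checks over captured packet metadata.

Added example, not from the thread. Each record is (switch port, source MAC,
source IP, IP TTL) as an access switch or a SPAN-port sniffer might log it.
Field and function names are this example's own assumptions.
"""
from collections import defaultdict

# Initial TTL values most host operating systems use (Linux/macOS 64,
# Windows 128, many appliances 255). A host plugged straight into the access
# switch is zero hops away, so its packets arrive with one of these exact
# values; a packet that crossed a NAT router arrives one lower.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample records.
#   Gi1/0/1: a single laptop, behaving normally.
#   Gi1/0/2: a hub with three devices -> several MACs on one port.
#   Gi1/0/3: one MAC, but TTLs of 63 and 127 -> a NAT router with a Linux
#            box and a Windows box behind it.
SAMPLE_RECORDS = [
    ("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.5.11", 128),
    ("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.5.11", 128),
    ("Gi1/0/2", "aa:bb:cc:00:00:02", "10.0.5.12", 64),
    ("Gi1/0/2", "aa:bb:cc:00:00:03", "10.0.5.13", 128),
    ("Gi1/0/2", "aa:bb:cc:00:00:04", "10.0.5.14", 64),
    ("Gi1/0/3", "aa:bb:cc:00:00:05", "10.0.5.15", 63),
    ("Gi1/0/3", "aa:bb:cc:00:00:05", "10.0.5.15", 127),
    ("Gi1/0/3", "aa:bb:cc:00:00:05", "10.0.5.15", 63),
]


def macs_per_port(records):
    """Map each switch port to the set of source MACs seen on it."""
    seen = defaultdict(set)
    for port, mac, _ip, _ttl in records:
        seen[port].add(mac)
    return seen


def port_security_violations(records, max_macs=1):
    """Ports carrying more distinct MACs than the port-security limit allows.
    This is what a switch's port-security feature enforces in hardware; here
    it is evaluated after the fact over logged traffic."""
    return sorted(port for port, macs in macs_per_port(records).items()
                  if len(macs) > max_macs)


def classify_ttl(ttl):
    """'direct' if the TTL is an untouched initial value, 'routed' if it is
    exactly one below an initial value (one router hop), else 'unknown'."""
    if ttl in INITIAL_TTLS:
        return "direct"
    if ttl + 1 in INITIAL_TTLS:
        return "routed"
    return "unknown"


def nat_suspects(records):
    """MACs whose traffic looks NATed: some packet arrives one hop below an
    initial TTL, or more than one OS TTL family shows up behind the same MAC
    (two operating systems sharing one address).
    Returns {mac: sorted list of observed TTLs}."""
    ttls = defaultdict(set)
    for _port, mac, _ip, ttl in records:
        ttls[mac].add(ttl)
    suspects = {}
    for mac, values in ttls.items():
        routed = any(classify_ttl(t) == "routed" for t in values)
        # Normalise each TTL back to its presumed initial value to count families.
        families = {t + 1 if classify_ttl(t) == "routed" else t for t in values}
        if routed or len(families) > 1:
            suspects[mac] = sorted(values)
    return suspects


if __name__ == "__main__":
    print("port-security violations:", port_security_violations(SAMPLE_RECORDS))
    print("NAT suspects:", nat_suspects(SAMPLE_RECORDS))
```

Both checks are heuristics, which is the point the thread is circling. Port counting flags a hub but also a laptop running bridged virtual machines, and the TTL test only works when the admin is looking at layer 3 and the router has not rewritten the TTL, exactly the caveats raised above. In practice the switch-side controls the reply names (port security with a MAC limit, DHCP snooping to block rogue DHCP servers) are the enforcement mechanism; the logic here is the after-the-fact check an operator would run over captured data to see where they are needed.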
 
> If the university is one of the panty brigade, then you (and, possibly, your friend) won't have much of a choice but to get an outside connection.*
>
> * - Not entirely true, but I'm the network administrator that has to clean up after messes people like you make by "being clever", so you aren't going to get any help from me on how to circumvent someone else's network requirements.

His university's policy is retarded and they deserve any network downtime that happens as a result of users trying to network multiple devices. If your policies are too restrictive then users will simply go around IT. No amount of lockdown will prevent users from getting the content they want.

IT needs to learn to work with users to steer them into the direction IT wants them to go, rather than trying to force them with policy.

EDIT: nevermind, was going to help but don't feel like another infraction for violating rules.
 
I'm not seeing how adding a second router there makes any difference vs just using a single one. It just adds another hop and (most likely) another NAT point.
 
> I'm not seeing how adding a second router there makes any difference vs just using a single one. It just adds another hop and (most likely) another NAT point.

> His university's policy is retarded and they deserve any network downtime that happens as a result of users trying to network multiple devices. If your policies are too restrictive then users will simply go around IT. No amount of lockdown will prevent users from getting the content they want.
>
> IT needs to learn to work with users to steer them into the direction IT wants them to go, rather than trying to force them with policy.
While I agree, that's a policy decision that happens at the management level, not through "jury nullification", as it were.

I've gone the rounds with a number of puffed up managers advocating for user rights, and will likely do so again. Doesn't change the fact that rules are rules, and I get annoyed when I bend over backwards for users (as best I can given the environment), and the shits go and make MORE work for me.

Speaking of which: OP, there is a great way to "hack the system", and telling you won't violate the rules here at all and is usually 100% effective. Find out who IT is, buy them a beer. Or a 6 pack. They likely think the rules are about as stupid as you do (well, and cry0n_k0r and myself, honestly), and a little kindness goes a long way.
 
So really my only option here is to find a private provider... and let these guys keep doing their jobs.
 
Use an OpenBSD router, fake the external MAC address to be from some laptop/PC vendor and have it increase the TTL to some minimum value.

In a networking context, trying to limit access to a single device is completely retarded since there _is_ only a single device: your router.

It's one of those rules where intent and actual effect are different. If your router behaves and doesn't cause them any trouble, there's no point in enforcing that rule.
 
> His university's policy is retarded and they deserve any network downtime that happens as a result of users trying to network multiple devices. If your policies are too restrictive then users will simply go around IT. No amount of lockdown will prevent users from getting the content they want.
>
> IT needs to learn to work with users to steer them into the direction IT wants them to go, rather than trying to force them with policy.
>
> EDIT: nevermind, was going to help but don't feel like another infraction for violating rules.
I think you need to pump the brakes a little bit. Without all of the details as to 'why' the policy is even in place, your comment is more ignorance than a noble attempt at protecting student rights.

There are plenty of reasons behind why a policy such as this might exist. For that reason I would withhold judgement before making such a comment as yours.
 
> I think you need to pump the brakes a little bit. Without all of the details as to 'why' the policy is even in place, your comment is more ignorance than a noble attempt at protecting student rights.
>
> There are plenty of reasons behind why a policy such as this might exist. For that reason I would withhold judgement before making such a comment as yours.
The policy is most likely in place because
1) the university does not have enough switchport capacity for more than 1 device in each dorm. This is most likely due to old switches or old wiring and the refusal of administration to upgrade.
2) the university does not have enough (or any) wireless access points in the dorms to support coverage of several hundred devices.

I'm sure there are plenty of reasons "why", and I could care less why. Users want their content, and they will circumvent any policies that get in their way whether you like it or not. This post is a prime example. Especially the younger generation that doesn't put up with limitations on content and devices (i.e., college kids).
Giving users access to content in a safe and structured manner is always better than locking them out of it. If you'd like more examples, look at the rise of Netflix and iTunes in the wake of the RIAA's and MPAA's inability to provide content in a reasonable way to their userbase.

Disclosure: I have worked for a decade in the educational field for both K-12 and public universities doing network and systems engineering.
 
Before trying to circumvent rules, it is prudent to consider the consequences of getting caught. I assume in this case that would be losing network access completely, or worse, getting kicked out of the dorms. Is this something you(r friend) can live with?
 
> Use an OpenBSD router, fake the external MAC address to be from some laptop/PC vendor and have it increase the TTL to some minimum value.
>
> In a networking context, trying to limit access to a single device is completely retarded since there _is_ only a single device: your router.
>
> It's one of those rules where intent and actual effect are different. If your router behaves and doesn't cause them any trouble, there's no point in enforcing that rule.

Dual port networking card and possibly a wireless card with ClearOS should do what you want.

Also, back in the day when the cable companies tried to make you pay to be able to hook up more than one computer, we just used a router and cloned the MAC address of the PC that was allowed.

The cable companies dropped that stupid policy pretty quick.
 
> The policy is most likely in place because
> 1) the university does not have enough switchport capacity for more than 1 device in each dorm. This is most likely due to old switches or old wiring and the refusal of administration to upgrade.
> 2) the university does not have enough (or any) wireless access points in the dorms to support coverage of several hundred devices.
>
> I'm sure there are plenty of reasons "why", and I could care less why. Users want their content, and they will circumvent any policies that get in their way whether you like it or not. This post is a prime example. Especially the younger generation that doesn't put up with limitations on content and devices (i.e., college kids).
> Giving users access to content in a safe and structured manner is always better than locking them out of it. If you'd like more examples, look at the rise of Netflix and iTunes in the wake of the RIAA's and MPAA's inability to provide content in a reasonable way to their userbase.
>
> Disclosure: I have worked for a decade in the educational field for both K-12 and public universities doing network and systems engineering.

If it's important to someone to have multi-device access to a network port, it's a question that should be asked before the student enrolls at the school. Always ask questions beforehand. If you don't like policy, you can always go some place else that doesn't have the same or similar policy.

That being said, I would still think you have options vs. violating policy and risking your education. You can certainly speak to your administrator or organize a movement to change the policy. Something students seem to be great at doing, even when the effort is futile.

Where I take exception is when someone just wishes downtime on an IT group who clearly are doing things under the direction of others. Such a statement is quite frankly in poor form. For someone who claims such lengthy experience, I would have expected more.

:shrug:
 
> If it's important to someone to have multi-device access to a network port, it's a question that should be asked before the student enrolls at the school. Always ask questions beforehand. If you don't like policy, you can always go some place else that doesn't have the same or similar policy.
>
> That being said, I would still think you have options vs. violating policy and risking your education. You can certainly speak to your administrator or organize a movement to change the policy. Something students seem to be great at doing, even when the effort is futile.
>
> Where I take exception is when someone just wishes downtime on an IT group who clearly are doing things under the direction of others. Such a statement is quite frankly in poor form. For someone who claims such lengthy experience, I would have expected more.
>
> :shrug:
:rolleyes: < that's all I have to say.
 
> They can of course tell when a router is connected - is it possible to change the identity of the router - instead of it coming up as Asus Router - could it be recognized as laptop1?
Most routers let you change the mac address on the WAN side so you could change it to have the same mac address as your laptop.

In theory they could spot it by packet TTLs but I doubt many of them are bothering to check that.

Afaict the real reasons IT in places like uni halls don't like home routers are

1: idiots plug them in "the wrong way round" and break the network.
2: many of them include wireless opening up new avenues for network abuse.
 
This is still part of the FAQ here.

Q. How do I bypass/circumvent my school, work, or service provider's firewall/proxy/security?

You don't! Those types of devices are in place for a reason and if you choose to attempt to go around them you merely open yourself up to being expelled/fired.

Keep in mind that (a.) many people who frequent this forum are network administrators whose job it is to monitor and maintain the networks you guys use, and (b.) it opens the forum owners up to legal action should something illegal happen with help from this forum.

Should you have a truly legitimate reason for raw access to the web you must ask your network administrators for permission. Period.
 