Safe Access With Safe Access, can you set it up to block new devices from being added, until you decide to allow it?
- Thread starter garya505
- Start date
- Latest activity Latest activity:
- Replies 13
- Views 3,000
Currently reading
Safe Access With Safe Access, can you set it up to block new devices from being added, until you decide to allow it?
No. SA will work with devices that were already detected and behave depending on the actual profile.
You could use Network Center to again pick up any device that the router can "see" and use a single "banned" button to block all traffic until you are ready to configure it and allow the traffic.
Example?
Do you mean connect their device directly to a VPN provider while using the router to get to the internet? In that case, no. SA and Network center work based on MAC address, so the traffic layer will have no weight here. If the SA profile is configured to not allow Internet access at a specific time or towards a destination, SA will again monitor the MAC address
In Safe Access devices use the default profile for their VLAN unless their MAC address is assigned to another profile. So you could make the default profiles to be very restrictive. You would then assign devices to a different profile once you are happy with it.
You could block outbound VPN from the LANs. You should also consider enabling the setting to block access to DNS-over-HTTPS services. Then also use the firewall to block DNS requests from most LAN devices: they can use the router as their DNS server IP.
You could block outbound VPN from the LANs. You should also consider enabling the setting to block access to DNS-over-HTTPS services. Then also use the firewall to block DNS requests from most LAN devices: they can use the router as their DNS server IP.
Yes they have phones, but I can deal with that separately.
-- post merged: --
So when a new MAC is seen it automatically gets assigned to the default profile? If so, making the default profile really super restrictive would work.
Hi,
Wanted to draw your attention to the MAC randomization that is used by most devices now. If you’re going to work on MAC addresses, your best bet is to disable randomization, allow the stated MAC address and block everything else, or what @fredbert said as I don’t know how it’s done on Synology routers.
Note that MAC randomization on iOS devices (and macOS I think) is per Wi-Fi network. So if you disable it for your home network it doesn’t mean that it disabled for every other Wi-Fi network, which is good.
I still don’t know how to turn it off on macOS (if it’s at all possible).
Wanted to draw your attention to the MAC randomization that is used by most devices now. If you’re going to work on MAC addresses, your best bet is to disable randomization, allow the stated MAC address and block everything else, or what @fredbert said as I don’t know how it’s done on Synology routers.
Note that MAC randomization on iOS devices (and macOS I think) is per Wi-Fi network. So if you disable it for your home network it doesn’t mean that it disabled for every other Wi-Fi network, which is good.
I still don’t know how to turn it off on macOS (if it’s at all possible).
A good point on the MAC address hiding features. It's a pain when running an internal DNS server too.
In my experience of this on iOS, and recently Mac, the feature can be enabled as default so new connections have it but then you can disable MAC hiding on a per connection basis. So my iPhone has it disabled on the home WiFi SSID, as does my Mac and on the wired Ethernet. When this was first added to iOS I'm sure that disabling and reenabling MAC hiding on my home WiFi kept the same hidden MAC address. So this can be added to the Safe Access profiles.
And when Internet isn't working it's amazing how soon you get told!
In my experience of this on iOS, and recently Mac, the feature can be enabled as default so new connections have it but then you can disable MAC hiding on a per connection basis. So my iPhone has it disabled on the home WiFi SSID, as does my Mac and on the wired Ethernet. When this was first added to iOS I'm sure that disabling and reenabling MAC hiding on my home WiFi kept the same hidden MAC address. So this can be added to the Safe Access profiles.
And when Internet isn't working it's amazing how soon you get told!
Here... (macO Ventura)
I would be more likely to switch over to a Synology router if they made this easier. Should be "one click" and done.
On my Gryphon at home, I just set it to disallow a new MAC address until I approve it. It gets blocked and I can see the attempt to connect and approve it if I want. This is the "whitelist" concept.
At work, for security reasons our Wifi won't allow a device on until it's whitelisted. I'm not sure what WiFi router they are running, but I'll find out.
On my Gryphon at home, I just set it to disallow a new MAC address until I approve it. It gets blocked and I can see the attempt to connect and approve it if I want. This is the "whitelist" concept.
At work, for security reasons our Wifi won't allow a device on until it's whitelisted. I'm not sure what WiFi router they are running, but I'll find out.
I should have explained. I'm thinking of replacing my Gryphon with a Synology router. One of the options is to block new devices until/unless I approve it. When I see a device listed in the "Blocked Devices" list, I can simplky assign it to a user to allow it and manage it. If one of my kid's computers tries to use a random MAC address, it gets blocked.
MAC Filter | SRM - Synology Knowledge Center
Synology Knowledge Center provides you with answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.
kb.synology.com
MAC filters can be setup in WiFi Control. The Web access control is in Safe Access.
Check Firewalla. It’s called “Quarantine” there. If you enable it (a toggle switch), new devices are entered into a quarantine group and you get notified.
I have a running ticket with Synology support and I have been troubleshooting this issue where a device, ie. phone, iPad, iPod, can join the Wi-Fi and you get an notification "I know this device or Block" but if you choose to Block it only blocks that MAC address. Someone could easily rejoin using PA enabled and get a new MAC address and get online. I have been going in circles with Support on this topic.
The other issue that correlates is device name recognition. SRM is poor with recognizing the name of a device. Another words, if I have a phone called "Test" and join it to my Wi-Fi, I will get a notification that Apple, Inc wants to join the Wi-Fi. If I have a Chromebook, SRM will called it Intel Corporation instead of the actual name.
It would be helpful to know the name of the device instead of a random name then I can manage the devices a lot better.
The other issue that correlates is device name recognition. SRM is poor with recognizing the name of a device. Another words, if I have a phone called "Test" and join it to my Wi-Fi, I will get a notification that Apple, Inc wants to join the Wi-Fi. If I have a Chromebook, SRM will called it Intel Corporation instead of the actual name.
It would be helpful to know the name of the device instead of a random name then I can manage the devices a lot better.
Create an account or login to comment
You must be a member in order to leave a comment
Create account
Create an account on our community. It's easy!
Log in
Already have an account? Log in here.
Similar threads
Welcome to SynoForum.com!
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.
Registration is free, easy and fast!
Trending threads
-
NAS Compares Synology NAS COMPLETE PLEX Setup Tutorial (2024 SETUP GUIDE #5)- Started by NAS Compares
- Replies: 0
-
-
-
-
NAS Compares Synology NAS Complete Multimedia Setup Tutorial (2024 SETUP GUIDE #4)
- Started by NAS Compares
- Replies: 0
-
