OpenTollGate / TollGateNostrToolKit


Client isolation + PMF (+ WPA3?) #42

Open chGoodchild opened 2 days ago

chGoodchild commented 2 days ago
  1. Interface Modes and MAC Visibility:

    • In all standard WiFi modes (including AP, AP/VLAN), clients can typically see other clients' MAC addresses through:
      • Probe requests
      • Data frames
      • Management frames
    • Even in AP/VLAN mode, while traffic is segregated, MAC addresses remain visible

  2. Possible Solutions:

a) Client Isolation
- Enable client isolation (also called AP isolation or guest mode)
- Configure through OpenWrt:
```bash
# OpenWrt: enable client isolation on the first wifi-iface section, save, and apply
uci set wireless.@wifi-iface[0].isolate=1
uci commit wireless
wifi reload
```

b) MAC Address Randomization

c) Advanced VLAN Configuration

d) Protected Management Frames (PMF)

  3. Additional Security Measures:
    - Use WPA3 if possible (provides better privacy)
    - Implement 802.11w (Protected Management Frames)
    - Consider using enterprise authentication (WPA2/3-Enterprise)

Remember: Complete MAC address privacy is difficult to achieve in WiFi networks due to the inherent broadcast nature of the protocol. The best approach is usually a combination of client isolation and encouraging client-side MAC randomization.

chGoodchild commented 2 days ago

Client isolation works and can be bypassed in the following ways:

How Client Isolation Works:

1. Layer 2 Filtering
- AP blocks direct client-to-client communication at layer 2
- Each client can only communicate with the gateway
- Implemented through MAC address filtering rules

2. Frame Control
- AP drops frames where:
  - Source = Client MAC
  - Destination = Another Client MAC
- Allows frames where:
  - Source = Client MAC
  - Destination = Gateway MAC or Broadcast/Multicast

Attack Vectors/Bypasses:

1. Passive Sniffing
- Monitor mode captures can still see:
  * Probe requests from clients
  * Authentication/Association frames
  * Management frames
  * Beacons containing connected client lists

2. Active Attacks
- Sending broadcast frames to elicit responses
- ARP requests/responses can reveal MACs
- DHCP discoveries/requests expose client MACs
- Protocol-specific broadcasts (NetBIOS, mDNS)

3. Frame Analysis
- Even with encryption, frame headers contain MAC addresses
- Management frames might be unencrypted unless PMF is enabled

4. Timing Analysis
- Traffic patterns can reveal client presence
- Frame sequence numbers can be tracked

Best Practices to Minimize Exposure:

1. Enable PMF (Protected Management Frames)
   - Encrypts some management frames
   - Reduces visible MAC information

2. Disable unnecessary broadcasts
   - Filter unnecessary protocols
   - Limit broadcast domains

3. Use WPA3 if possible
   - Better privacy protections
   - Enhanced management frame protection

4. Consider RADIUS MAC authentication
   - Centralized MAC control
   - Better tracking and control

Remember: Complete MAC privacy is nearly impossible due to WiFi's fundamental design, but combining multiple protection methods reduces exposure significantly.
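An offline check for the three OpenWrt settings the two comments above discuss (client isolation via `isolate`, PMF via `ieee80211w`, WPA3 via `encryption`), added here as an example and not code from the TollGate project: it parses a copy of `/etc/config/wireless` in UCI syntax and lists which AP interfaces still lack the hardening. The sample config, the `wifi-iface#N` fallback name and the finding strings are constructed for this example.

```python
import re

# Constructed sample config: one AP left at defaults, one AP with the hardening applied.
SAMPLE_WIRELESS = """\
config wifi-iface 'default_radio0'
	option ssid 'TollGate-Open'
	option encryption 'psk2'
config wifi-iface 'hardened'
	option mode 'ap'
	option ssid 'TollGate-Hardened'
	option encryption 'sae'
	option isolate '1'
	option ieee80211w '2'
"""

# Matches "config <type> [<name>]" and "option <key> <value>"; list lines and comments are skipped.
LINE_RE = re.compile(r"^\s*(config|option)\s+(\S+)(?:\s+(.*?))?\s*$")


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: value})]."""
    sections = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        kind, key, value = m.group(1), m.group(2), m.group(3) or ""
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # UCI accepts quoted or bare values
        if kind == "config":
            sections.append((key, value, {}))
        elif sections:
            sections[-1][2][key] = value
    return sections


def audit_iface(opts):
    """Findings for one AP-mode wifi-iface (OpenWrt defaults mode to 'ap')."""
    findings = []
    if opts.get("mode", "ap") != "ap":
        return findings  # station/mesh interfaces are out of scope here
    if opts.get("isolate", "0") != "1":
        findings.append("isolate!=1: clients can reach each other at layer 2")
    pmf = opts.get("ieee80211w", "0")
    if pmf != "2":
        findings.append(f"ieee80211w={pmf}: PMF not required (802.11w)")
    enc = opts.get("encryption", "none")
    if enc not in ("sae", "sae-mixed", "wpa3", "wpa3-mixed"):
        findings.append(f"encryption={enc}: WPA3/SAE not in use")
    return findings


def audit(text):
    """Map each wifi-iface section name to its findings; an empty list means hardened."""
    return {name or f"wifi-iface#{i}": audit_iface(opts)
            for i, (stype, name, opts) in enumerate(parse_uci(text)) if stype == "wifi-iface"}
```

Run it against `scp root@router:/etc/config/wireless` output; `audit(open(path).read())` returns one entry per AP so the check can sit in a config-review script.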