Deny new clients from connecting

Hello everyone,

I was wondering if it’s possible to automatically deny new devices connecting to your network.

What I mean by this is, when someone first connects, they have no Ethernet access, until I verify their connection (basically blocking all mac addresses, and only when I verify the device, name it & give it a static IP, it’s allowed to access the Ethernet).

This is mainly to avoid clients from mac spoofing & bypassing filters, or hiding their device names in system log.

Hope someone can point me to the right direction, would be awesome to set this up!:smile:

1 Like

Does this feature meet your needs?

Preset policies in the “Clients” page to block WAN or limit speed by default for all devices using randomized MAC addresses.
We are considering adding it in version 4.1.


Please add it. I also recommend this. I really want this feature. :+1:

Can it be for any new client?

1 Like

For now I think It only for MAC Randomization. Users shouldn’t expect this restriction to prevent malicious intrusions.

But we are also adding parental controls to our develop schedule that can manage all devices.

1 Like

Yes, that would be absolutely perfect!:smile::pray:

I think this possible by appending rules in LuCI → Network → Firewall → Firewall - Traffic Rules:

  1. Accept your Source MAC address list from Source zone LAN to Destination Zone this device
  2. Drop or Reject all other traffic from Source zone LAN to Destination Zone this device

The Randomized MAC address Device Preset would be a useful feature for some people, but may not prevent new clients connecting with non-randomized MAC addresses, if the feature only checks for a specific 2nd digit of 2, 6, A, or E in the MAC address.

I do not work for and I do not have formal association with GL.iNet

1 Like

Agreed. It should be made for all new clients connecting to the router, this would cover randomized Mac and new clients . Much cleaner.

1 Like

Due to scheduling (our new product will be pre-installed with version 4.1), the relevant features will be unified in the parental control module of version 4.2.
In Parental Control, users can block all new incoming devices to access the Internet.


To automatically deny new lead enrichment to your network until you verify their connection, you can employ several methods depending on your network setup and the devices you are using. Here are a few options you can explore:

  1. Most routers allow you to configure MAC address filtering, where you can specify a list of allowed MAC addresses that can connect to the network. By default, you can set the router to deny access to any MAC address that is not on the allowed list. When a new device connects, you will need to manually add its MAC address to the allowed list to grant access.

  2. NAC solutions provide enhanced control over network access. They typically involve an authentication mechanism that verifies the identity of connecting devices before granting access. NAC solutions can integrate with existing network infrastructure and offer more granular control over access policies.

  3. A captive portal is a web page that is displayed to newly connected devices before they are granted access to the network. You can set up a captive portal that requires users to provide additional information or undergo a verification process before they are allowed access to the network.

  4. If you have a router that supports guest network functionality, you can create a separate network for new devices to connect to. By default, the guest network can have restricted access or no internet connectivity at all. Once you verify a device and assign it a static IP, you can move it to the main network with full access.