Android 10 issue with wifi connections solved

[restorer-john]

A previously connected device fails to re-connect to your secure wifi network after an Android 10 update.

Passwords are correct. WPA-WPA-2 etc is correct. Nothing has changed your end. Resets do nothing. WiFi is essentially dead or randomly works, very poorly jumping from one saved connection to another.

In desperation, you check your router logs and WLAN access requests are being denied from MAC addresses not on your white list. WTF?

Android 10 randomizes the MAC address it sends to the router for verification by default. You need to delete each saved wifi network on the phone, and add it manually, scroll down to "use randomized mac" and change it to "use device mac".

If you use MAC address filtering or/for device specific IP addresses on your network, this might help someone.

Phew. 1 hour of head scratching wasted. Hope it saves someone, somewhere that hour.

 

[Morla]

Or better yet.. do not use mac filtering at all in the first place. At least not for "allowing them on the net". macs are sent unencrypted over the air and can be chosen freely by any device.

Knowing the mac can be useful in a scenario where every participant is a friend in order to give out static ips via dhcp for example but surely not for anything security related.

Great finding tho. I wished they opted for randomized macs in public wifis onlY

 

[restorer-john]

Knowing the mac can be useful in a scenario where every participant is a friend in order to give out static ips via dhcp for example but surely not for anything security related.

Great finding tho. I wished they opted for randomized macs in public wifis onlY

Yes, that would make more sense than a blanket randomization.

I was about to roll back to Android Pie when I saw the random MACs being denied access. Allowed a random MAC and it worked, only to randomize it again a few minutes later. Apparently the MAC randomization was a dev option in Pie, now it's standard.

I use mac filtering for specific IP addresses for network hardware and mac access lists in conjuction with device IDs and WPA-2 passwords for both main networks and guest networks along with wireless isolation/network isolation.

I can then protect my network assets (my NAS, printers, LAN connected test gear, and main lab machines) from guests that just want simple internet access, I can let our boys use the other guest network that can access the printers (fixed IPs) and specific shares on the NAS and the entertainment can access the NAS, but read only, be it via wifi or direct. I can also port forward to specific MACs IP ranges for their gaming.

It also means I can make device specific choices on the levels of access and QoS and run it all from one router using 4 SSIDs (2x2.4GHz and 2x5GHz). I find routers are really dumbed down these days, compared to the security centric routers of old. Drayteks were wonderful in that regard, and Netgear really screwed the pooch when they took all the parental controls (and access controls) into the "cloud" with Netgear Genie.

My TOTL Asus router was a dog to make changes to (each minor change needed a full reboot taking ages...) I gave it to my parents as they have simple needs.

 

[Doodski]

Have you used the free Linux Smoothwall Express firewall @restorer-john
https://www.smoothwall.org/

 

[restorer-john]

Have you used the free Linux Smoothwall Express firewall

No. Never went with a PC based firewall. I like to keep the network simple in terms of hardware due to the fact we take a lot of lightning strikes around here. So if I find a good router, I buy a few of them and keep them for the next rainy (stormy) day. (save the config file and can quickly load it into an identical replacement and be up and running in a few minutes)

Tried to mess around with DDWRT but it was a pain finding the right version routers for the firmware builds and then finding more bugs than solutions.

 

[Doodski]

No. Never went with a PC based firewall. I like to keep the network simple in terms of hardware due to the fact we take a lot of lightning strikes around here. So if I find a good router, I buy a few of them and keep them for the rainy (stormy) day.

Tried to mess around with DDWRT but it was a pain finding the right version routers for the firmware builds and then finding more bugs than solutions.

Yeah, I used a Buffalo router with DDWRT built in and it was realllly complex. Half the stuff I had no idea what it was for. The SmoothWall pooders that I built where way better.

 

[Chromatischism]

Thank you for this. I always set static IPs for my devices and this would drive me crazy.

What is the advantage of phones doing this now?

 

[Morla]

Thank you for this. I always set static IPs for my devices and this would drive me crazy.

What is the advantage of phones doing this now?

It's a privacy feature. The mac historically was a global identifier of a net participiant. There always was a misconception of it being unique but it only has to be unique on a given layer 2 network. Devices actually can choose what mac they want to have. Just most devices stick to that one mac in their network card.

There used to be a serial number in pentium processors that were critized for the same reason.

One could build a database of those identifiers and do stupid things with it like tracking th
at guy commiting a thoughtcrime.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

Edward Joseph Snowden