Implementing a device white list with dnsmasq

I got teenagers. They have devices. Their friends have devices. All of which want to be on my WiFi. Unfortunately, the WiFi has some valuable work-related machines, too. And because of WPA shared passwords, there’s little one can do as a parent to prevent the sharing of WiFi passwords “just with my best friend” (of the week) or the malware-infected device of the day.

Or is there? Fortunately, none of them know very much about networks. So the following trick works, given that I run my own UBOS-based home router, which runs dnsmasq for DHCP and DNS.

In /etc/dnsmasq.d/50-setup.conf, add this line:

dhcp-ignore=tag:!known

In /etc/dnsmasq.d/60-network.conf, list all the approved devices (your white list), like this:

dhcp-host=00:11:22:33:44:55 ,  appletv , 192.168.2.3, set:known
dhcp-host=11:22:33:44:55:66 ,  laptop  , 192.168.2.4, set:known

where 00:11:22:33:44:55 is the Mac address of the connecting network interface of an allowed computer (WiFi, or it also works for Ethernet), followed by the name of the device, the IP address that it is supposed to get, and the tag that identifies it as member of the white list.

Then, restart the daemon:

sudo systemctl restart dnsmasq

and only approved devices will get an IP address. Security by obscurity? Yes, but much better than not doing it, and practice shows it works for this particular set of customers :-)