MAC Address Filtering - Network Inkjets from the Inside

Imagine the following scenario: a small startup business (“Acme Networking”) wants to increase its security by posting a guard at the front door who only admits authorized employees. Because they don’t have a lot of money, and because they want to keep things simple, they tell the guard to turn away anyone who does not say that they work for “Acme Networking”. The guard stands beside a door that has “Acme Networking” posted on it, and asks each person “Who do you work for?”

Pretty dumb security, isn’t it? It would prevent someone from accidentally going through the Acme Networking door, but it wouldn’t stop someone who is trying to sneak in; they would just look at the door and say “Oh yes, well um, I work for Acme Networking of course.”

MAC address filtering is like the Acme Networking security guard: the router only allows communication with devices whose MAC address it has been told about, and those MAC addresses are easy to see for anyone trying to sneak into the network. The MAC address is included in communication with the router, and the MAC address portion of the communication is unencrypted, so anyone can see it even if they have not joined the wireless network. An "intruder" simply needs to change the MAC address on their computer to match one that they see being used on the network.

So although MAC address filtering prevents people from accidentally joining a network, it does little to prevent anyone from sneaking onto the network.

 

MAC address filtering causes problems because it obviously needs to be kept current. As each new device is added to the network, the new device’s MAC address needs to be added to the MAC address filter list. Any mistake in entering it prevents the new device from working correctly. And because MAC address filtering is not a standard WiFi feature, there is no mechanism to tell a device that it really hasn't joined the network because it was "filtered out". So the new device will think it is on the network but the router will be ignoring anything the new device sends to it, and the router won’t route any data to the new device.

 

Most people don’t manage their router settings on a daily basis, so it is easy to forget that MAC address filtering is being used, and others using the network may not be aware it is being used. If someone forgets or is unaware that MAC address filtering is being used and they try to add a new printer to the network, they will generally be confused and frustrated. They did everything right but the darn thing just won’t work.

 

This is why MAC address filtering is often deemed much more trouble than it is worth. In fact, it has been listed as one of “the six dumbest ways to secure a wireless LAN” by George Ou (http://blogs.zdnet.com/Ou/index.php?p=43).

By the way, many recent HP inkjet printers include a Wireless Network Test that can be run from the printer front panel, with the results printed as a report. It includes many different checks of error conditions. If there are no indications of an error but the printer does not sense any network communication, it warns that MAC address filtering may be blocking communication.

 

Everyone needs to make their own choice when they balance security and convenience, but the pros and cons of MAC address filtering should be carefully considered when setting up a wireless network for a friend or relative. Are you really going to be doing them a favor by setting this up so that they have to deal with it later?


Posted 07-11-2008 10:57 PM by david.o.hamilton