I will point out that many routers have a 10 MAC address limit to their lists. My old WRT54GX Linksys router certainly did. It would let you insert 10 devices into the filter list until the configuration file failed to save, even though there were 20 boxes to fill in. I don't know about my current DD-WRT router.

Best bet would be to use WPA2-PSK AES encryption if you're looking to simply keep things locked down. Keeps unwanted devices off and it encrypts your data!

I understand the limitations of the MAC filtering. It is however a second layer on top of WPA2  I am currently using. Friends of my kids pretty often brings their gudjets to play in our house. To give them an access to the internet i tell them my WPA2 password and disable MAC filtering. After kids gone (with the gadgets and my password in them) I switch the MAC filtering back on. What would you suggest instead?

Why Verizon limits MAC filtering to 10 anyway?

Why not just set up another wireless router on the network, and give them that SSID? This should keep the networks seperate with different security for each?

I am not sure I understood your suggestion. How another router will help ? True, SSID and password will be different, but ones connected to the network you are in anyway.

Also, I do not think this is simpler than just increasing the limit of 10 to say 128 MAC addresses, not to mention the hassle with buying and installing another (third in my case) router.  Why is the limit of 10 anyway? What is the reason? Any explanations?

Mac address filtering is listed by zdnet as one of the six worst ways (they describe it as 'dumb') to secure a wireless network.  They also describe it is as being in the 'Wireless LAN security hall of shame'

http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43

---

 MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not. Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

---

it's best practice to simply use wpa2, and when they come over to simply change the password for the short time that they are there.

If you have a second router, you could get one that has a feature called guest network access. 

The ten limit is a default value that prevents arp attacks and mac flooding, two common attacks that are the biproduct of mac filtering. 

ok. Thanks all.