obsidian/wiki/concepts/mac-address-randomization-dhcp.md
2026-04-28 21:55:05 +01:00


title: MAC Address Randomization — DHCP Pool Exhaustion and IP Conflicts
aliases: mac-randomization, dhcp-conflicts, apple-mac-randomization, private-wifi-address
tags: dhcp, networking, homelab, apple, ios, macos, router, wifi
sources: daily/2026-04-28.md
created: 2026-04-28
updated: 2026-04-28

MAC Address Randomization — DHCP Pool Exhaustion and IP Conflicts

iOS 14+ and macOS 12+ (Monterey+) enable Private Wi-Fi Address by default on all Wi-Fi networks. This feature assigns a different randomly-generated MAC address per Wi-Fi network per day/week. On a home network with a small DHCP pool, each randomized MAC creates a new DHCP lease — the same physical device appears as multiple "clients" with different MAC addresses, exhausting the lease pool and causing IP conflicts.

Key Points

  • Apple devices generate a new random MAC per network by default; 7E:FE:CE:2E:68:84 appearing on 4 different IPs is the classic symptom of MAC randomization, not a rogue device
  • DHCP lease pool exhaustion: if the pool is small (e.g., 192.168.1.100–150, 50 addresses) and 2–3 Apple devices rotate MACs daily, the pool fills up — new devices get "no available address"
  • IP conflicts arise when a new lease is issued for an IP that a previously-DHCP-assigned device still considers its own (lease time vs rotation period mismatch)
  • Fix: disable "Private Wi-Fi Address" per network in Settings → Wi-Fi → ⓘ → Private Wi-Fi Address → Off; the device then uses its permanent hardware MAC for that network
  • DHCP reservation by MAC is incompatible with randomization — you cannot reliably reserve IPs for Apple devices unless randomization is disabled for that network

Details

How MAC Randomization Works on Apple Devices

Starting with iOS 14 (2020) and macOS Monterey (2021), Apple enabled per-network randomized MACs by default:

  • iOS/iPadOS: Settings → Wi-Fi → tap ⓘ next to network → Private Wi-Fi Address
  • macOS: System Preferences/Settings → Network → Wi-Fi → Details → Private Wi-Fi Address
  • Default: On — the device uses a "stable" randomized MAC for each network (same MAC per network until the setting is changed or the network is forgotten)
  • In newer iOS versions, the MAC may rotate periodically even for the same network (rotating vs stable random)

A randomized MAC has the locally administered bit set, which puts 2, 6, A, or E in the second nibble of the first octet: x2:, x6:, xA:, or xE:, where x is any hex digit. The 7E: prefix in 7E:FE:CE:2E:68:84 marks it as a locally administered address, confirming this is a randomized MAC.

DHCP Impact

A home router's DHCP server allocates addresses based on MAC address — each unique MAC gets its own lease. When an Apple device rotates its MAC:

  1. Previous lease (old MAC) remains active until it expires (e.g., 24h lease time)
  2. Device connects with new MAC → gets a new lease (new IP)
  3. Old lease is not released (device doesn't know to release it with the old MAC)
  4. After enough rotations, the pool has N_devices × N_rotations active leases

With a 4-hour lease time and daily rotation: one iPhone creates 6 leases per day. With a 24-hour lease time and daily rotation: 2 leases per device per day (yesterday's + today's). Larger lease times reduce pool exhaustion but slow recovery.

Diagnosing the Problem

In the router's DHCP client list, look for:

  • Multiple entries with similar hostnames (iPhone, iPhone-2, iPhone-3)
  • Entries with locally-administered MACs (second nibble is 2, 6, A, or E)
  • One physical device showing up as 2–4 different "clients" simultaneously

```
# On the router (if SSH/CLI is available)
# Or in the web UI → DHCP clients list
# Look for multiple entries with the same hostname
```

The specific symptom from 2026-04-28: MAC 7E:FE:CE:2E:68:84 appeared on 4 different IP addresses in the DHCP lease table — one device with 4 different MACs from different rotation periods.
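
The checks listed above (shared hostname, second nibble 2/6/A/E, share of the pool held by such leases) can be run over an exported lease table. This is an added example, not part of the original note: the lease lines are constructed, and the dnsmasq-style layout `<expiry> <mac> <ip> <hostname> <client-id>` is an assumption about what the router exposes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, laid out like a dnsmasq lease file (an assumption):
# <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1777400000 7e:fe:ce:2e:68:84 192.168.1.101 iPhone *
1777403600 a2:4b:11:9c:00:17 192.168.1.117 iPhone *
1777407200 36:d0:5e:72:ab:c1 192.168.1.123 iPhone *
1777410800 00:00:5e:00:53:10 192.168.1.110 nas *
1777414400 ea:01:02:03:04:05 192.168.1.140 MacBook-Air *
"""

def is_randomized_style(mac: str) -> bool:
    """True for unicast, locally administered MACs (second nibble 2, 6, A, E)."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return (first_octet & 0x03) == 0x02  # bit 1 = local, bit 0 clear = unicast

def parse_leases(text: str):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _expiry, mac, ip, hostname = fields[:4]
        yield mac.lower(), ipaddress.ip_address(ip), hostname

def summarize(text: str, pool_first: str, pool_last: str):
    """Return (hostnames holding >1 randomized-MAC lease, pool usage counts)."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    by_host = defaultdict(list)
    in_pool = randomized_in_pool = 0
    for mac, ip, hostname in parse_leases(text):
        rand = is_randomized_style(mac)
        if first <= ip <= last:
            in_pool += 1
            randomized_in_pool += rand
        if rand:
            by_host[hostname].append((mac, str(ip)))
    suspects = {h: ls for h, ls in by_host.items() if len(ls) > 1}
    pool_size = int(last) - int(first) + 1
    return suspects, {"pool_size": pool_size, "leased": in_pool,
                      "randomized": randomized_in_pool}

if __name__ == "__main__":
    suspects, usage = summarize(SAMPLE_LEASES, "192.168.1.100", "192.168.1.199")
    for host, leases in suspects.items():
        print(f"{host}: {len(leases)} leases on randomized MACs -> {leases}")
    print(usage)
```

The locally administered bit is also set on MACs generated for VMs and containers (Docker's default bridge addresses start with 02:42), so treat a hit as "not a burned-in address" and use the hostname grouping to tie it to a phone or laptop.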

Fix: Disable Private Wi-Fi Address Per Network

iPhone/iPad (iOS/iPadOS):

  1. Settings → Wi-Fi
  2. Tap ⓘ next to your home network name
  3. Scroll to Private Wi-Fi Address
  4. Toggle Off
  5. Reconnect to the network — device will use its permanent hardware MAC

Mac (macOS Ventura/Sonoma/Sequoia):

  1. System Settings → Network → Wi-Fi
  2. Click Details... next to your home network
  3. Private Wi-Fi Address → set to Off
  4. Click OK

Apple TV / HomePod: Settings → Network → Wi-Fi → select network → Private Wi-Fi Address → Off

After disabling on all devices, the router's DHCP lease table will consolidate to one lease per physical device. Old randomized-MAC leases will expire after the lease time.

DHCP Configuration Best Practices for Homelab

| Setting | Recommendation | Why |
| --- | --- | --- |
| Pool range | 192.168.1.100–199 (100 addresses) | Avoids overlap with static IPs (1–99 reserved for servers) |
| Lease time | 24h minimum | Too short = more frequent MAC rotation leases |
| Static reservations | By hardware MAC (after disabling randomization) | Reliable only with fixed MACs |
| Server IPs | 1–49 static (Proxmox, VMs, Docker) | Stable, never in DHCP pool |

Specifically: reserve 192.168.1.48 for Proxmox, 192.168.1.71 for Immich, 192.168.1.225 for AdGuard — these should have static IPs or DHCP reservations, never dynamic addresses.

When Randomization Is Desirable

MAC randomization provides real privacy benefits on public networks (cafes, airports, hotels) — it prevents tracking across visits. For home networks where you control the router and want reliable DHCP reservations, disabling it is the correct trade-off. Most routers' "guest network" feature is the right privacy solution for home guests.

Sources

  • daily/2026-04-28.md — MAC 7E:FE:CE:2E:68:84 appeared on 4 IPs in DHCP client list; identified as Apple MAC randomization; resolution: disable Private Wi-Fi Address on each Apple device for the home network; DHCP pool recommendation: 192.168.1.100–199, lease 24h+