Disable Wi-Fi IPv4/IPv6 for Ethernet-Only Security | MacOS Defense

🔒 Disable Wi-Fi IPv4/IPv6

Ethernet-Only Security Configuration

Disable Wi-Fi completely and restrict IPv4/IPv6 protocols to prevent wireless attacks when using Ethernet-only connections. Essential for high-security environments and targeted surveillance scenarios.

⏱️ 10 minutes 🟡 Intermediate 🔐 High Security

⚠️ Why Disable Wi-Fi Protocols?

Even with Wi-Fi turned off, your Mac can still be vulnerable to wireless attacks. Disabling IPv4 and restricting IPv6 to link-local only ensures that even if Wi-Fi is accidentally enabled, it cannot route internet traffic.

This configuration is essential for users under targeted surveillance, working in high-security environments, or anyone who wants to force all internet traffic through a wired Ethernet connection.

Why This Matters

When you're using Ethernet for internet connectivity, Wi-Fi becomes an unnecessary attack surface. Even if you turn Wi-Fi "off," the protocols can still be exploited. This guide shows you how to:

🚫 Completely disable Wi-Fi at the system level
🔒 Disable IPv4 on Wi-Fi to prevent any IPv4 traffic over wireless
🔐 Restrict IPv6 to Link-Local Only (no internet routing over Wi-Fi)
🛡️ Require admin password to change Wi-Fi settings
🎯 Force all traffic through Ethernet for maximum security

💡 Understanding IPv4 vs IPv6 Restrictions

IPv4 OFF: Completely disables IPv4 protocol on Wi-Fi interface - no IPv4 traffic possible

IPv6 Link-Local Only: Restricts IPv6 to local network discovery (fe80::/10 addresses) - no internet routing

This dual restriction ensures that even if Wi-Fi is accidentally enabled, it cannot be used for internet access.

When to Use This Configuration

This setup is recommended for:

🎯 Users under targeted surveillance (nation-state actors, stalkerware)
🏢 High-security work environments requiring wired-only connections
🏠 Home office setups with dedicated Ethernet connections
☕ Public spaces where you want to use Ethernet dongles only
🔐 Any scenario where wireless attack surface must be eliminated

⚠️ Before You Begin

Make sure you have a working Ethernet connection before proceeding. Once you disable Wi-Fi protocols, you will not be able to use Wi-Fi for internet access without reversing these changes.

You will need your admin password to make these changes and to re-enable Wi-Fi in the future.

Step 1: Open System Settings

1 Click the Apple menu () in the top-left corner

Select System Settings

Step 2: Search for Wi-Fi Settings

2 In the System Settings search bar, type "wifi"

Click on Wi-Fi in the search results or left sidebar

Step 3: Turn Wi-Fi OFF

3 Toggle the Wi-Fi switch to OFF

You should see "Wi-Fi is off" with a red dot indicator

✅ Wi-Fi is Now Disabled

Your Mac will no longer connect to Wi-Fi networks. However, we need to configure the protocols to prevent accidental re-enabling from being exploited.

Step 4: Configure TCP/IP Settings (CRITICAL)

4 Click the "Advanced..." button in the Wi-Fi settings

Select the TCP/IP tab

Set Configure IPv4 to "Off"

Set Configure IPv6 to "Link-Local Only"

Click OK to save

TCP/IP configuration with IPv4 OFF and IPv6 Link-Local Only (annotated)

🔐 This is the Most Important Step

IPv4: Off - Completely disables IPv4 protocol on Wi-Fi. No IPv4 traffic can flow over wireless.

IPv6: Link-Local Only - Restricts IPv6 to local network discovery only (fe80:: addresses). No internet routing possible.

Even if Wi-Fi is accidentally turned back on, these protocol restrictions prevent it from being used for internet access or attacks.

Step 5: Review Hardware Settings (Optional)

5 In the Advanced settings, click the Hardware tab

Note your Wi-Fi MAC address for reference

Keep Configure: Manually and MTU: Standard (1500)

Wi-Fi Hardware settings showing MAC address

📝 Note Your MAC Address

Your Wi-Fi MAC address is useful for network auditing and troubleshooting. Write it down for your records, but remember to blur it in any screenshots you share publicly.

Step 6: Require Administrator Authorization

6 Back in the main Wi-Fi settings, look for "Require administrator to" options

Enable "Change networks" (toggle to blue)

Enable "Turn Wi-Fi on or off" (toggle to blue)

Click Done

Require administrator authorization settings (annotated)

✅ Wi-Fi is Now Locked Down

Your Mac now requires an administrator password to:

Turn Wi-Fi on or off
Change Wi-Fi networks

This prevents unauthorized changes to your Wi-Fi configuration, even if someone gains physical access to your Mac while unlocked.

Step 7: Review Known Networks (Optional)

7 In the administrator authorization dialog, scroll down to see Known Networks

Review the list of networks your Mac has connected to in the past

Consider removing untrusted or unknown networks by clicking the ⓘ icon and selecting "Forget This Network"

Known Networks list showing saved Wi-Fi networks (annotated)

⚠️ Review Your Known Networks

Your Mac remembers every Wi-Fi network you've ever connected to. This list can reveal your location history and potentially be exploited.

Recommendation: Remove any networks you no longer use or don't recognize, especially:

Public Wi-Fi from coffee shops, airports, hotels
Networks from previous residences or workplaces
Any network you don't recognize

Verification

To verify your configuration is working correctly:

Confirm Wi-Fi toggle shows "Wi-Fi is off" with red dot
Verify you can still access the internet via Ethernet
Try to turn Wi-Fi on - you should be prompted for admin password
If you turn Wi-Fi on temporarily, verify no internet access (due to protocol restrictions)

✅ Configuration Complete

Your Mac is now configured for Ethernet-only internet access with Wi-Fi protocols disabled. All internet traffic will flow through your wired connection only.

Security Benefits

This configuration provides multiple layers of protection:

🚫 Eliminates wireless attack surface - No Wi-Fi means no wireless vulnerabilities
🔒 Prevents protocol-level exploits - IPv4/IPv6 restrictions block traffic even if Wi-Fi is enabled
🛡️ Stops accidental connections - Admin password required to change settings
🎯 Forces Ethernet-only traffic - All internet access goes through wired connection
🔐 Protects against Wi-Fi attacks - KRACK, evil twin, deauth attacks are impossible

Troubleshooting

I can't access the internet

Make sure your Ethernet cable is connected and your router/switch is working. Check System Settings → Network to verify Ethernet is connected and has an IP address.

Wi-Fi keeps turning back on

Verify you enabled "Require administrator authorization to Turn Wi-Fi on or off" in Step 6. This prevents unauthorized changes.

Some local services don't work

IPv6 Link-Local Only allows local network discovery (AirDrop, AirPlay, printer discovery) to work on the same network. If you need these services, they should still function over Ethernet.

I need to use Wi-Fi temporarily

You can re-enable Wi-Fi, but you'll need your admin password. To restore internet access over Wi-Fi, you'll also need to:

Go to Advanced → TCP/IP
Set "Configure IPv4" to "Using DHCP"
Set "Configure IPv6" to "Automatically"
Click OK and connect to a network

How do I reverse these changes?

To restore normal Wi-Fi functionality:

Enter your admin password to access Wi-Fi settings
Turn Wi-Fi ON
Go to Advanced → TCP/IP
Set IPv4 to "Using DHCP"
Set IPv6 to "Automatically"
Disable "Require administrator authorization" if desired

💡 Defense in Depth

This Wi-Fi restriction is one layer of a comprehensive security strategy. Combine it with:

LuLu Firewall - Outbound connection control
Murus Firewall - Network-level packet filtering
macOS Built-in Firewall - Inbound connection blocking
VPN - Encrypted tunnel for all traffic

Quick Links

Case Studies

Video Library

Defense Guides

About AIMF

About