In 2010, I used a Cisco EA2700 router behind an AT&T gateway, with remote update turned off and MAC address filtering limited to three devices: two general-purpose computing “towers” and an iPod. While using this setup, I began to theorize a virtual environment in which a virtual router controls access to the other (possibly also “virtual”) machines. I speculated that this would make penetration harder: at the hardware router, the (updatable) MAC address of the virtual router would be specified as the only device authorized to pass traffic to the WAN. Admins could still telnet in to manage the virtual router, using its IP address and password (for example, to manage whitelists and blacklists). One could also specify MAC address filtering within the virtual environment. It should be added that the virtual router would be a different firmware model than the physical router. This might compare or contrast to a Bluetooth-style pairing and bonding protocol. I think it actually improves things.
Added 09/20 – Upon consideration, the “virtual” nature of the second router has no value. Normal routers already provide the ability to clone MACs. Any remaining hope for improvement by this means would depend on the benefits of forcing data to tunnel between two routers. The idea would be that the outer router (or gateway, in most cases) would recognize only the MAC of the inner router, while the inner router itself recognizes the other internal MACs. The benefit derived would depend on how an attacker’s exploits actually work.
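To make the two-router layout concrete, here is a small model of it (an added example, not the author's configuration and not code from any router firmware). It treats each router as a MAC allowlist that re-sources the frames it forwards, exactly as the text describes: the outer router admits only the inner router's MAC, and the inner router admits the three LAN devices. All MAC addresses are constructed for illustration. The last scenario shows the weakness noted in the 09/20 addendum: a host that reaches the outer segment and clones the inner router's MAC is indistinguishable from the inner router.

```python
"""Model of a two-router MAC-allowlist chain (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    payload: str


@dataclass
class Router:
    name: str
    mac: str
    allowed_macs: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, frame: Frame):
        """Forward the frame toward the WAN if its source MAC is allowlisted.

        Returns the frame re-sourced from this router's own MAC (as a router
        forwarding at layer 3 would), or None if the frame is dropped.
        MAC comparison is case-insensitive, as real filters normalise case.
        """
        allowed = {m.lower() for m in self.allowed_macs}
        if frame.src_mac.lower() not in allowed:
            self.log.append(f"{self.name}: DROP src={frame.src_mac}")
            return None
        self.log.append(f"{self.name}: FORWARD src={frame.src_mac}")
        return Frame(src_mac=self.mac, payload=frame.payload)


# Constructed addresses; locally-administered (02:...) so they match no vendor.
TOWER_A = "02:00:00:00:00:a1"
TOWER_B = "02:00:00:00:00:a2"
IPOD = "02:00:00:00:00:a3"
INNER_MAC = "02:00:00:00:00:10"
OUTER_MAC = "02:00:00:00:00:01"
ATTACKER = "02:00:00:00:00:ee"


def build_topology():
    """Inner router allowlists the three LAN devices; outer allowlists only inner."""
    inner = Router("inner", INNER_MAC, allowed_macs={TOWER_A, TOWER_B, IPOD})
    outer = Router("outer", OUTER_MAC, allowed_macs={INNER_MAC})
    return inner, outer


def send_via_chain(inner: Router, outer: Router, frame: Frame) -> bool:
    """A LAN host behind the inner router trying to reach the WAN."""
    hop = inner.forward(frame)
    if hop is None:
        return False
    return outer.forward(hop) is not None


def send_direct_to_outer(outer: Router, frame: Frame) -> bool:
    """A host that has physical/wireless access to the outer segment."""
    return outer.forward(frame) is not None


def run_scenarios() -> dict:
    """Return which traffic reaches the WAN in each scenario."""
    inner, outer = build_topology()
    results = {
        "tower_via_chain": send_via_chain(inner, outer, Frame(TOWER_A, "ok")),
        "unknown_via_chain": send_via_chain(inner, outer, Frame(ATTACKER, "x")),
        "unknown_on_outer_segment": send_direct_to_outer(outer, Frame(ATTACKER, "x")),
        # MAC cloning: the attacker sets its interface MAC to the inner router's.
        "cloned_inner_mac_on_outer_segment": send_direct_to_outer(
            outer, Frame(INNER_MAC, "x")),
    }
    # Every frame the outer router forwarded carried the inner router's MAC,
    # so the outer log cannot distinguish the inner router from a clone of it.
    results["outer_saw_only_inner_mac"] = all(
        line.endswith(f"src={INNER_MAC}")
        for line in outer.log if "FORWARD" in line)
    return results


if __name__ == "__main__":
    for name, reached_wan in run_scenarios().items():
        print(f"{name}: {reached_wan}")
```

The model reproduces the addendum's conclusion: the chain does stop an unknown device behind the inner router, and it stops an unknown MAC plugged into the outer segment, but nothing in the MAC header authenticates the inner router, so an attacker on the outer segment who clones INNER_MAC passes. Whatever protection the layout adds therefore rests on keeping the attacker off the outer segment, not on the allowlist itself.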