Author Topic: how to block mac address?  (Read 5863 times)

xbipin
how to block mac address?
« on: August 17, 2011, 09:40:14 am »
Usually commercial routers have a MAC address block feature where you can simply restrict a MAC address from accessing anything.

I can use static ARP entries, but then I would need to add all the MAC IDs to which I want to provide access to the list in order to just block a few of them. Firewall rules can be used, but that then depends on the IP address, which can easily be changed by the client.

Metu69salemi
Re: how to block mac address?
« Reply #1 on: August 17, 2011, 10:34:05 am »
You can block only if it passes through the firewall, same as commercial routers.

1) Make some space at the high or low end of your DHCP pool.
2) Assign an IP address to this MAC outside of the pool.
3) Allow access for every client except this outside-pool area.

xbipin
Re: how to block mac address?
« Reply #2 on: August 17, 2011, 10:49:39 am »
What if the client manually specifies his IP address instead of following the DHCP-assigned one?

I have read older posts regarding the same topic, but there seems to be no easy way of simply putting the MAC IDs in a list similar to how it's available in routers, so would that be possible if a bounty was posted?
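
Added example (not part of any post in this thread): the out-of-pool mapping from Reply #1 can be paired with a check for the bypass raised in Reply #2. This Python script parses FreeBSD-style `arp -an` output and reports restricted MACs seen on an address other than their static mapping; the sample ARP lines, the MAC and IP addresses, and the RESTRICTED table are all constructed for illustration.

```python
import re

# Constructed sample of FreeBSD `arp -an` output (not taken from the thread).
SAMPLE_ARP = """\
? (192.168.1.20) at 00:11:22:33:44:55 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.250) at de:ad:be:ef:00:01 on em1 permanent [ethernet]
? (192.168.1.57) at de:ad:be:ef:00:02 on em1 expires in 900 seconds [ethernet]
? (192.168.1.31) at (incomplete) on em1 expired [ethernet]
"""

# Hypothetical static DHCP mappings: restricted MAC -> address outside the pool.
RESTRICTED = {
    "de:ad:be:ef:00:01": "192.168.1.250",
    "de:ad:be:ef:00:02": "192.168.1.251",
}

# Matches "(ip) at mac"; "(incomplete)" entries do not match and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\b",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so table lookups are consistent."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


def parse_arp(text):
    """Yield (ip, mac) pairs for every resolved ARP entry."""
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            yield match.group("ip"), normalize_mac(match.group("mac"))


def find_bypasses(arp_text, restricted):
    """Return (mac, seen_ip, expected_ip) for restricted MACs on another IP."""
    hits = []
    for ip, mac in parse_arp(arp_text):
        expected = restricted.get(mac)
        if expected is not None and ip != expected:
            hits.append((mac, ip, expected))
    return hits


if __name__ == "__main__":
    for mac, ip, expected in find_bypasses(SAMPLE_ARP, RESTRICTED):
        print(f"{mac} is using {ip}, expected {expected}")
```

The check only sees clients that keep their MAC address and change the IP; a client that also changes its MAC will not appear in the result.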

Nachtfalke
Re: how to block mac address?
« Reply #3 on: August 17, 2011, 11:00:03 am »
The only way to MAC filter is - as far as I know - the captive portal.
You could add there all MACs that should have access. The others get redirected to the captive portal page.

But you say that the clients can change their IPs...then they can change their MAC addresses, too.

xbipin
Re: how to block mac address?
« Reply #4 on: August 17, 2011, 11:13:10 am »
MAC ID changing is a bit tricky compared to an IP change, so I doubt the client will do that. The problem is the allowed MAC ID list is huge, so I can't add that to any list manually, and usually clients keep adding newer devices such as phones and laptops to the network. It would be easier for me to fish for the bad fish and block them.

I wonder how they do it in routers.

johnpoz
Re: how to block mac address?
« Reply #5 on: August 17, 2011, 04:09:01 pm »
"mac id changing is a bit tricky compared to an ip change"

Says who? Most Windows NIC drivers have it built right in to change the MAC (locally administered address), and on Linux it is a simple ifconfig command: ifconfig ethX hw ether newmac

So not sure where you got the idea that it's something all that difficult to do?

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

xbipin
Re: how to block mac address?
« Reply #6 on: August 18, 2011, 12:16:21 am »
Let's just assume they won't mess with the MAC ID. Now, is it possible to have something that filters MAC IDs based on a list similar to how the firewall rules work, meaning, filter traffic based on MAC ID before matching with firewall rules?

mikeisfly
Re: how to block mac address?
« Reply #7 on: August 18, 2011, 11:17:05 am »
You can set up a captive portal based on a username and password. There are many guides on how that is done. A captive portal will redirect everyone, and once you are authenticated you won't be bothered by it anymore. Think about Wi-Fi at a hotel you stayed at. You can also add in exempt MACs for your servers and things. I think this is a better solution, and you can add some terms of service that could protect you legally.

xbipin
Re: how to block mac address?
« Reply #8 on: August 19, 2011, 03:46:27 am »
I'm familiar with captive portal, but I still prefer a simple list; on adding MAC IDs to it, they would not get an IP or would have almost no communication with the firewall, and it would be simple enough for others to use also.

johnpoz
Re: how to block mac address?
« Reply #9 on: August 19, 2011, 07:01:13 am »
OK, I am no expert for sure, but after a simple Google for MAC filtering with ipfw, the first thing I think would have to happen is to turn on

sysctl -a | grep ether.ipfw
net.link.ether.ipfw: 0

I believe this has to be 1 to do layer 2 checks in ipfw??

I think once you set that then sure you could write your own rules.  I would suggest you put in a feature request if you want the gui to be able to do it, or start posting a bounty.