Netgate Discussion Forum

    How to trust a device by MAC address coming from WAN

    Firewalling
    10 Posts 7 Posters 1.1k Views
    • Remember

      We have some tablets that are cellular based and roam around the country. We know the MAC addresses of these devices and would like to set up an allow list so that SNORT will stop blocking them randomly. I see you can do that by IP, but in our case the IP changes as they roam to new areas. How can we set the pfSense box to trust a MAC address?

      • SteveITS Galactic Empire @Remember

        Are you able to install a dynamic DNS client on them? Then you could trust by hostname. pfSense will update aliases every 5 minutes I think. I don't recall Snort/Suricata but I am pretty sure it's come up before if you look through the IDS subforum.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • johnpoz LAYER 8 Global Moderator @Remember

          @remember The MAC address you would see on your WAN is only ever going to be that of the upstream device your WAN is connected to..

          DDNS is one way to do it, or you could just let these devices VPN in to pfSense..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • JKnott @Remember

            @remember

            Pfsense will never see a MAC address for those devices. A MAC address is not passed by routers.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

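The point johnpoz and JKnott make above, shown as an added example (my code, not from the thread or from pfSense): a constructed frame leaving a tablet is forwarded through two simulated IPv4 router hops, and the frame that reaches the pfSense WAN carries only the last upstream router's MAC, while the IP addresses survive unchanged. All MAC and IP values are made-up sample addresses.

```python
import struct
# Constructed sample addresses for the walk-through (not from the thread).
TABLET_MAC = bytes.fromhex("020000000001")       # the roaming tablet's NIC
CELL_GW_MACS = (bytes.fromhex("020000000002"), bytes.fromhex("020000000003"))  # cell gateway: tablet side, upstream side
ISP_MACS = (bytes.fromhex("020000000004"), bytes.fromhex("020000000005"))      # ISP router: cell side, pfSense side
PFSENSE_WAN_MAC = bytes.fromhex("020000000006")  # pfSense WAN interface
SRC_IP = bytes([198, 51, 100, 10])               # tablet's current public IP
DST_IP = bytes([203, 0, 113, 5])                 # pfSense WAN IP

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit header words (0 when a header with its checksum validates)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: bytes, dst: bytes, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17, no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_frame(src_mac: bytes, dst_mac: bytes, ip_packet: bytes) -> bytes:
    """Ethernet II frame: destination MAC, source MAC, EtherType 0x0800, then the IP packet."""
    return dst_mac + src_mac + b"\x08\x00" + ip_packet

def route_hop(frame: bytes, egress_mac: bytes, next_hop_mac: bytes) -> bytes:
    """One IPv4 router hop: fresh Ethernet header for the next link, TTL minus one, checksum redone; IPs untouched."""
    ip = frame[14:]
    ttl = ip[8] - 1
    if ttl == 0:
        raise ValueError("TTL expired, packet dropped")
    hdr = ip[:8] + bytes([ttl, ip[9]]) + b"\x00\x00" + ip[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return build_frame(egress_mac, next_hop_mac, hdr + ip[20:])

def parse_frame(frame: bytes) -> dict:
    """What a packet capture on the receiving interface would show."""
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "ttl": frame[22], "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])), "checksum_ok": ipv4_checksum(frame[14:34]) == 0,
    }

def frame_as_seen_on_pfsense_wan() -> dict:
    """Tablet -> cell gateway -> ISP router -> pfSense WAN; reports whether the tablet's MAC is anywhere in the frame."""
    on_cell_link = build_frame(TABLET_MAC, CELL_GW_MACS[0], build_ipv4(SRC_IP, DST_IP, 64, b"hello"))
    on_isp_link = route_hop(on_cell_link, CELL_GW_MACS[1], ISP_MACS[0])
    on_wan_link = route_hop(on_isp_link, ISP_MACS[1], PFSENSE_WAN_MAC)
    return {**parse_frame(on_wan_link), "tablet_mac_present": TABLET_MAC in on_wan_link}
```

Only the IP addresses (and a decremented TTL) carry end to end, which is why pfSense aliases and Snort pass lists can key on IP or hostname but never on a remote MAC.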
            • JKnott @johnpoz

              @johnpoz

              Would a MAC address even make it through the VPN? No it wouldn't. There is no way pfsense can see the MAC address of a device that's beyond a router. A dyndns server wouldn't see the MAC address either. A MAC address does not make it off the local link, ever, unless carried as data.

              I'm really surprised at you on this one. I thought you knew better.


              • akuma1x @Remember

                @remember You have to do this a different way. Apple's iOS devices support IPsec VPN connections right out of the box. Create an IPsec VPN server on your pfSense box, turn it on, and connect your mobile devices thru the VPN. Then you can get at internal servers and services on your network. I do this at work with my iPhone all the time and it works very well.

                If you're having trouble, I'll see if I can dig up some instructions.

                EDIT - Here, I quickly skimmed thru this video and it looks like how I set mine up a couple of years ago. Give it a try and see how it works.

                https://www.youtube.com/watch?v=TIqcNVsnLqk

                • johnpoz LAYER 8 Global Moderator @JKnott

                  @jknott said in How to trust a device by MAC address coming from WAN:

                  I'm really surprised at you on this one.

                  Who said anything about MAC through the VPN?? The point of the VPN is you have authed the client and you know who it is - never said anything about using MAC after the VPN.. Doesn't matter what IP they are coming from - if they auth to the VPN, and should have the cert you issued them as part of the auth as well - you're pretty freaking sure it's your tablet, etc.

                  That you didn't understand that seems odd..


                  • JKnott @johnpoz

                    @johnpoz

                    Yeah, sorry about that. After I posted I realized I misread what you said. I know VPNs etc., can be used to authenticate, but I was still thinking about the original request to filter on MAC, which of course will not pass through a VPN. I guess I should have had another beer before I replied. 😉

                    Still, there are a lot of people who seem to think both IP and MAC addresses reach the destination, including in this forum.


                    • bmeeks @JKnott

                      @jknott said in How to trust a device by MAC address coming from WAN:

                      @johnpoz

                      Still, there are a lot of people who seem to think both IP and MAC addresses reach the destination, including in this forum.

                      Yep! And it makes me wonder about their other network security skills when they lack such basic understanding of how Ethernet IP networks operate 🤔.

                      • ahsunh @Remember

                        @remember Dear sir, please note Suricata or Snort are IDS scanners, so it's better to use this on the LAN side, not on the WAN side, to avoid overloading performance.
                        For MAC trust, use an OpenVPN client, and trust will be assured by binding the MAC to that OpenVPN ID, or otherwise as per your need.

                        thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.