Alias by MAC address?
-
With the ASUS routers, it is possible to name devices based on their MAC address. The benefit of this is that when it comes time to apply firewall rules, one doesn't have to know what the current IP address of the device is – it can remain dynamic.
So far with pfSense, the only way I can name devices is through aliases, but that requires that the IP address be fixed. Is there a way to mirror what the ASUS router does?
-
I don't think so.
Aliases are designed to work with pf. pf does not support MAC filtering. Setting fixed DHCP leases is your best way to do what you want.
-
You could create aliases using FQDNs and have the DHCP server update DNS.
Not sure what the update frequency would be.
-
> I don't think so.
> Aliases are designed to work with pf. pf does not support MAC filtering. Setting fixed DHCP leases is your best way to do what you want.

The ASUS routers run Linux, which means they use iptables for filtering. When I've listed the rules, they've only been IP address type rules. This means that there is additional software doing the translation from MAC to IP at some point.
I guess I'll post this in the feature request area. :)
-
@tantamount you can achieve this effect easily enough by creating a Static DHCP mapping. Just map the MAC address to a specific IP address in the DHCP server settings area, then just use IP addresses. It has the same effect in the end in that you can make preferences to a specific device as based on a MAC address, thereby not needing to statically assign addresses on the client.
-
As @Derelict said as long as pfSense can resolve them you can just use the hostnames directly in an alias. As long as you have enabled 'DHCP Registration' in the DNS resolver that will be true.
I would not use that for a large network though, or anywhere that DHCP leases change often, as the filterdns updates might lag behind those changes with unexpected results.
Steve
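
The lag described above can be checked by comparing what a hostname alias last resolved to against the current DHCP leases; a stale entry means a rule written for one device is matching whatever address that name used to have. This is an added example, not part of the original post and not pfSense code: the lease text uses ISC dhcpd leases-file syntax, and the sample leases, the alias snapshot and the function names are all constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd leases-file syntax (not taken from the thread).
SAMPLE_LEASES = '''
lease 192.168.1.50 { binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop"; }
lease 192.168.1.77 { binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop"; }
lease 192.168.1.60 { binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "printer"; }
'''

# Constructed snapshot: the address each hostname alias last resolved to.
ALIAS_SNAPSHOT = {"laptop": "192.168.1.50",
                  "printer": "192.168.1.60",
                  "camera": "192.168.1.90"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# Anchored after "{", ";" or line start so "next binding state" is not
# mistaken for the current "binding state".
FIELD_RE = re.compile(
    r"(?:^|[{;])\s*(binding state|hardware ethernet|client-hostname)\s+([^;]+);",
    re.M)

def active_leases(text):
    """Return {hostname: (ip, mac)} for leases currently in the active state."""
    by_ip = {}
    for ip, body in LEASE_RE.findall("\n" + text):
        by_ip[ip] = dict(FIELD_RE.findall("{" + body))  # later entry per IP wins
    result = {}
    for ip, fields in by_ip.items():
        if fields.get("binding state") == "active" and "client-hostname" in fields:
            host = fields["client-hostname"].strip('"').lower()
            result[host] = (ip, fields.get("hardware ethernet"))
    return result

def stale_alias_entries(snapshot, leases):
    """Return {hostname: (alias_ip, lease_ip)} where the alias disagrees with
    the lease table; lease_ip is None when the host holds no active lease."""
    stale = {}
    for host, alias_ip in snapshot.items():
        lease_ip = leases.get(host.lower(), (None, None))[0]
        if lease_ip != alias_ip:
            stale[host] = (alias_ip, lease_ip)
    return stale

if __name__ == "__main__":
    for host, (old, new) in stale_alias_entries(
            ALIAS_SNAPSHOT, active_leases(SAMPLE_LEASES)).items():
        print(f"{host}: alias has {old}, lease table has {new}")
```
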
-
iptables can do MAC filtering.
Several years ago, at a Linux user group, a presenter thought he could use it to filter someone elsewhere from his network. I had to correct him and advise him he would never see that MAC address.
-
Just block everything coming via the same router.