Netgate Discussion Forum

Block clients by MAC?

Category: DHCP and DNS
Panja:

On one of my VLANs I would like to have an allow list of a few MAC addresses that may connect.
In the DHCP server config I have "MAC address control", but this only creates a list of allowed MAC addresses that can connect through DHCP.
But what about clients that use a static IP? I would like to block these as well.

Is there any way to do that?

johnpoz (LAYER 8 Global Moderator):

If you set up static ARP, then pfSense will only talk to devices that are in your static ARP table. It does not matter what the client does; pfSense will only talk to devices that are in its ARP table.

[image attachment: staticarp.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
Panja:

Thanks John for the prompt answer!
I can do that. But all clients will have statically assigned IP addresses that way, right?

johnpoz (LAYER 8 Global Moderator):

Yes, you would have to set up reservations for all the clients you want to use pfSense, be it they use them or not. But if you want the clients to pull an address from a pool you can do that as well. I think maybe this is what you're after. So you can create the reservation/static mapping, but leave out the IP. This way the client will get an address from the pool, their MAC will be listed in the ARP table on pfSense, and they would be able to talk to pfSense. But if a client just set up their own static IP and didn't get an IP from the DHCP server, they would not have that IP in the static ARP entry, so they would not be able to talk to pfSense.

Can you give an example scenario of what you're trying to stop/prevent exactly? Then we can work out if what you're trying to accomplish can be done, and how, etc.

Keep in mind pfSense is a Layer 3 firewall; its rules are based upon IP address. You cannot create rules based upon Layer 2 info (MAC address).

Panja:

Ok, I understand what you are saying now.
Reservations are ok for me.

What I want:
For a particular VLAN I only want a few clients to be able to use this VLAN.
So for instance, if someone switched to a different port on the switch and that port is configured with this particular VLAN, I want the client to be blocked.
If a "whitelisted" client does this, I want it to have access to the VLAN.

I hope it's a bit clear? English is not my native language, so I'm trying my best to explain myself. :)

JKnott:

Depending on the switch, you might be able to allow only specific MACs with a port. Cisco Catalyst switches support this.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

Panja:

@johnpoz wrote:

    If you set up static ARP, then pfSense will only talk to devices that are in your static ARP table. It does not matter what the client does; pfSense will only talk to devices that are in its ARP table.

I have set up static ARP and created some entries.
After that I tested a few scenarios.

Is the following correct when static ARP is enabled:

1. Clients that are not listed will get a configuration through DHCP but are not able to "talk" on the interface?
2. Clients that are not listed and have set up a static IP address (within the range) are not able to "talk" on the interface?

Furthermore, I could activate "Deny unknown clients - Only the clients defined below will get DHCP leases from this server".
If I activate this, DHCP will be disabled for unknown clients, right? So they won't get an IP address from the DHCP server if they are not listed?

@JKnott wrote:

    Depending on the switch, you might be able to allow only specific MACs with a port. Cisco Catalyst switches support this.

At the moment I have a simple TP-Link (managed) switch. Unfortunately this switch is not capable of doing that. Thanks for the heads up though!

johnpoz (LAYER 8 Global Moderator):

Which TP-Link switch do you have?

Sounds to me like you're looking for a NAC or NAP setup, if you're wanting to prevent users from plugging into a port and getting on a different VLAN to circumvent access. PacketFence would be a free way to set up good NAC: https://packetfence.org/

1. I have not played with the static ARP setting. But if you do not deny clients, then quite possibly they would get DHCP. But after that there would be no ARP entry for them, so they wouldn't be able to talk to pfSense. If you don't want them getting a DHCP IP, then deny them.

2. Correct, static ARP would prevent this.

Keep in mind known hosts are known hosts, be it they are in VLAN A or VLAN B. So let's say you set up a reservation for a host in VLAN A. If he moves his box over to VLAN B, he would get an IP from VLAN B. Now if that is locked down with static ARP and different MACs... not exactly sure what would happen?

How exactly are users moving ports? They are moving to a different "cube" or something and unplugging the machine there and plugging in? Is the switch room open? And anyone can just go move their machine cable to a different port?

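To check that the behaviour confirmed above (only allow-listed MACs get a permanent ARP entry, nothing else is learned on the restricted VLAN) actually holds on a box, here is a small audit script. It is an added example and not code from this thread or from the pfSense project: it parses the output of FreeBSD's `arp -an` (the line layout and all addresses below are constructed for the example) and compares the restricted interface's entries against the MACs of the DHCP static mappings. The interface name, the allow list and pfSense's own MAC are assumptions you would replace with your own.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `arp -an` prints on a FreeBSD-based pfSense box.
# The layout assumed here is "? (ip) at mac on iface permanent [type]" for
# static entries and "... expires in N seconds [type]" for learned ones; the
# addresses are made up for this example.
ARP_OUTPUT = """\
? (192.168.20.1) at 00:11:22:33:44:01 on vlan20 permanent [vlan]
? (192.168.20.10) at 00:11:22:33:44:10 on vlan20 permanent [vlan]
? (192.168.20.11) at 00:11:22:33:44:11 on vlan20 permanent [vlan]
? (192.168.20.99) at 02:00:00:00:00:99 on vlan20 permanent [vlan]
? (192.168.20.77) at de:ad:be:ef:00:77 on vlan20 expires in 1176 seconds [vlan]
? (192.168.1.5) at 00:11:22:33:44:55 on em0 expires in 900 seconds [ethernet]
? (192.168.20.200) at (incomplete) on vlan20 expired [vlan]
"""

# Allow list: the MACs of the DHCP static mappings on the restricted VLAN (constructed).
ALLOWED_MACS = {"00:11:22:33:44:10", "00:11:22:33:44:11", "00:11:22:33:44:12"}
RESTRICTED_IFACE = "vlan20"          # assumed interface name
OWN_MAC = "00:11:22:33:44:01"        # pfSense's own address on vlan20 (assumed, always permanent)

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<iface>\S+) (?P<state>permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    iface: str
    permanent: bool


def parse_arp(text: str) -> list:
    """Parse `arp -an` output; incomplete or unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["iface"],
                                    m["state"] == "permanent"))
    return entries


def audit(entries, allowed, iface, own_mac):
    """Compare one interface's ARP table against the static-mapping allow list.

    dynamic:           learned (non-permanent) entries. With static ARP enforced
                       the box should not be learning anything, so a hit means a
                       host got an entry without being on the list.
    unexpected_static: permanent entries whose MAC is not on the allow list,
                       e.g. a stale static mapping that was never removed.
    missing:           allow-listed MACs with no permanent entry right now;
                       worth confirming the mapping actually took effect.
    """
    findings = {"dynamic": [], "unexpected_static": []}
    seen = set()
    for e in entries:
        if e.iface != iface:
            continue
        seen.add(e.mac)
        if not e.permanent:
            findings["dynamic"].append(e)
        elif e.mac not in allowed and e.mac != own_mac:
            findings["unexpected_static"].append(e)
    findings["missing"] = sorted(m for m in allowed if m not in seen)
    return findings


if __name__ == "__main__":
    # On a real box you would feed `arp -an` output in here instead of the sample.
    result = audit(parse_arp(ARP_OUTPUT), ALLOWED_MACS, RESTRICTED_IFACE, OWN_MAC)
    for kind, items in result.items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the sample, the script flags 192.168.20.77 as a learned entry (a host that should not have one on a static ARP interface), 02:00:00:00:00:99 as a permanent entry that is not on the allow list, and 00:11:22:33:44:12 as an allow-listed MAC with no entry yet. Running it from cron after changing static mappings is a cheap way to notice a mapping that did not apply, or an interface where static ARP was switched off again.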
Panja:

Thanks John, it's clear to me now. Many thanks!
I'll have a look at PacketFence, but I think the setup I have now (static ARP) is feasible!

TP-Link TL-SG108E

@johnpoz wrote:

    Keep in mind known hosts are known hosts, be it they are in VLAN A or VLAN B. So let's say you set up a reservation for a host in VLAN A. If he moves his box over to VLAN B, he would get an IP from VLAN B. Now if that is locked down with static ARP and different MACs... not exactly sure what would happen?

I have checked this and it seems to be working ok.
One (test) machine has been set up with static ARP on one interface, gets a static lease and is allowed to talk to pfSense.
Unplugged the machine and put it in a different port with a different VLAN (with and without static lease) and it works.
So it should be good to go.

At the moment no one is moving ports, I just want to be sure. ;)

johnpoz (LAYER 8 Global Moderator):

Yeah, I picked up a TL-SG108 for testing since many users here have them. While it can do VLANs very cheaply, that is about the only nice thing I can say about them ;) They seem to have a big cosmetic issue with tagged packets logging errors. You cannot remove VLAN 1 from the interfaces.

Is this just a home network?? I cannot see that switch being used in any sort of work network. Maybe as a desktop switch when someone needs an extra port or 2 in their cube?

If it's just a home network, do you have smart kids that could move the ports ;) Worrying about someone moving ports in a home setup seems a bit over the top... If you're going to want to play with PacketFence you're going to need a better switch ;) The SG300 seems to work with it, but is not officially on the supported list, as one example. So if you have your eyes on using it, check their forums for what other hardware can be used that is not on the list and might be better suited than the cheaper home switches.

Panja:

Hahaha yes I'm a paranoid dad. 8)
Indeed it's a home network.

JKnott:

@johnpoz wrote:

    Yeah, I picked up a TL-SG108 for testing since many users here have them.

I bought an SG105E last summer to use as a "data tap". I have port 1 configured to mirror port 2. I then connect a computer running Wireshark to port one and the connection passing through port 2 and any other free port. Works well in this situation.

I agree TP-Link gear can be flakey (pardon the technical jargon <g>). I have a TP-Link WA-901ND access point, which supports VLANs and multiple SSIDs. However, one "feature" is that stuff leaks from the main LAN to the VLAN, so a device on the 2nd SSID might get an address from the main LAN. If it wasn't for that issue, it would be a great access point, as it uses PoE.

johnpoz (LAYER 8 Global Moderator):

Yeah, that sort of use at $30 would be well worth it. It's not a bad little switch for home/lab use and the money. Seems to be made nice, metal case and all. And it hasn't flaked out on me as of yet. Had an old Netgear GS108T (v1) that now and then would just lose its config..

I grabbed both the Netgear GS108E and the TP-Link SG108E to test with and know how they work, since they seem to be very common here on the forums. So it helps in being able to actually test and see the interface when users have questions.

But wow, are they lacking on features; VLANs is about it.. The Zyxel line seems to be getting some play as well. Might pick one of those up to have in the lab as well, since they are also really reasonably priced and seem to have more features for only a few dollars more. Even the PoE one is only like $70.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.