How to block an IP address or MAC address
-
Hello sir, is it possible to block an IP address from accessing the internet? For example, I want to block the IP of a client from the internet,
but my configuration is in DHCP. Is it possible, or how can I block a specific IP from my network via the pfSense firewall?
-
Sure, you can add a firewall block rule with a single IP address as the source.
You can add a DHCP static mapping to be sure that client always gets the same IP address.
Steve
-
Do you have the steps, sir?
For example, if I static map the IP on a certain device, does it not have an issue, even if they are trying to use a static IP?
-
@invoker There is a bit of a difference between blocking an IP, and the user of said device trying to circumvent that block by changing their IP and/or MAC address.
The Plus version has the new L2 filtering, so you could block on MAC. But the MAC is also changeable, so they could always change their device MAC and get a different IP than what you reserve for them, and circumvent any specific IP or MAC address block.
You could use static ARP - so pfSense wouldn't even talk to their device unless it was using a specific IP and MAC address. This can prevent them from changing their MAC to get a different IP, etc.
The best thing to do if you want to stop users from changing IP or MAC to circumvent your rules based on those is to put them in their own VLAN, where it doesn't matter what the source IP is or their MAC address.
Specific rules per IP or MAC are normally better suited for when you have a locked-down VLAN, but yet you might have a device you use on that VLAN. Say a wireless network, and you sometimes connect your phone or tablet to that wifi and want the IP you reserved for your devices to have more access than the normal VLAN does. This way, for someone to circumvent the rules they would have to know the specific IP that has the allow rule set for it.
-
If a device sets its own static IP address then the rule would not apply. You can set a static ARP entry so that MAC address will only work with DHCP (or statically set to the same IP). A client could still potentially spoof their MAC address though.
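
The two evasions described in this thread (a client setting its own static IP, and a different MAC taking a reserved IP) can be spotted by comparing the firewall's ARP table with the DHCP static mappings. The following is an added example, not part of the original posts and not pfSense's own code; the addresses, the mapping table and the ARP lines are constructed samples in the FreeBSD `arp -an` output format, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample: DHCP static mappings (MAC -> reserved IP).
STATIC_MAP = {
    "00:11:22:33:44:55": "192.168.1.50",
    "00:11:22:33:44:66": "192.168.1.51",
}

# Constructed sample in the FreeBSD `arp -an` output format.
ARP_SAMPLE = """\
? (192.168.1.1) at aa:bb:cc:00:00:01 on em1 permanent [ethernet]
? (192.168.1.50) at 00:11:22:33:44:55 on em1 expires in 1100 seconds [ethernet]
? (192.168.1.77) at 00:11:22:33:44:66 on em1 expires in 900 seconds [ethernet]
? (192.168.1.51) at de:ad:be:ef:00:01 on em1 expires in 300 seconds [ethernet]
? (192.168.1.120) at 02:00:00:aa:bb:cc on em1 expires in 600 seconds [ethernet]
? (192.168.1.90) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" on (?P<iface>\S+)(?P<perm> permanent)?",
    re.IGNORECASE,
)


def audit(arp_text, static_map):
    """Return sorted (ip, mac, finding) tuples for ARP entries that break the mapping."""
    reserved_ips = {ip: mac for mac, ip in static_map.items()}
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        # Skip incomplete entries and permanent ones (the firewall's own
        # addresses and static ARP entries, which cannot drift).
        if not m or m.group("perm"):
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if mac in static_map:
            if static_map[mac] != ip:
                findings.append((ip, mac, "known MAC on non-reserved IP"))
        elif ip in reserved_ips:
            findings.append((ip, mac, "reserved IP used by different MAC"))
        else:
            findings.append((ip, mac, "unknown MAC"))
    # A client that spoofs a known MAC and keeps its reserved IP is not visible here.
    return sorted(findings)


if __name__ == "__main__":
    for ip, mac, finding in audit(ARP_SAMPLE, STATIC_MAP):
        print(f"{ip:15} {mac}  {finding}")
```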
-
@invoker
Added to what has been said above: This DHCP server option:
will only allow the DHCP server to answer DHCP requests from a known (static lease set up with a known MAC) device.
Then add all the known MAC addresses to this firewall list:
and block all the unknown "others".
From this point on, someone can gain access only if they know the list of allowed MACs.
The next step is far more drastic - or actually way more simple:
"Do not allow people on your network that you don't want on your network".
You can enforce this by 'cutting the cable' or create that 'very difficult Wifi password' and don't give it to anyone. Anyway, I thought all this was a non-issue, but then I saw this video, and I'm still not sure if it's all fake / just a humor video:
-
Yeah.
I think it's fake but it's sufficiently well done you can never be sure!
-
@stephenw10 hahah - that could be staged, but it wouldn't be unthinkable that was a legit conversation... I take it that was some video off his doorbell camera or something.
Pretty funny either way. But more funny if actually legit conversation.