Firewalling MAC addresses

KomoriCodrutz

Hi.
Sorry to revive this more than 2-years old thread.
I registered on this forum just to reply about the need for the ability of filtering / blocking by MAC address.
I am by no means versed in networking, however I have a basic understanding of the principles and learned my way around in PFSense because for the most part, I find it an excellent solution for my homelab environment.
I won't go into the ipv6 debate, I am not at all familiar with the subject. However, I am a bit privacy and security-oriented and have a small dose of healthy paranoia.
I'm also not sure if this is the right place to address this , But here it goes, from a less technical user's perspective.
Here is a practical and basic scenario where this would be useful, :

1. Let's say you have your simple home network having both LAN and WLAN. Let's say someone has managed to crack your WiFi password. This means he now has unrestricted access (unless your WiFi AP has the ability to prevent it) to your entire network. If you have the ability to set rules by MAC Address, then you can either block any network access for that unknown MAC by denying an IP, or you can kick it into an isolated VLAN. In order to spoof a MAC on the intruder device, the intruder would have to make the extra effort of finding a MAC address which is allowed on your infrastructure and even so, there could be a feature which raises an alert and prompts for manual intervention if a duplicate MAC address is detected in your infrastructure. This would mean that even if somehow the intruder KNOWS your IP ranges and sets their IP manually, they would still be blocked from accessing the infrastructure.
2. Regarding the new random MAC feature on Android devices: In the same context of a small home network, if you trust an Android device, then you should also have that Android device trust your network. And the same modern Android devices give you the option to use the real MAC address for your particular network, therefore also successfully integrating into this concept. This will make a new connection a bit more complex, but if you're willing to go that route, you will also take this step.
3. A first additional layer of security which could be added would be an OS fingerprint feature on top of that. So if your known MAC address is an Android device, but the intruder uses a different OS, even if they manage to spoof the MAC address, it will kick them out. Let's say that they try emulating other OS fingerprints until they find the correct ones. If several such OS fingerprint changes are detected, then the device still stays kicked out.
4. A second additional security layer would be that, besides the fingerprinting, you could have some simple cross-platform client, which after connecting to the network, also provides some security key., known only to the firewall. This could also complement the already existing 802.1x security features if your switches support that, but also allow for better security for those of us who don't have the resources to invest in equipment with more advanced security.

Thus, you would be adding some additional control and complexity to even the simplest network setup, which will not necessarily block any and all attempts at infiltration, but definitely discourage an intruder by adding more layers to hack, therefore making it more difficult and time-consuming to infiltrate. This will, however, most likely stop the neighbour who was smart enough to find some tricks to hack into a WiFi and forgot to pay his internet provider and wants to use your internet.

On a small-scale home network, even in a homelab context, as these additional security featured would be implemented once for a particular device, they can be done manually.
I am sure that at an enterprise level, these can be centralised somehow.

Rant: Sorry if this may rub someone the wrong way, but if a project relies on its community for feedback and for useful feature requests which can be later incorporated into the paid version, which targets the corporate environment, features which are already being provided by other suppliers, but then it refuses those suggestions because they cannot be implemented quickly is not a particularly healthy attitude. I can see this also in other such mixed projects, like Nextcloud, but that's another story.
/rant.

As mentioned or hinted, I am not exceptionally technical and knowledgeable in this context. Perhaps I am not using the proper terms, but I hope that this post helps others who understand the technical parts better to drive the implementation of such features which nowadays should be considered common sense...

JKnott

@KomoriCodrutz

Since pfSense can only filter packets passing through it, it can do nothing to keep those MAC addresses off your local network. About the best you can do is only provide DHCP addresses to known MAC addresses.

Gertjan

@KomoriCodrutz said in Firewalling MAC addresses:

small dose of healthy paranoia.

Don't stay that way. Look at this forum, things that are discussed. It's all based on old technology, thrown together last century during the sixties, seventies and eighties, and that it.
What I'm saying : all this stuff can be learned pretty quickly.
Medecins that take care of people because they are ill, that is a real ongoing battle that already last for centuries, and will probably never go away.
Or flying to the moon, that is rocket science.
Not this stuff. Look I my mom, early eighty years old and she's surfing on the net, and no risks.
I've written 5 rules on a paper for her, and when she has a doubt, she'll read it, and everything is fine afterwards.
After all : all this Internet stuff exists in the human's mind (only). Go have a walk in the forest, or trip the main power switch in your house, and issues related to 'firewall' or 'MAC address' are gone.

Btw : You can't use things and not learning about them (first). This will apply as long as humans exist. Don't think that there is a short cut.

@KomoriCodrutz said in Firewalling MAC addresses:

Let's say someone has managed to crack your WiFi password

If you even think that is possible, why would you even use Wifi ??
If you have to use Wifi, put your access point in a Faraday cache, and insert your phone in the cache when you need to use the wifi. No one can hack the password, as no one can 'see' your wifi.
What I mean is : don't protect things with things you don't 'manage'. Use the methods that simple an sure.

@KomoriCodrutz said in Firewalling MAC addresses:

If you have the ability to set rules by MAC Address

pfSense has you covered.
This is probably what you are looking for https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html
I'm pretty sure these Etherrnet rules aren't used very often.
Maybe some 'comfort' rules could be created, but don't use them to enforce security.
As soon as a human can read and write (5 years or so ?) they can change their MAC address of their device ...

If the encrypted Wifi is that badly protected (your first phrase) then the hacker could see the MAC addresses going over the wire, and see which ones are 'communicating'.
10 seconds later he spoofed his MAC, and he is in.
So MAC filtring ? => >I see that as a no go.

@KomoriCodrutz said in Firewalling MAC addresses:

added would be an OS fingerprint feature on top of that.

True, packets contain a lot of very (world's most ?!) documentation data.
There are all kind of bits used to flag many posibiliies, and teher are also some semi random generated number to indicate packet sequences.
These semi random numbers could - in the past - indicate what OS is being used.
That situation is pretty much gone now.
Or do you still have a phone with on unknown obscure non updated OS hanging around ? ^^ Or a Windows 95 PC ?

@KomoriCodrutz said in Firewalling MAC addresses:

but definitely discourage an intruder by adding more layers to hack, therefore making it more difficult and time-consuming to infiltrate

Let's see this from two extreme side :
You're like everybody else.
No one is going to use 'big' resources to get your stuff. And if they need it, they will come over physically, bad things will happen, and the info is out there.
But if you really hide the digital print info to make 100 dollar bill, then yeah, you will get focused, physically, and electronically.

I've still some good news for you : apply an very ancient behavior, that works well for many centuries now : don't do on the Internet what you wouldn't do at home neither. Or what you wouldn't be happening to you.
Do that, and you'll be safe.

pfSense, as soon as it was installed, is already safe enough to run a bank (the company) on it LAN's. My opinion of course, but you get the picture.
Things can (will !) go bad because the admin starts to 'do' things with it (that he didn't really understand in the first place).
It's like a plain : you just bought a your own Boeing 737-Max, but if you didn't learn to fly the damn thing, it's game over (don't even try it). Walking isn't' that bad ^^

Btw : the first thing I always have done with my Wifi access points : I removed the password. I'm not joking.

Nick Wollman

Guys, just go check out ADAM:one from the adam networks team. Install it on your pfsense box, and take control of your network, with full l2 visibility to each endpoint. You can have a default deny all policy for new devices (MACs) and you can also just not allow random macs, although this can be done natively in pfsense. If people spoof a mac, they will just be an unknown device, with no access to what they shouldnt have.

go read this article, the guy who founded adam networks replies to the thread at the end.
https://forums.lawrencesystems.com/t/convert-pfsense-into-l7-fw-adam-networks/19226

Laxarus

Re: Firewalling MAC addresses
I came across this post while trying to find a way to exactly do this since ipv6 is giving me headache when trying to set up firewall rules.

I had to setup ipv6 due to IoT Matter requirements since they did not work properly without ipv6. Otherwise, I had zero intention to setup ipv6 since my ISP provides only ipv4.
Since then, setting up similar firewall rules was a big headache for me with some clients totally ignoring DHCPv6 or renewing their SLAAC addresses.
Using DNS is also a headache without proper stable ips.

I see that unifi routers have this exact feature despite falling short on many features compared to pfsense. I also get that freebsd has some limitations regarding mac filtering.

Then, I am guessing moving to the linux kernel is just what we need for this specific feature to be implemented.
https://www.netgate.com/blog/pfsense-software-embraces-change-a-strategic-migration-to-the-linux-kernel

Any thoughts regarding this?

SteveITS

@Laxarus It’s already in pfSense Plus, doc page above.

patient0

@Laxarus said in Firewalling MAC addresses:

Then, I am guessing moving to the linux kernel is just what we need for this specific feature to be implemented.
https://www.netgate.com/blog/pfsense-software-embraces-change-a-strategic-migration-to-the-linux-kernel

That was posted on April 1 2024, it is an April fools day thing. A move to Linux for pfSense is not going to happen.

SteveITS

@patient0 said in Firewalling MAC addresses:

That was posted on April 1 2024, it is an April fools day thing. A move to Linux for pfSense is not going to happen.

https://forum.netgate.com/post/1212652

patient0

@SteveITS said in Firewalling MAC addresses:

https://forum.netgate.com/post/1212652

Yes, I did see that and it does not help my argument at all :o)

Laxarus

@patient0 Ugh, this is embarrassing /:()