Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to block mac address?

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    10 Posts 5 Posters 18.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • X
      xbipin
      last edited by

      usually commercial routers have a a mac address block feature where u can simply restrict mac address from accessing anything.

      i can use static arp entries but then i would need to add all the mac ids to the list to which i want to provide access in order to just block a few of them, firewall rules can be sued but that then depends on ip address which can easily be changed by the client.

      1 Reply Last reply Reply Quote 0
      • M
        Metu69salemi
        last edited by

        You can block only if it passes through firewall, same as commercial routers

        1. make some space high or low end of your dhcp pool.
        2. assign ip address to this mac outside of pool
        3. allow access every client except this outside pool area
        1 Reply Last reply Reply Quote 0
        • X
          xbipin
          last edited by

          what if the client manually specifies his ip address instead of following the dhcp assigned.

          i have read older posts regarding the same topic but there seems no easy way of simply putting the mac ids in a list similar to how its available in routers so would that be possible if a bounty was posted?

          1 Reply Last reply Reply Quote 0
          • N
            Nachtfalke
            last edited by

            The only way to MAC filter is - as far as I know - the captive portal.
            You could add there all MACs that should have access. The other get redirected to the captive portal page.

            But you say that the clients can change their IPs…then they can change their MAC addresses, too.

            1 Reply Last reply Reply Quote 0
            • X
              xbipin
              last edited by

              mac id changing is a bit tricky compared to an ip change so i doubt the client will do that, problem is the allow mac id list is huge so i cant add that to any list manually and usually clients keep adding newer devices such as phones laptops to the network, it would be easier for me to fish for the bad fishes and block them.

              i wonder how they do it in routers

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                "mac id changing is a bit tricky compared to an ip change"

                Says who? Most windows nic drivers have it built right in to change the mac (local administered address), and linux is simple ifconfig command ifconfig ethX hw ether newmac

                So not sure where you got the idea that its something all that difficult to do?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • X
                  xbipin
                  last edited by

                  lets just assume they wont mess with the mac id, now is it possible to have something that filters mac ids based on a list similar to how the firewall rules work, meaning, filter traffic based on mac id before matching with firewall rules.

                  1 Reply Last reply Reply Quote 0
                  • M
                    mikeisfly
                    last edited by

                    You can setup a captive portal based on a username and password. There are many guides on how that is done. A captive portal will redirect everyone and once you are authenticated you won't be bothered by it anymore. Think about Wi-Fi at a hotel you stayed out. You can also add in expempt MAC for your servers and things. I think this is a better solution and you can add some terms of service that could protect you legally.

                    1 Reply Last reply Reply Quote 0
                    • X
                      xbipin
                      last edited by

                      im familiar with captive portal but i still prefer a simple list on adding mac ids to it would not get an ip or almost no communication with the firewall and would be simple enough for others to use also.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Ok Im am no expert for sure, but a simple google for mac filtering with ipfw, first thing I think that would have to happen is to turn on

                        sysctl -a | grep ether.ipfw
                        net.link.ether.ipfw: 0

                        I believe this has to be 1 to do layer 2 checks in ipfw??

                        I think once you set that then sure you could write your own rules.  I would suggest you put in a feature request if you want the gui to be able to do it, or start posting a bounty.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.