Netgate Discussion Forum

Feature Request: MAC Address ACL

Captive Portal
SEMIJim

      We're operating a captive portal for business guests, running pfSense on a Netgate m1n1wall.  Works great.

      I have but one problem, and that's more one of ease-of-use than anything else.

I don't want employees using the thing to do an end-run around the corporate firewall.  What I've been doing is entering their laptop's wireless MAC addresses into the AP that's on the m1n1wall's LAN port.  But it's a clumsy interface and I actually have to do that using the guest WiFi, which is unencrypted.  It would be much more convenient to be able to do this as part of the captive portal configuration.

      So that's my feature request: A MAC address ACL for the captive portal.

      Thanks,
      Jim

GruensFroeschli

        Isn't that what the "MAC passthrough" list does?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

SEMIJim

          @GruensFroeschli:

          Isn't that what the "MAC passthrough" list does?

          Unless I'm misunderstanding the meaning of "passthrough" and the description is way wrong: No.  MAC passthrough simply bypasses the captive portal login/authentication phase entirely.

          I would like an ACL, to prevent employees using it entirely.

          Jim

GruensFroeschli

            Ah so you don't want to allow communication with unregistered clients at all.

            For this you can go to "Services –> DHCP-Server"
            Go to the Tab on which you want to restrict access based on MAC.
            Enable the option "Static ARP".
            Now only devices which have their MAC registered below will be able to communicate with the NIC on which this DHCP server runs.


SEMIJim

              @GruensFroeschli:

              Ah so you don't want to allow communication with unregistered clients at all.

              No.  Just the opposite: I want to allow use by all but a list of clients.

              Again: It's a guest wireless facility.  I don't want employees using it to do end-runs around the corporate firewall.

              Jim

GruensFroeschli

Ah, now I get it.

                Well you could use the DHCP server to accomplish something like that.

                Create static IP mappings for all "known" devices.
                All unknown devices will get an IP out of a dynamic range.
All known devices have a static IP in a predefined range.

                Now create a firewall rule allowing the dynamic IPs and block the static IPs.

                (In advance: The argument that someone could just change their IP manually is invalid, changing one's MAC is as easy as changing the IP).


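A small model of the DHCP-plus-firewall workaround described in the post above, as an added example that is not part of the thread or of pfSense itself. The guest subnet, the static and dynamic ranges, the MAC addresses and the rule list are assumed values constructed for the illustration. It checks that the static range and the dynamic pool are disjoint (an overlap would let a "known" device land in the passed range), simulates which address a given MAC receives from the DHCP server, and evaluates the guest-interface rules top-down with first match winning, which is how the pf rules pfSense generates (with `quick`) behave.

```python
import ipaddress

# --- Constructed sample configuration (assumed values, not from the thread) ---
GUEST_SUBNET = ipaddress.ip_network("192.168.50.0/24")
STATIC_RANGE = ipaddress.ip_network("192.168.50.0/25")    # known employee devices
DYNAMIC_POOL = ipaddress.ip_network("192.168.50.128/25")  # everyone else (guests)

# DHCP static mappings: MAC -> fixed address inside STATIC_RANGE (constructed)
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": ipaddress.ip_address("192.168.50.10"),
    "00:11:22:33:44:66": ipaddress.ip_address("192.168.50.11"),
}

# Firewall rules on the guest interface, evaluated top-down, first match wins.
# Block the static (known-device) range, pass the dynamic (guest) pool.
RULES = [
    ("block", STATIC_RANGE),
    ("pass", DYNAMIC_POOL),
]


def validate_config(static_range, dynamic_pool, mappings, subnet=GUEST_SUBNET):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    if static_range.overlaps(dynamic_pool):
        problems.append("static range overlaps dynamic pool")
    for rng, name in ((static_range, "static range"), (dynamic_pool, "dynamic pool")):
        if not rng.subnet_of(subnet):
            problems.append(f"{name} is not inside the guest subnet")
    for mac, ip in mappings.items():
        if ip not in static_range:
            problems.append(f"mapping for {mac} ({ip}) is outside the static range")
    return problems


def lease_for(mac, mappings=STATIC_MAPPINGS, pool=DYNAMIC_POOL):
    """Simulate the DHCP server: a known MAC gets its fixed address, an unknown
    MAC gets the first host address of the dynamic pool (a real server tracks
    leases and hands out successive addresses)."""
    mac = mac.lower()
    if mac in mappings:
        return mappings[mac]
    return next(pool.hosts())


def firewall_verdict(ip, rules=RULES):
    """Walk the rule list top-down; default deny if nothing matches."""
    for action, net in rules:
        if ip in net:
            return action
    return "block"


def client_allowed(mac):
    """End-to-end: does a client with this MAC get past the guest firewall?"""
    return firewall_verdict(lease_for(mac)) == "pass"


if __name__ == "__main__":
    problems = validate_config(STATIC_RANGE, DYNAMIC_POOL, STATIC_MAPPINGS)
    print("config problems:", problems or "none")
    for mac in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"):
        verdict = "allowed" if client_allowed(mac) else "blocked"
        print(f"{mac} -> {lease_for(mac)} -> {verdict}")
```

The validation step is the part worth keeping: if the two ranges are ever edited so that they overlap, or a static mapping is placed outside the blocked range, the "known" device silently receives a passed address and the workaround stops doing anything, with no error from either the DHCP server or the firewall.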
SEMIJim

                  @GruensFroeschli:

Ah, now I get it.

                  Well you could use the DHCP server to accomplish something like that.

                  Create static IP mappings for all "known" devices.
                  All unknown devices will get an IP out of a dynamic range.
All known devices have a static IP in a predefined range.

                  Now create a firewall rule allowing the dynamic IPs and block the static IPs.

                  Thanks.

                  I'd already considered that.  Kind of convoluted, dontjathink? ;)

                  Jim

GruensFroeschli

                    Yep  :D

I think I remember reading somewhere that it's possible in the underlying software but just not in the GUI.
So maybe in a future version.


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.