Netgate Discussion Forum
    Block via MAC or DHCP list

    Firewalling
    BenKenobe

      Thanks - network puzzles I can set up  ;D

      I just want to keep the hassle to a minimum for me and the maximum for him.

      Looks like I need to explore some code hacks when I get time, because that sounds exactly like what's needed.

    rjcrowder

        If you're comfortable at the Unix command line, it's a relatively easy task to do what I described (i.e. turn on IPFW and introduce your custom rules). Let me know if you want it and I could post some sample code and instructions…

        BTW - what I do is allow certain IP ranges to bypass the dansguardian filter. For those ranges, I make sure (using IPFW rules) that the MAC address and IP address entered on the DHCP static entry are correct (as seen by IPFW). Basically make sure no one can hijack a MAC address...

    maddin24

           I am also interested in a pfSense MAC address filter.

          Could you please post some sample code and instructions?

          Best regards

    rjcrowder

            Sorry it took me so long to get something posted on this… See attached files (note that I have added ".txt" to all file names).

            Descriptions:

            ipfw_custom_rules.txt - A shell script that dumps rules to standard out. This script can be used to generate rules that get added to the rules saved by the captive portal. I modified /etc/inc/captiveportal.inc to execute this script and add the rules (see attached captiveportal.inc.new)

            macip_additions.conf - a list of mac/ip combinations to add as acceptable. Necessary for virtual machines and some wireless adapters that may show the same IP with more than one mac.

            checked_ranges.conf - file specifying ranges to be checked for valid mac/ip combinations (see script... can also use an alias)

            sample_output.txt - sample output of the script

            ipfw_list.txt - output of "ipfw -x Dummy list"

            captiveportal.inc - modified captiveportal.inc. Search for "RJC" to see my mods. Note that I also modified the dhcp page to call the captiveportal_init_rules function when saving fixed IP addresses.

            ipfw_custom_rules.txt
            captiveportal.inc.new.txt
            checked_ranges.conf.txt
            sample_output.txt
            macip_additions.conf.txt
            ipfw_list.txt

    Cino

              I have a few questions when you have a chance:

              Any issues running this on 2.1.5?
              Does CP have to be enabled? If so, I take it, you just select the interface you want it enabled on?
              Have you tested this with IPv6 by chance? I recall that IPFW in 2.1.x doesn't work with IPv6

    rjcrowder

                Works on 2.1.5… although I had to update the changes into the pfSense code that I've modified to execute my script. Really pretty minor changes, but I have to keep them up to date as versions change.

                I also made another screen change to allow you to maintain the list of additional IP/MAC combinations on the DHCP screen (see previous thread - sometimes things like wireless adapters show two MACs - device MAC and adapter MAC). I'll try to post the updated 2.1.5 versions tonight.

                I enable the captive portal just to turn on the IPFW firewall (no other reason). I simply create a dummy portal - actually call it "dummy" - on whatever interface. The IPFW rules I add skip over the captive portal rules so the captive portal doesn't function. If you wanted, I suppose you could figure out how to add rules and leave the captive portal active.

                I have not tried it with IPv6

    Cino

                  Thank you. I'll wait for the new files before giving it a try. I have a feeling it may not work for me if I have IPv6 enabled but I could just disable it for this one interface.

    rjcrowder

                    Sorry it took me a while to pull this together. The relevant files are in this zip https://dl.dropboxusercontent.com/u/55672566/MAC-IP-checking.zip

    Cino

                      Thank you!

    rjcrowder

                        You're welcome… didn't have time to comment last night, but let me explain a couple of things and offer a couple suggestions.

                        /usr/local/www/services_dhcp.php is a modified version of the dhcp screen. It has two changes - first it will call the captive portal re-initialize functions. These in turn call the script to add the additional ipfw rules. This is done because I add rules to check that mac addresses are not hijacking IPs of certain ranges of fixed assignments. The second thing it does is add a section for duplicate mac/ip combinations. This is stored in a section of the config.xml and then written out to a file /usr/local/ipfw_custom_rules/macip_additions.conf that is added to the ipfw rules.

                        The directory /usr/local/ipfw_custom_rules has the script "ipfw_custom_rules" that creates the rules I am adding. It reads an alias to determine the IP address range that I want to check to make sure that no one is hijacking an IP. The alias needs to be set in the config (just a normal pfSense alias). This script is called from the captive portal code.

                        /etc/inc/captiveportal.inc is a modified version of the captiveportal code that adds the output of the above script to the IPFW rules. You can simply run the script (since it dumps to standard out) to see what it is adding.

                        For the two modified files, you can diff them with the originals to see the changes... it's not major.

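An added example, appended after the thread and not rjcrowder's ipfw_custom_rules script (which is only described above, not posted here) nor pfSense project code: a POSIX shell generator in the same shape, which reads DHCP static mappings plus a macip_additions-style file and writes, to standard out, one ipfw allow rule binding each in-range IP to its MAC, followed by a layer-2 deny for everything else that claims an address in the checked range. Everything concrete in it is an assumption: the pfSense-style dhcpd.conf host blocks it parses (with "hardware ethernet" before "fixed-address"), the "MAC IP" format of the additions file, a CIDR argument in place of the alias the real script reads, the interface em1, the base rule number 2000, and constructed sample inputs. It emits ipfw command-file syntax (the form `ipfw -q <file>` reads); loading that output into the captive portal's ipfw context is left to the modified captiveportal.inc the thread describes.

```shell
#!/bin/sh
# Added example, not the thread's own script: emit ipfw rules that pin each
# DHCP static lease inside a checked CIDR range to its MAC address.
# Assumptions (mine, not the thread's): pfSense-style dhcpd.conf "host" blocks
# where "hardware ethernet" precedes "fixed-address"; an additions file of
# "MAC IP" lines; one checked CIDR; output in ipfw command-file syntax (what
# "ipfw -q <file>" reads); a hypothetical base rule number passed by the caller.
# MAC matching in ipfw needs net.link.ether.ipfw=1 on FreeBSD.

ip2int() {
    # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP CIDR: succeed when IP lies inside CIDR
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

static_pairs() {
    # Print "MAC IP" for every host block in a dhcpd.conf
    awk '/hardware ethernet/ { mac = $3; sub(/;/, "", mac) }
         /fixed-address/   { ip = $2;  sub(/;/, "", ip); print mac, ip }' "$1"
}

gen_rules() {
    # gen_rules DHCPD_CONF ADDITIONS_CONF CIDR IFACE BASE_RULE
    # One allow rule per (MAC, IP) binding inside the checked range, then a
    # layer-2 deny for anything else sourcing an address from that range.
    n=$5
    { static_pairs "$1"; grep -Ev '^[[:space:]]*(#|$)' "$2"; } |
    while read -r mac ip; do
        in_cidr "$ip" "$3" || continue   # outside the checked range: not ours
        printf 'add %d allow ip from %s to any MAC any %s in via %s\n' \
            "$n" "$ip" "$mac" "$4"
        n=$((n + 1))
    done
    # The allow rules above only match on the layer-2 pass (they carry a MAC
    # clause), so the catch-all deny is limited to layer2 as well; otherwise the
    # layer-3 pass of the same packets would hit it with no MAC to compare.
    printf 'add %d deny ip from %s to any layer2 in via %s\n' \
        "$(( $5 + 1000 ))" "$3" "$4"
}

demo() {
    # Constructed sample inputs (not real config): two static leases, one of
    # them in the checked range, plus an extra MAC for that in-range host (the
    # "wireless adapter shows two MACs" case the thread mentions).
    d=$(mktemp -d) || return 1
    cat > "$d/dhcpd.conf" <<'EOF'
host s_lan_0 {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.10;
}
host s_lan_1 {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 10.0.0.5;
}
EOF
    cat > "$d/macip_additions.conf" <<'EOF'
# MAC IP : additional bindings that are also acceptable
02:aa:bb:cc:dd:ee 192.168.1.10
EOF
    gen_rules "$d/dhcpd.conf" "$d/macip_additions.conf" 192.168.1.0/24 em1 2000
    rm -rf "$d"
}

demo
```

Run as-is to see the three rules the sample produces; to use it on a box, point gen_rules at the real /etc/dhcpd.conf and additions file and pick a rule number range that sits where the thread's modified captiveportal.inc loads the extra rules. Only IPv4 is handled.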
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.