Block internet access by MAC Address

mtriber · Dec 30, 2016, 11:56 AM

I Have a network at home with a PFSense firewall. I would like to use the Firewall rules or what to block internet access for one of these devices on the network? This is a cell phone and I want to turn it off during night time hours. The one that I want to block does not have a static IP address assigned, and I also know its MAC address. I just cant seem to be able to figure out how to create a rule that will effectively block internet access for that one device. But I still want that device to be able to access the network internally, such as network printers shared drives etc. I would like to use the MAC address to limit internet access. I don't wan't the person to know I am blocking them

JKnott · Dec 30, 2016, 10:28 PM

AFAIK, pfSense doesn't filter on MACs. However, what you might try is to set up your DHCP server to always give that phone the same IP address and filter on that.

MAC filtering is something that's sadly missing from pfSense.

Nullity · Dec 30, 2016, 10:34 PM

ipfw does support MAC address filtering but I dunno how to properly use it with pfSense.

hendersonmc · Dec 31, 2016, 10:36 PM

@mtriber:

I Have a network at home with a PFSense firewall. I would like to use the Firewall rules or what to block internet access for one of these devices on the network? This is a cell phone and I want to turn it off during night time hours. The one that I want to block does not have a static IP address assigned, and I also know its MAC address. I just cant seem to be able to figure out how to create a rule that will effectively block internet access for that one device. But I still want that device to be able to access the network internally, such as network printers shared drives etc. I would like to use the MAC address to limit internet access. I don't wan't the person to know I am blocking them

Go to DHCP Leases under the Status menu. Find the MAC and use the Actions to fix the address outside the dynamic range
Write your rules based upon (fixed) IP address

kpa · Dec 31, 2016, 10:56 PM

This is a design choice originating from OpenBSD's PF where they promote "correctness" which in the case of PF means it's strictly a layer 3 packet filter and provides no means to express rules in terms of lower level (layer 2) traffic and its properties. FreeBSD's packet filter hooks do allow this access and IPFW makes use of it if you instruct it with correct rules.

JKnott · Jan 1, 2017, 2:13 PM

^^^^
Sometimes "correctness" might not be correct. ;)