Netgate Discussion Forum

    MAC filtering like ebtables net.link.ether.ipfw=1

      Raff

      I want to move from our old firewall running iptables and ebtables.
      I managed to configure pfSense as a bridge, but I cannot find the way to filter MAC addresses on the firewall. For example, I need to DROP all packets from 00:04:96:00:00:00.
      I also want to block some other Ethernet protocols and allow only ARP, IPv4, etc.
      Which file do I have to edit to make this possible?
      I have already added the system tunable:

      net.link.ether.ipfw=1

      Best Regards
      Raff

        jimp Rebel Alliance Developer Netgate

        It is not currently possible to filter by MAC address.

        Passing or blocking by protocol is available on any firewall rule using the Protocol drop-down.

          Raff

          The drop-down is possible only for TCP or UDP; what about Ethernet protocols? I need to drop all SNAP packets.

          I was using the fantastic Sentry CD firewall so far, but it has the old kernel 2.4, thus it is sometimes affected by flooding and then it crashes. Therefore I was looking for pfSense.

          Any other recommendation on how to block MAC addresses? pfSense has FreeBSD in the background, thus it should be possible to block by MAC. I am not a FreeBSD expert, therefore I need some help: how do I make it happen?

          Regards
          Raff

            jimp Rebel Alliance Developer Netgate

            @Raff:

            The drop-down is possible only for TCP or UDP; what about Ethernet protocols? I need to drop all SNAP packets.

            On what page? For both firewall rules and NAT there are many other choices.

            @Raff:

            Any other recommendation on how to block MAC addresses? pfSense has FreeBSD in the background, thus it should be possible to block by MAC. I am not a FreeBSD expert, therefore I need some help: how do I make it happen?

            There is no supported way to do it. Captive Portal is capable of doing some things in that area but it would also affect the people you are passing through.

              kpa

              IPFW, which is the other main packet filter for FreeBSD, can do MAC filtering, but pfSense has chosen not to use it as the main filtering engine; instead pfSense uses the PF (originally from OpenBSD) packet filter, which is a pure layer 3 (IP) packet filter. I doubt you can do MAC filtering on pfSense easily by hacking in your own IPFW rules. I'd recommend using vanilla FreeBSD instead if you're really serious about it and know your way around FreeBSD without the aid of a GUI such as the one pfSense has.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.