Port Forward Rule based on Source MAC address?

  • I don't see this as an option, but maybe I'm missing it somewhere.

    I would like to be able to specify which Source Hosts can be forwarded through my Firewall NAT based on the Source's MAC Address. I see only Source IP addresses available.

    I have a few ports open on my pfSense Firewall NAT for IP cameras. While I have very long, random, complex passwords set on those devices (and disabled the default accounts), I would still feel better if an extra filter could be added to allow only chosen devices access through that NAT. These would be Smart Phones and Tablets that we carry with us. Since IP addresses change while on Hotspots and Mobile Networks, it seems that MAC address (which can be spoofed, I know) could offer an extra level of security to those internal devices….

    johnpoz: Did you miss me??? ;)

    1. As far as I can tell, unlike some other firewalls, pfSense doesn't filter MACs.
    2. Your idea won't work.  MAC addresses do not pass through routers.  They're valid on the local LAN only, so pfSense will never see the MAC address of your phone, tablet etc., if you're elsewhere.

  • Wow! That was quick!!
    Thank you for the response.
    I guess there's no good way to lock access down to particular devices when out roaming the 'Net.

    Thanks again!

  • LAYER 8 Netgate

    If you are talking about filtering inbound connections on WAN by MAC address, the MAC address of the device is almost certainly not available there anyway.

    You should be using a VPN regardless.

  • @Derelict:

    You should be using a VPN regardless.

So…set up an OpenVPN Server Service in pfSense and then use that with an OpenVPN Client on my devices to gain access (through an open port in the NAT) to the OpenVPN Server and thus into my home network?
    Then it will appear I am 'local' on my network and can access my devices (IP cameras, etc.) as if I am at home and without opening any more than just the 1 VPN port on my Firewall/Router?
    My traffic will then be encrypted and secure all the time...
    While that's an extra step to run on my devices to get to my IP cameras, it may well be worth the extra security.


  • the MAC address of the device is almost certainly not available there anyway

    It most definitely won't be available.  As I mentioned, MAC addresses do not pass through routers, as the Ethernet (or other layer 2 protocol) frames, which contain the MAC addresses, are discarded at the router.  Only the IP packets, containing just the IP addresses, are passed through a router.  So, unless you can reach a device without passing through a router, you will never see the MAC address, unless some app includes it as data.  In that instance, it's beyond what pfSense can see.

A MAC address does not identify a computer or a device, it identifies only a single network interface. A MAC address is also "link-local" and does not traverse routers as already noted. Even if you used a TAP type tunnel (that emulates an ethernet connection) for VPN the VPN server side would only be able to see the fake MAC address used on the TAP adapter on the client computer, not the MAC address on the main ethernet or wireless NIC on it.

  • "MAC Address does not traverse routers". I'm not wanting it to traverse a router. My original idea was to have the router block any Forwarded Port access based on MAC address of the Source Host, not "travel across or through" a router.
    So, from what's been said here:

    1. MAC addresses don't exist on external (Internet) connections
    2. Even if they did, they won't be seen by the Router link level.
But pfSense is more than just a Router, it's a Firewall, a NAT, a DHCP Server, DNS Cache, etc. But the posts here say it's just not possible, so I believe them.
      Now…if I go through a VPN, then I don't care anymore about MAC filtering because only devices (my devices) that have the proper certificates on their VPN clients will be able to connect, period. That seems a whole lot more secure than MAC addresses (even if that was possible) because:
      a) MAC Addresses can be spoofed
      b) MAC Addresses are not guaranteed unique.
      So, I'll be looking into setting up OpenVPN Server in pfSense.
      Thanks again for everyone's help!
      pfSense is awesome.

  • LAYER 8 Netgate

    It most definitely won't be available.

    Unless the source device is on the WAN subnet, which is why I couched with "almost certainly."

  • Basically, MAC addresses are layer 2 and pfSense filters/routes on layer 3.

    1. MAC addresses don't exist on external (Internet) connections

    Actually, they might, depending on what's on the other side of the router.  Any "broadcast" type connection would use MAC addresses.  On the other hand, point to point links might not.
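The point made several times in this thread (a router strips the Ethernet frame and re-encapsulates the IP packet with its own MAC, so a firewall's WAN interface only ever sees the upstream gateway's MAC) can be shown with a small packet-level model. The following is an added example written for this page; it is not code from the thread, from pfSense or from Netgate. All MAC addresses, IP addresses and the three-hop topology (phone, carrier gateway, ISP edge router, pfSense WAN) are constructed for the demo; the addresses use locally administered MACs and the RFC 5737 documentation IP ranges.

```python
"""Added example (not from the pfSense thread): model an IPv4 packet being
re-framed at every router hop. The Ethernet source MAC changes at each hop
while the IP source address stays the same, which is why a WAN port-forward
rule cannot key on the sending phone's MAC. All addresses are constructed."""

import struct

ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a header that
    already carries a correct checksum the result is 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip: str, dst_ip: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(src_mac: str, dst_mac: str, ip_packet: bytes) -> bytes:
    """Ethernet II frame: dst MAC, src MAC, ethertype, then the IP packet."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame: bytes) -> dict:
    """Split a frame into the L2 and L3 fields a firewall could inspect."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac),
            "src_ip": bytes_to_ip(ip[12:16]), "dst_ip": bytes_to_ip(ip[16:20]),
            "ttl": ip[8], "ip_packet": ip}


def forward(frame: bytes, in_mac: str, out_mac: str, next_hop_mac: str) -> bytes:
    """One router hop: accept only frames addressed to our inbound NIC, drop
    the L2 header, decrement TTL, fix the checksum, and re-encapsulate with
    our own outbound NIC as the source MAC. The original sender's MAC is gone."""
    fields = parse_frame(frame)
    if fields["dst_mac"] != in_mac:
        raise ValueError("frame not addressed to this router")
    ip = bytearray(fields["ip_packet"])
    if ip[8] <= 1:
        raise ValueError("TTL expired")
    ip[8] -= 1
    ihl = (ip[0] & 0x0F) * 4
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return build_frame(out_mac, next_hop_mac, bytes(ip))


# Constructed topology (hypothetical addresses): phone -> carrier gateway -> ISP edge -> pfSense WAN.
PHONE_MAC = "02:11:22:33:44:55"
PHONE_IP = "203.0.113.7"
PFSENSE_WAN_MAC = "02:aa:aa:aa:aa:01"
PFSENSE_WAN_IP = "198.51.100.20"
ROUTERS = [  # (name, inbound NIC MAC, outbound NIC MAC)
    ("carrier gateway", "02:c0:00:00:00:01", "02:c0:00:00:00:02"),
    ("ISP edge router", "02:15:00:00:00:01", "02:15:00:00:00:02"),
]


def trace_to_wan() -> list:
    """Return (hop label, parsed fields) for each segment the packet crosses."""
    packet = build_ipv4(PHONE_IP, PFSENSE_WAN_IP, b"camera request", ttl=64)
    frame = build_frame(PHONE_MAC, ROUTERS[0][1], packet)
    seen = [("phone's own segment", parse_frame(frame))]
    for i, (name, in_mac, out_mac) in enumerate(ROUTERS):
        next_hop = ROUTERS[i + 1][1] if i + 1 < len(ROUTERS) else PFSENSE_WAN_MAC
        frame = forward(frame, in_mac, out_mac, next_hop)
        seen.append((f"after {name}", parse_frame(frame)))
    return seen


if __name__ == "__main__":
    for label, f in trace_to_wan():
        print(f"{label:22} src_mac={f['src_mac']} src_ip={f['src_ip']} ttl={f['ttl']}")
```

Running it shows the source IP 203.0.113.7 surviving every hop while the source MAC becomes the outbound NIC of whichever router handed the frame to the next segment. What pfSense's WAN sees is therefore the ISP gateway's MAC on essentially every inbound packet, regardless of which phone or tablet originated it, so a MAC-based port-forward rule on WAN would have nothing to distinguish. The only exception, as noted above, is a host that sits directly on the WAN subnet and hands its frame to pfSense without a router in between.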