Netgate Discussion Forum

Port Forward Rule based on Source MAC address?

NAT
11 Posts 5 Posters 9.1k Views
  • D
    DaHai8
    last edited by Dec 16, 2016, 11:15 AM

    I don't see this as an option, but maybe I'm missing it somewhere.

    I would like to be able to specify which Source Hosts can be forwarded through my Firewall NAT based on the Source's MAC Address. I see only Source IP addresses available.

    I have a few ports open on my pfSense Firewall NAT for IP cameras. While I have very long, random, complex passwords set on those devices (and disabled the default accounts), I would still feel better if an extra filter could be added to allow only chosen devices access through that NAT. These would be Smart Phones and Tablets that we carry with us. Since IP addresses change while on Hotspots and Mobile Networks, it seems that MAC address (which can be spoofed, I know) could offer an extra level of security to those internal devices….

    johnpoz: Did you miss me??? ;)

    • J
      JKnott
      last edited by Dec 16, 2016, 11:18 AM

      1. As far as I can tell, unlike some other firewalls, pfSense doesn't filter MACs.
      2. Your idea won't work.  MAC addresses do not pass through routers.  They're valid on the local LAN only, so pfSense will never see the MAC address of your phone, tablet etc., if you're elsewhere.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • D
        DaHai8
        last edited by Dec 16, 2016, 11:23 AM

        Wow! That was quick!!
        Thank you for the response.
        I guess there's no good way to lock access down to particular devices when out roaming the 'Net.

        Thanks again!

        • D
          Derelict LAYER 8 Netgate
          last edited by Dec 16, 2016, 11:31 AM

          If you are talking about filtering inbound connections on WAN by MAC address, the MAC address of the device is almost certainly not available there anyway.

          You should be using a VPN regardless.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • D
            DaHai8
            last edited by Dec 16, 2016, 11:48 AM

            @Derelict:

            You should be using a VPN regardless.

            So…set up an OpenVPN Server Service in pfSense and then use that with an OpenVPN Client on my devices to gain access (through an open port in the NAT) to the OpenVPN Server and thus into my home network?
            Then it will appear I am 'local' on my network and can access my devices (IP cameras, etc.) as if I am at home and without opening any more than just the 1 VPN port on my Firewall/Router?
            My traffic will then be encrypted and secure all the time...
            While that's an extra step to run on my devices to get to my IP cameras, it may well be worth the extra security.

            Thanks!

            • J
              JKnott
              last edited by Dec 16, 2016, 12:38 PM

              the MAC address of the device is almost certainly not available there anyway

              It most definitely won't be available.  As I mentioned, MAC addresses do not pass through routers, as the Ethernet (or other layer 2 protocol) frames, which contain the MAC addresses, are discarded at the router.  Only the IP packets, containing just the IP addresses, are passed through a router.  So, unless you can reach a device without passing through a router, you will never see the MAC address, unless some app includes it as data.  In that instance, it's beyond what pfSense can see.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • K
                kpa
                last edited by Dec 16, 2016, 2:03 PM Dec 16, 2016, 1:59 PM

                A MAC address does not identify a computer or a device; it identifies only a single network interface. A MAC address is also "link-local" and does not traverse routers, as already noted. Even if you used a TAP type tunnel (that emulates an Ethernet connection) for VPN, the VPN server side would only be able to see the fake MAC address used on the TAP adapter on the client computer, not the MAC address on the main Ethernet or wireless NIC on it.

                • D
                  DaHai8
                  last edited by Dec 16, 2016, 2:27 PM Dec 16, 2016, 2:19 PM

                  "MAC Address does not traverse routers". I'm not wanting it to traverse a router. My original idea was to have the router block any Forwarded Port access based on the MAC address of the Source Host, not "travel across or through" a router.
                  So, from what's been said here:

                  1. MAC addresses don't exist on external (Internet) connections
                  2. Even if they did, they won't be seen by the Router at the link level.

                  But pfSense is more than just a Router, it's a Firewall, a NAT, a DHCP Server, DNS Cache, etc. But the posts here say it's just not possible, so I believe them.
                  Now…if I go through a VPN, then I don't care anymore about MAC filtering because only devices (my devices) that have the proper certificates on their VPN clients will be able to connect, period. That seems a whole lot more secure than MAC addresses (even if that was possible) because:
                  a) MAC Addresses can be spoofed
                  b) MAC Addresses are not guaranteed unique.
                  So, I'll be looking into setting up OpenVPN Server in pfSense.
                  Thanks again for everyone's help!
                  pfSense is awesome.
                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Dec 16, 2016, 5:26 PM

                    It most definitely won't be available.

                    Unless the source device is on the WAN subnet, which is why I couched with "almost certainly."

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

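The point JKnott and Derelict make above, worked through as a small added example. This is not code from the thread or from pfSense, and every address in it is constructed (documentation IP ranges and locally administered MACs). It models what each router hop does to a packet on its way from a phone on a hotspot to the pfSense WAN: the incoming Ethernet header is discarded and a new one is built, so the source MAC that arrives on WAN belongs to the upstream gateway, not the phone. The second function models Derelict's "almost certainly" exception, a host sitting directly on the WAN subnet with no router in between.

```python
import socket
import struct

# Constructed sample addresses for the walk-through (not taken from the thread).
PHONE_MAC = "02:11:22:33:44:55"           # the phone or tablet, on a mobile hotspot
HOTSPOT_ROUTER_MAC = "02:aa:aa:aa:aa:01"  # the hotspot's LAN-side interface
ISP_GATEWAY_MAC = "02:bb:bb:bb:bb:01"     # the last router before pfSense's WAN
PFSENSE_WAN_MAC = "02:cc:cc:cc:cc:01"     # pfSense WAN interface
PHONE_IP = "203.0.113.10"                 # TEST-NET-3 documentation address
PFSENSE_WAN_IP = "198.51.100.20"          # TEST-NET-2 documentation address

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_checksum(header):
    """Standard one's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src_ip, dst_ip, ttl, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_frame(src_mac, dst_mac, ip_packet):
    """Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, then the IP packet."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00" + ip_packet

def parse_frame(frame):
    """What a capture on the receiving interface shows: the L2 header plus the IP header."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are modelled here")
    ip = frame[14:]
    _, _, _, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    return {"src_mac": bytes_to_mac(src), "dst_mac": bytes_to_mac(dst),
            "src_ip": socket.inet_ntoa(s), "dst_ip": socket.inet_ntoa(d),
            "ttl": ttl, "proto": proto,
            "checksum_ok": ipv4_checksum(ip[:20]) == 0, "ip": ip}

def route_hop(frame, router_mac, next_hop_mac):
    """One IP forwarding step: the incoming Ethernet header is thrown away, TTL is
    decremented, the header checksum is recomputed, and the packet leaves in a new
    frame whose source MAC is the router's own outgoing interface."""
    ip = bytearray(parse_frame(frame)["ip"])
    if ip[8] <= 1:
        raise ValueError("TTL exceeded")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:20])))
    return build_frame(router_mac, next_hop_mac, bytes(ip))

def frame_seen_at_wan_from_remote_phone():
    """Phone on a hotspot -> hotspot router -> ISP gateway -> pfSense WAN."""
    pkt = build_ipv4(PHONE_IP, PFSENSE_WAN_IP, ttl=64, proto=6,
                     payload=b"constructed TCP segment to a forwarded camera port")
    f0 = build_frame(PHONE_MAC, HOTSPOT_ROUTER_MAC, pkt)     # on the hotspot link
    f1 = route_hop(f0, HOTSPOT_ROUTER_MAC, ISP_GATEWAY_MAC)  # forwarded upstream
    f2 = route_hop(f1, ISP_GATEWAY_MAC, PFSENSE_WAN_MAC)     # delivered onto the WAN segment
    return parse_frame(f2)

def frame_seen_at_wan_from_wan_neighbor():
    """The exception noted above: a host directly on the WAN subnet, no router hop."""
    pkt = build_ipv4("198.51.100.77", PFSENSE_WAN_IP, ttl=64, proto=6, payload=b"constructed")
    return parse_frame(build_frame(PHONE_MAC, PFSENSE_WAN_MAC, pkt))

def mac_allowlist_matches(seen, allowed_macs):
    """The rule the original poster wanted, applied to the source MAC pfSense actually sees."""
    return seen["src_mac"] in {m.lower() for m in allowed_macs}

if __name__ == "__main__":
    remote = frame_seen_at_wan_from_remote_phone()
    print("remote phone: src IP", remote["src_ip"], "src MAC", remote["src_mac"], "TTL", remote["ttl"])
    print("allow-list hit?", mac_allowlist_matches(remote, [PHONE_MAC]))
    local = frame_seen_at_wan_from_wan_neighbor()
    print("WAN neighbour: src MAC", local["src_mac"], "allow-list hit?", mac_allowlist_matches(local, [PHONE_MAC]))
```

Run it and the remote case shows the phone's IP arriving with the ISP gateway's MAC and a TTL two lower than it started with; an allow-list built from the phone's MAC can therefore never match on WAN, which is why the certificate-based VPN discussed in the thread is the workable control. Only the WAN-neighbour case, where no router sits in between, carries the phone's MAC through.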
                    • J
                      jahonix
                      last edited by Dec 16, 2016, 11:49 PM

                      Basically, MAC addresses are layer 2 and pfSense filters/routes on layer 3.

                      • J
                        JKnott
                        last edited by Dec 17, 2016, 2:50 AM

                        1. MAC addresses don't exist on external (Internet) connections

                        Actually, they might, depending on what's on the other side of the router.  Any "broadcast" type connection would use MAC addresses.  On the other hand, point to point links might not.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.