Netgate Discussion Forum

How can I set static ARP on DHCP to prevent MAC spoofing?

tripplex

How can I set static ARP on DHCP to prevent MAC spoofing? I keep seeing duplicated logins to the captive portal with the same MAC address, and I know this should not be. So I really want to prevent this by doing the aforementioned.

johnpoz (LAYER 8 Global Moderator)

How does static ARP prevent spoofing? It prevents someone from using a different IP with the same MAC.

But for you to set that up, you have to know the MAC beforehand. Not sure how that would be the case with captive portal and guest-type users.

So your concern is you have users that pay for time on your captive portal, and then what, give out their MAC address for someone else to use?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

tripplex

I have MAC authentication set up in the captive portal along with FreeRADIUS MAC auth, so users pass through the captive portal because their MAC addresses are configured in the FreeRADIUS2 MAC authentication tab. So they won't be presented with a portal page to log in; they just get logged in automatically.

Guest

And what would happen if you tried another way?

• FreeRADIUS >> internal or "private" WiFi
• Captive Portal >> external or guest WiFi
• OpenLDAP >> internal wired machines

            So the Captive Portal must be used by the guest WiFi or Captive Portal users.
            Would this be a way to go for you?

tripplex

I just wanted to prevent persons from cloning their MAC address to that of someone who is added in FreeRADIUS2 in order to get internet access.

I have set simultaneous connections with this MAC to 1, but that's not an effective way to stop them.

What that does is kick off the legitimate user and give the hacker internet access.

Someone told me about static ARP, so that's why I wanted to try it out, but I am open to other advice.

tripplex

So it is best to have an access point that has AP/client isolation as a feature?

I read that this could minimize the risk of hackers being able to scan the network for MACs.

                As this feature would separate or put clients in their own little network apart from one another.

Guest

> So it is best to have an access point that has AP/client isolation as a feature?

In pfSense this can be activated too!!!!

> I read that this could minimize the risk of hackers being able to scan the network for MACs.

No one is able to get a view inside of all other devices in that VLAN, such as the guest VLAN or another one.

> As this feature would separate or put clients in their own little network apart from one another.

If we both are guests at a hotspot system, and we both are inserted into the same guest WiFi VLAN, and this feature or option is activated, I cannot have a look into your phone and vice versa! That's all.

tripplex

In pfSense it cannot be activated, as it doesn't support it. It only works if you have a wireless network card plugged in; then it can be enabled. Thus my only option is using an AP that supports that feature.

johnpoz (LAYER 8 Global Moderator)

Not sure where you got the idea that isolation prevents finding MACs. While it keeps users from talking to each other, it sure doesn't stop the sniffing of MACs, which are in the clear, etc. You don't even have to be associated to find MACs.

Harvy66

"MAC spoofing" is a feature of Ethernet. Any device can claim to have any MAC address it wants, assuming it follows the standard. Since you can't trust the MAC address, I would not recommend using a MAC address to authenticate a user.

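To make concrete johnpoz's point that a static ARP entry only pins one IP to one MAC, and Harvy66's point that the MAC itself cannot be trusted, here is an added detection example (not from the thread and not pfSense code): it parses constructed FreeBSD `arp -an` output against a hypothetical static-mapping table and flags a MAC that shows up on more than one IP, and a reserved IP that answers with the wrong or a non-permanent MAC.

```python
import re
from collections import defaultdict

# Constructed sample of FreeBSD/pfSense `arp -an` output (not captured from a real system).
# 10.0.0.10 and 10.0.0.11 are the MACs allowed through the portal via static mappings;
# 10.0.0.57 reuses 10.0.0.10's MAC from a second IP, and 10.0.0.11 answers with a foreign MAC.
SAMPLE_ARP = """\
? (10.0.0.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (10.0.0.11) at aa:bb:cc:dd:ee:02 on em1 expires in 600 seconds [ethernet]
? (10.0.0.57) at 00:11:22:33:44:55 on em1 expires in 1184 seconds [ethernet]
? (10.0.0.12) at aa:bb:cc:dd:ee:01 on em1 expires in 900 seconds [ethernet]
"""

# Hypothetical static DHCP/ARP mappings (IP -> MAC) as configured on the DHCP server.
STATIC_MAP = {
    "10.0.0.10": "00:11:22:33:44:55",
    "10.0.0.11": "00:11:22:33:44:66",
}

ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<ifc>\S+) (?P<state>permanent|expires in \d+ seconds)"
)

def parse_arp(text):
    """Return (ip, mac, interface, is_permanent) tuples from `arp -an` text."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["ifc"], m["state"] == "permanent"))
    return entries

def find_anomalies(entries, static_map):
    """Flag MACs seen on more than one IP, and static IPs whose live entry is wrong."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _ifc, _perm in entries:
        ips_by_mac[mac].add(ip)
    mac_reuse = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

    mismatch = []  # (ip, expected_mac, observed_mac) for reserved IPs not bound as expected
    for ip, mac, _ifc, perm in entries:
        expected = static_map.get(ip)
        if expected is not None and (mac != expected.lower() or not perm):
            mismatch.append((ip, expected.lower(), mac))
    return {"mac_reuse": mac_reuse, "mapping_mismatch": mismatch}

if __name__ == "__main__":
    print(find_anomalies(parse_arp(SAMPLE_ARP), STATIC_MAP))
```

On pfSense the same input is available from Diagnostics > ARP Table or `arp -an` on the shell; note that this shows a borrowed MAC behind a second IP, but a clone using the same IP and MAC is indistinguishable at this layer, which is Harvy66's point.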
tripplex

So my best option is to use username authentication instead of MAC, or buy an expensive Cisco switch and do port isolation, putting each user's MAC in their own little VLAN.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.