Netgate Discussion Forum

How can I set static ARP on DHCP to prevent MAC spoofing?

General pfSense Questions
11 Posts 4 Posters 2.2k Views
tripplex, last edited Dec 22, 2016, 12:15 PM

    How can I set static ARP on DHCP to prevent MAC spoofing? I keep seeing duplicated logins to the captive portal with the same MAC address, and I know this should not be. So I really want to prevent this by doing the aforementioned.

johnpoz (LAYER 8 Global Moderator), last edited Dec 22, 2016, 12:22 PM

      How does static ARP prevent spoofing? It prevents someone from using a different IP with the same MAC.

      But for you to set that up, you have to know the MAC beforehand. Not sure how that would be the case with captive portal and guest-type users.

      So your concern is that you have users that pay for time on your captive portal, and then what, give out their MAC address for someone else to use?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

tripplex, last edited Dec 22, 2016, 2:14 PM

        I have MAC authentication set up in the captive portal along with FreeRADIUS MAC auth, so users pass through the captive portal because their MAC addresses are configured in the freeRadius2 MAC authentication tab. So they won't be presented with a portal page to log in; they just get logged in automatically.

Guest, last edited Dec 23, 2016, 5:02 PM

          And what would happen if you tried another way?

          • FreeRADIUS >> internal or "private" Wi-Fi
          • Captive Portal >> external or guest Wi-Fi
          • OpenLDAP >> internal wired machines

          So the captive portal would be used only by the guest Wi-Fi, i.e. the captive portal users.
          Would this be a way to go for you?

tripplex, last edited Dec 24, 2016, 12:01 AM

            I just wanted to prevent people from cloning their MAC address to match someone who is added in freeradius2 in order to get internet access.

            I have set simultaneous connections with this MAC to 1, but that's not an effective way to stop them.

            What that does is kick off the legitimate user and give the hacker internet access.

            Someone told me about static ARP, so that's why I wanted to try it out, but I am open to other advice.

tripplex, last edited Dec 26, 2016, 8:43 PM

              So is it best to have an access point that has AP/client isolation as a feature?

              I read that this could minimize the risk of hackers being able to scan the network for MACs,

              as this feature would separate clients, or put them in their own little network apart from one another.

Guest, last edited Dec 26, 2016, 10:48 PM

                > So is it best to have an access point that has AP/client isolation as a feature?

                In pfSense this could be activated too!

                > I read that this could minimize the risk of hackers being able to scan the network for MACs.

                No one is able to get a view of all the other devices in that VLAN, such as the guest VLAN or another one.

                > As this feature would separate clients, or put them in their own little network apart from one another.

                If we are both guests at a hotspot system, and we are both placed into the same guest Wi-Fi VLAN, and this
                feature or option is activated, I cannot have a look into your phone and vice versa. That's all.

tripplex, Dec 27, 2016, 12:56 AM (last edited Dec 27, 2016, 1:07 AM)

                  In pfSense it cannot be activated, as it doesn't support it. It only works if you have a wireless network card plugged in; then it can be enabled. Thus my only option is using an AP that supports that feature.

johnpoz (LAYER 8 Global Moderator), last edited Dec 27, 2016, 12:16 PM

                    Not sure where you got the idea that isolation prevents finding MACs. While it keeps users from talking to each other, it sure doesn't stop the sniffing of MACs, which are in the clear, etc. You don't even have to be associated to find MACs.


Harvy66, last edited Dec 27, 2016, 3:02 PM

                      "MAC spoofing" is a feature of Ethernet. Any device can claim to have any MAC address it wants, assuming it follows the standard. Since you can't trust the MAC address, I would not recommend using a MAC address to authenticate a user.

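Since, as Harvy66 says, a MAC address cannot be trusted for authentication, the most a MAC-keyed portal can do is notice when one MAC is in use by two hosts at once, which is exactly the "duplicated login with the same MAC" symptom the original poster describes. The script below is an added example, not code from this thread or from pfSense: it runs a collision check over a handful of constructed captive-portal-style log lines in a hypothetical `<time> <event> mac=<mac> ip=<ip>` format (pfSense's real log format is not assumed) and reports a MAC that logs in from a second IP while a session on the first IP is still active, or that logs in again on the same IP without an intervening logout.

```python
import re
from collections import defaultdict

# Constructed sample log, in a hypothetical "<time> <event> mac=<mac> ip=<ip>" format.
# This is NOT the real pfSense captive portal log format; it only models the events
# a MAC-keyed portal sees. Line 3 reuses 00:11:22:33:44:55 from a second IP while the
# first session is still active (a cloned MAC); line 6 is a repeat login on one IP.
SAMPLE_LOG = """\
2016-12-22T11:58:03 login mac=00:11:22:33:44:55 ip=10.20.0.51
2016-12-22T11:58:40 login mac=aa:bb:cc:dd:ee:01 ip=10.20.0.52
2016-12-22T12:03:17 login mac=00:11:22:33:44:55 ip=10.20.0.77
2016-12-22T12:10:02 logout mac=aa:bb:cc:dd:ee:01 ip=10.20.0.52
2016-12-22T12:15:30 login mac=aa:bb:cc:dd:ee:01 ip=10.20.0.52
2016-12-22T12:20:11 login mac=aa:bb:cc:dd:ee:01 ip=10.20.0.52
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login|logout)\s+"
    r"mac=(?P<mac>[0-9a-f:]{17})\s+ip=(?P<ip>[\d.]+)$",
    re.IGNORECASE,
)


def parse_lines(text):
    """Yield (timestamp, event, mac, ip) for every well-formed line; skip the rest
    so a truncated or partially garbled log never aborts the whole check."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Normalise case so "AA:BB..." and "aa:bb..." are the same MAC.
        yield m["ts"], m["event"].lower(), m["mac"].lower(), m["ip"]


def find_mac_collisions(text):
    """Return a list of alerts as (kind, mac, (existing_ip, new_ip), timestamp).

    kind is "ip_collision" when a MAC logs in from a second IP while a session on
    another IP is still open (the clone-and-reuse case), or "duplicate_login" when
    the same MAC+IP logs in again with no logout in between."""
    active = defaultdict(dict)  # mac -> {ip: timestamp of the open session}
    alerts = []
    for ts, event, mac, ip in parse_lines(text):
        if event == "logout":
            active[mac].pop(ip, None)  # tolerate a logout we never saw a login for
            continue
        other_ips = [other for other in active[mac] if other != ip]
        if other_ips:
            alerts.append(("ip_collision", mac, (other_ips[0], ip), ts))
        elif ip in active[mac]:
            alerts.append(("duplicate_login", mac, (ip, ip), ts))
        active[mac][ip] = ts  # the new session is now the open one for this MAC+IP
    return alerts


if __name__ == "__main__":
    for kind, mac, ips, ts in find_mac_collisions(SAMPLE_LOG):
        print(f"{ts} {kind}: mac {mac} seen on {ips[0]} and {ips[1]}")
```

Note that this only detects the collision after the fact; it does not say which of the two hosts is the legitimate one, which is why a "simultaneous connections = 1" style rule ends up kicking whoever logged in first. A MAC that changes IP after a proper logout (a DHCP lease change, for instance) produces no alert.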
tripplex, last edited Dec 28, 2016, 7:30 AM

                        So my best option is to use username authentication instead of MAC, or buy an expensive Cisco switch and do port isolation, putting each user's MAC in their own little VLAN.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.