Log MAC addresses in Firewall log
Is it possible to log the MAC addresses in the Firewall Log?
I have a configuration where the users get an IP via DHCP, and I'm trying to detect some troyan connections so I set up a block rule to track the IPs the troyan usually connects to and then look on the log from where it tries to connect.
My problem is that once I get these IPs, I'm unable to know wich computers correspond to the IPs without a MAC adress.
not sure exactly to what you are trying to do but i saw this in some other thread.
arp -a >> arp.txt
stick it into crontab how often you wanna run it
EDIT: besides the obvius…you know there is a dhcp log right?
Yes, but pfSense has something called DHCP leases so I think maybe there is an option to associate this data table directly without having to do it manually, the idea is to have in the firewall log the MAC address next to the ip, because the ip association changes from one day to another (I'm using dynamic DHCP).