Netgate Discussion Forum

(SOLVED) Blocking unknown MAC addresses

  • SipriusPT
    last edited by Mar 13, 2017, 3:57 PM Mar 13, 2017, 12:57 PM

    Hello guys,

    I am trying to block unknown MAC addresses from being able to use an internal network.

    From what I have searched, one way to achieve this is by using the DHCP from that network interface to use DHCP static maps with the Deny unknown clients check. But to do this I will have to use the DHCP from pfSense, and I am using a Windows DHCP from 2008 which is very outdated in terms of options for the DHCP. I know that I can allow the DHCP from Windows Server to only give IPs to certain MAC addresses, but I think that anyone can manually configure IPs on their machines, and then they will be able to enter. I am looking more for a low level of block.

    So the question is, is there a way to add known MAC addresses for a specific interface without using the DHCP of pfSense?

    Thanks!

    1xSG-4860-1U
    1xSG-3100
    2xpfSense Virtual Machines

    • johnpoz LAYER 8 Global Moderator
      last edited by Mar 13, 2017, 1:57 PM

      It's static ARP. With static ARP, pfSense will not talk to anything that is not static in its ARP table.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • SipriusPT
        last edited by Mar 13, 2017, 3:57 PM

        @johnpoz:

        It's static ARP. With static ARP, pfSense will not talk to anything that is not static in its ARP table.

        Thank you John!  ;)

        1xSG-4860-1U
        1xSG-3100
        2xpfSense Virtual Machines

        • vivi8392
          last edited by Mar 14, 2017, 7:53 PM

          Hi guys.
          Sorry if my English isn't perfect (baguette).
          I'm in charge of my student residence's Internet (around 250 people).
          We use pfSense and each year, everyone has to come so we can add them to the DHCP Server list. So everyone has his own IP address that we give them (1 for wifi and 1 for eth): 10.10.xxx.xxx
          We have just changed the computer. So we had to configure the whole thing on pfSense.
          We weren't allowed to block those who didn't pay and weren't added to the DHCP list.
          If I enable Static ARP entries, will it change it?

          Plus, if someone uses someone else's IP, will it work for both of them?

          Thanks guys!

          • johnpoz LAYER 8 Global Moderator
            last edited by Mar 14, 2017, 7:58 PM

            "We weren't allowed to block those who didn't pay and weren't added to the DHCP list."

            So you're saying you cannot block if I don't pay.. So I just hook up a device given a 10.10.x.x IP and I can use the internet - or you want to block people from doing that?

            Static ARP means that pfSense will only talk to IP address 10.10.a.b if it's using the MAC address you put in pfSense. If the MAC address uses 10.10.x.y it will not work. If a user puts in 10.10.e.f and they do not have a MAC address listed in pfSense that matches 10.10.e.f it will not work.

            If a user changes their MAC to something else, and tries to use 10.10.a.b that points to a different MAC - it will not work.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
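
The matching rule described in the reply above can be checked against a live network before static ARP is switched on, to see which hosts would stop working. The following is an added example, not code from the thread or from pfSense: it compares saved `arp -an` output with a registered IP-to-MAC list. The addresses, the interface name `igb1` and the sample lines are constructed, and the FreeBSD `arp -an` line layout is assumed.

```python
import re

# Constructed registration list (IP -> MAC), standing in for the static mappings.
REGISTERED = {
    "10.10.1.10": "00:11:22:33:44:10",
    "10.10.1.11": "00:11:22:33:44:11",
    "10.10.1.12": "00:11:22:33:44:12",
}

# Constructed sample lines in the assumed FreeBSD `arp -an` layout.
SAMPLE_ARP = """\
? (10.10.1.10) at 00:11:22:33:44:10 on igb1 expires in 1187 seconds [ethernet]
? (10.10.1.11) at de:ad:be:ef:00:01 on igb1 expires in 904 seconds [ethernet]
? (10.10.1.50) at 00:11:22:33:44:12 on igb1 expires in 655 seconds [ethernet]
? (10.10.1.77) at de:ad:be:ef:00:02 on igb1 expires in 31 seconds [ethernet]
? (10.10.1.99) at (incomplete) on igb1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}) on (?P<ifname>\S+)"
)

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so comparisons are exact."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_arp(text):
    """Return (ip, mac, interface) tuples; unresolved entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:  # "(incomplete)" lines carry no MAC and do not match
            entries.append((m["ip"], normalize_mac(m["mac"]), m["ifname"]))
    return entries

def classify(ip, mac, registered):
    """Apply the IP/MAC pairing rule to one observed ARP entry."""
    reg = {i: normalize_mac(m) for i, m in registered.items()}
    if reg.get(ip) == mac:
        return "ok"                          # registered pair, keeps working
    if ip in reg:
        return "ip_registered_to_other_mac"  # someone else's IP in use
    if mac in reg.values():
        return "registered_mac_on_wrong_ip"  # known device, wrong address
    return "unregistered"                    # neither IP nor MAC is listed

def audit(text, registered):
    return [(ip, mac, classify(ip, mac, registered))
            for ip, mac, _ in parse_arp(text)]

if __name__ == "__main__":
    for ip, mac, verdict in audit(SAMPLE_ARP, REGISTERED):
        print(f"{ip:<12} {mac}  {verdict}")
```

Every verdict other than `ok` marks a host that the pairing rule would cut off, so the output doubles as a list of registrations to correct first.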

            • vivi8392
              last edited by Mar 14, 2017, 8:07 PM

              Well, we have 3 internet boxes. The whole residence can use it by paying 17€ per year to us.
              When they have paid, we take their MAC addresses and we give them IPs.
              We had a huge problem with Win10 and I found out that everyone had to manually set his IPv4 address, the subnet mask and DNS.
              But we fear that if someone does this (without paying and being registered by us) with someone else's IP address, given that this IP address is in the DHCP list, he can use "our" internet …

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.