Netgate Discussion Forum

MAC filtering like ebtables net.link.ether.ipfw=1

  • Raff
    last edited by Jul 6, 2017, 2:51 PM

    I want to move from our old firewall running iptables and ebtables.
    I managed to configure pfSense as a bridge, but I cannot find a way to filter by MAC address on the firewall. For example, I need to DROP all packets from 00:04:96:00:00:00.
    I also want to block some other Ethernet protocols and allow only ARP, IPv4, etc.
    Which file do I have to edit to make this possible?
    I have already added the system tunable:

    net.link.ether.ipfw=1

    Best Regards
    Raff

    • jimp Rebel Alliance Developer Netgate
      last edited by Jul 7, 2017, 5:23 PM

      It is not currently possible to filter by MAC address.

      Passing or blocking by protocol is available on any firewall rule using the Protocol drop-down.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • Raff
        last edited by Jul 10, 2017, 7:15 AM

        The drop-down is possible only for TCP or UDP; what about Ethernet protocols? I need to drop all SNAP packets.

        I have been using the fantastic Sentry CD firewall so far, but it has an old 2.4 kernel, so it is sometimes affected by flooding and then it crashes. Therefore I was looking for pfSense.

        Any other recommendation on how to block MAC addresses? pfSense has FreeBSD in the background, so it should be possible to block by MAC. I am not a FreeBSD expert, so I need some help: how do I make it happen?

        Regards
        Raff

        • jimp Rebel Alliance Developer Netgate
          last edited by Jul 10, 2017, 11:29 AM

          @Raff:

          The drop-down is possible only for TCP or UDP; what about Ethernet protocols? I need to drop all SNAP packets.

          On what page? For both firewall rules and NAT there are many other choices.

          @Raff:

          Any other recommendation on how to block MAC addresses? pfSense has FreeBSD in the background, so it should be possible to block by MAC. I am not a FreeBSD expert, so I need some help: how do I make it happen?

          There is no supported way to do it. Captive Portal is capable of doing some things in that area, but it would also affect the people you are passing through.


          • kpa
            last edited by Jul 12, 2017, 2:44 PM

            IPFW, which is the other main packet filter for FreeBSD, can do MAC filtering, but pfSense has chosen not to use it as the main filtering engine; instead pfSense uses the PF (originally from OpenBSD) packet filter, which is a pure layer 3 (IP) packet filter. I doubt you can do MAC filtering on pfSense easily by hacking in your own IPFW rules. I'd recommend using vanilla FreeBSD instead if you're really serious about it and know your way around FreeBSD without the aid of a GUI such as the one pfSense has.

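The IPFW layer-2 filtering mentioned in the last post, sketched for vanilla FreeBSD as an added example that is not part of the thread: a generator that prints ipfw rules for review instead of applying them. It assumes ipfw is loaded with net.link.ether.ipfw=1 as in the question; the function names and rule numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints ipfw layer-2 rules for review; it never calls ipfw.
# Assumes vanilla FreeBSD, ipfw loaded, net.link.ether.ipfw=1 (as in the thread).
# Function names and rule numbers are constructed for this example.

# Succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_l2_rules SRC_MAC...
# Writes the ipfw commands to stdout; returns non-zero on a malformed MAC.
gen_l2_rules() {
    # Validate everything first so a typo never yields a partial ruleset.
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "invalid MAC address: $mac" >&2
            return 1
        fi
    done
    n=1000
    for mac in "$@"; do
        # ipfw's MAC option takes the destination first, then the source
        # (wire order), so "MAC any <mac>" matches on the source address.
        echo "ipfw add $n deny all from any to any MAC any $mac layer2"
        n=$((n + 10))
    done
    # Pass only IPv4 (0x0800) and ARP (0x0806) frames at layer 2 ...
    echo "ipfw add 5000 allow all from any to any layer2 mac-type 0x0800,0x0806"
    # ... and drop every other EtherType seen on the layer-2 pass.
    echo "ipfw add 5010 deny all from any to any layer2"
}

# Source MAC taken from the question in this thread.
gen_l2_rules 00:04:96:00:00:00
```

Rules carrying the layer2 option match only on the Ethernet pass, so the layer-3 pass still needs its own IP rules. Review the printed commands before applying them, especially on a machine you reach over the network.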
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.