[solved] Allow only certain users through firewall



  • Hello everybody,

    I need advice for my use case:

    • only paid users are allowed to access internet
    • database of paid users is maintained in an external system
    • unique identifier of paid user is his MAC address
    • IPv4 and IPv6 connectivity

    Looking for an automated solution to enable internet only for paid users. GUI cannot be used.

    • pfSense has no API
    • pf cannot permit/deny packets according to their src MAC address
    • not aware of a way to add a static DHCPv4 lease through CLI (but DHCPv6 screws it up)
    • not aware of a way to add a MAC address into captive portal bypass list through CLI


  • Captive Portal (with RADIUS?)?

    (I've never used it but it seems like exactly what you want.)



  • @Nullity:

    Captive Portal (with RADIUS?)?

    I am not aware of a way to add a MAC address into the captive portal bypass list through CLI.


  • Rebel Alliance Developer Netgate

    Use RADIUS auth with captive portal, you can set it up for MAC auth as well so you can add the MACs in RADIUS to let them through.



  • @jimp:

    you can add the MACs in RADIUS to let them through.

    Could you elaborate more?
    I want this situation: a registered user connects to the internet without bothering with the captive portal.



  • Who are these "registered users"? Employees using work devices? Customers? Guests?


  • Netgate

    No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only.



  • @Harvy66:

    Who are these "registered users"? Employees using work devices? Customers? Guests?

    Customers with their MAC registered in my CRM.



  • @Derelict:

    No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only.

    Then it's solved. I'll have to use iptables to filter MAC addresses and abandon pfSense.
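
The MAC allowlist approach named in the last post, as an added example that is not part of the thread: a script that validates MAC addresses exported from an external system and prints one ruleset that both `iptables-restore` and `ip6tables-restore` accept, since the `mac` match works on the Ethernet header. The interface name `eth1`, the one-MAC-per-line input format and the sample addresses are assumptions; a source MAC is set by the client, so this identifies a device rather than authenticating it.

```shell
#!/bin/sh
# Added example: emit a FORWARD ruleset that passes only allowlisted source MACs.
LAN_IF="${LAN_IF:-eth1}"   # hypothetical LAN-facing interface name

# Print the MAC in lowercase colon form; fail if it is not exactly 6 hex octets.
normalize_mac() {
    mac=$(printf '%s\n' "$1" | sed 'y/ABCDEF-/abcdef:/')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Read MACs on stdin ('#' starts a comment) and print iptables-restore input.
# Invalid entries are reported on stderr and never reach the ruleset.
build_ruleset() {
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    while IFS= read -r line; do
        line=${line%%#*}                                  # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')       # drop blanks and CR
        [ -n "$line" ] || continue
        if mac=$(normalize_mac "$line"); then
            printf '%s\n' "-A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done | sort -u                                        # one rule per device
    printf '%s\n' 'COMMIT'
}

# Constructed sample export; these addresses are made up for the example.
sample_macs() {
    cat <<'EOF'
02:00:00:00:00:01   # customer A
02-00-00-00-00-0A
02:00:00:00:00:0a   # same device again, different notation
not-a-mac
EOF
}

# Demo: print the ruleset only; nothing is loaded into the kernel here.
sample_macs | build_ruleset
```

Applying the result means piping the same output into both `iptables-restore` and `ip6tables-restore`, which replaces the existing `filter` table contents unless `--noflush` is given.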