Netgate Discussion Forum

    [solved] Allow only certain users through firewall

    • mdes

      Hello everybody,

      I need advice for my use case:

      • only paid users are allowed to access internet
      • database of paid users is maintained in an external system
      • unique identifier of paid user is his MAC address
      • IPv4 and IPv6 connectivity

      Looking for an automated solution to enable internet only for paid users. GUI cannot be used.

      • pfSense has no API
      • pf cannot permit/deny packets according to their src MAC address
      • not aware of a way to add a static DHCPv4 lease through CLI (but DHCPv6 screws it up)
      • not aware of a way to add a MAC address into captive portal bypass list through CLI
      • Nullity

        Captive Portal (with RADIUS?)?

        (I've never used it but it seems like exactly what you want.)

        • mdes

          @Nullity:

          Captive Portal (with RADIUS?)?

          I am not aware of a way to add a MAC address into captive portal bypass list through CLI.

          • jimp Rebel Alliance Developer Netgate

            Use RADIUS auth with captive portal; you can set it up for MAC auth as well, so you can add the MACs in RADIUS to let them through.

            • mdes

              @jimp:

              you can add the MACs in RADIUS to let them through.

              Could you elaborate more?
              I want this situation: a registered user connects to the internet without bothering with the captive portal.

              • Harvy66

                Who are these "registered users"? Employees using work devices? Customers? Guests?

                • Derelict LAYER 8 Netgate

                  No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only.

                  • mdes

                    @Harvy66:

                    Who are these "registered users"? Employees using work devices? Customers? Guests?

                    Customers with their MAC registered in my CRM.

                    • mdes

                      @Derelict:

                      No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only.

                      Then it's solved. I'll have to use iptables to filter MAC addresses and abandon pfSense.

                      1 Reply Last reply Reply Quote 0
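
Added example, not part of the thread and not any poster's code: the iptables approach named in the last post, written as a generator for a MAC allowlist ruleset that loads for both IPv4 and IPv6. The interface name lan0, the one-MAC-per-line export format and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a list of paid-customer MACs into an iptables-restore
# ruleset. Assumed (not from the thread): interface "lan0", one MAC per line.
# The mac match sees the Ethernet source address, so clients must sit on the
# segment directly attached to lan0.

# Print the MAC upper-cased and colon-separated, or return 1 if malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f-' 'A-F:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Read MACs on stdin ("#" starts a comment); write the ruleset to stdout.
# The rules carry no IP addresses, so one file serves both address families.
gen_ruleset() {
    lan_if=${1:-lan0}
    echo '*filter'
    echo ':FORWARD DROP [0:0]'      # default: nothing is routed
    echo ':PAID - [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $lan_if -j PAID"
    sed 's/#.*//' | tr -d ' \t\r' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if m=$(normalize_mac "$entry"); then
            echo "$m"
        else
            echo "skipped invalid entry: $entry" >&2
        fi
    done | sort -u | sed 's/^/-A PAID -m mac --mac-source /; s/$/ -j ACCEPT/'
    echo 'COMMIT'
}

# Constructed sample export (not real customer data).
sample_macs() {
    cat <<'EOF'
00:11:22:aa:bb:cc   # customer 1
00-11-22-AA-BB-CC   # same device, different notation
02:00:5e:10:00:01   # customer 2
not-a-mac
EOF
}

sample_macs | gen_ruleset lan0
# To apply (replaces the current filter table rules):
#   gen_ruleset lan0 < macs.txt > paid.rules
#   iptables-restore < paid.rules && ip6tables-restore < paid.rules
```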