[solved] Allow only certain users through firewall
- 
 Hello everybody, I need an advice for my use case: - only paid users are allowed to access internet
- database of paid users is maintained in an external system
- unique identifier of paid user is his MAC address
- IPv4 and IPv6 connectivity
 Looking for automated solution how to enable internet only for paid users. GUI cannot be used. - pfSense has no API
- pf cannot permit/deny packets according their src MAC address
- not aware of a way how to add a static DHCPv4 lease through CLI (but DHCPv6 screws it up)
- not aware of a way how to add a MAC address into captive portal bypass list through CLI
 
- 
 Captive Portal (with RADIUS?)? (I've never used it but it seems like exactly what you want.) 
- 
 Captive Portal (with RADIUS?)? I am not aware of a way how to add a MAC address into captive portal bypass list through CLI. 
- 
 Use RADIUS auth with captive portal, you can set it up for MAC auth as well so you can add the MACs in RADIUS to let them through. 
- 
 you can add the MACs in RADIUS to let them through. Could you elaborate more? 
 I want this situation: registered user connects to internet without bothering with captive portal.
- 
 Who are these "registered users"? Employees using work devices? Customers? Guests? 
- 
 No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only. 
- 
 Who are these "registered users"? Employees using work devices? Customers? Guests? Customers with their MAC registered in my CRM. 
- 
 No matter what, pfSense captive portal will not pass IPv6. It will be IPv4-only. Then it's solved. I'll have to use iptables to filter MAC addresses and abandon pfSense. 

