Only allow certain MAC addresses to access a forwarded port



  • Just installed pfSense ver 2.3.4 on a mini PC. Lots I don't know yet.

    Unfortunately, I have to configure several ports to be forwarded. However, the list of machines that should be allowed to access them is very small (single digits). Since a mobile device coming in on the WAN interface will have an unpredictable IP address, I was thinking I would only allow certain known MAC addresses.

    Is this possible? Is there a better way?

    Thanks.



  • @logbuilder:

    Is this possible?

MACs do not travel over the "Internet".
    and
    The firewall pfSense does not have the possibility to filter on MACs (might be related to the first phrase ;)).
    More info: https://superuser.com/questions/510920/is-my-mac-address-public-when-browsing-the-internet

    @logbuilder:

    Is there a better way?

    Irrelevant  ;)
    Use some authentication like the ones you already saw elsewhere.

    Edit : what I do : have my 'device' open a VPN to pfSense, and I'm "in".
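To make the "MACs do not travel over the Internet" point concrete, here is an added illustration (not code from the thread or from pfSense) that builds an Ethernet + IPv4 frame as a phone would send it and walks it through two routed hops to a WAN interface. Every router strips the incoming Ethernet header and writes a fresh one for the next link, so the source MAC that arrives at the WAN belongs to the upstream router, while the source IP is carried end to end. All MAC and IP addresses below are constructed sample values (locally administered MACs, RFC 5737 documentation ranges), and the hop layout is an assumption for the demonstration.

```python
import socket
import struct

# Constructed sample addresses for the illustration; none come from the thread.
PHONE_MAC = bytes.fromhex("020000aabbcc")       # the phone's own Wi-Fi/cellular NIC
CARRIER_GW_MAC = bytes.fromhex("020000111111")  # first router the phone talks to
ISP_GW_MAC = bytes.fromhex("020000333333")      # last router before the pfSense WAN
PFSENSE_WAN_MAC = bytes.fromhex("020000222222")
PHONE_IP = "203.0.113.7"
PFSENSE_WAN_IP = "198.51.100.2"

IP_HDR = "!BBHHHBBH4s4s"  # minimal IPv4 header, no options, checksum left at 0


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, payload=b""):
    """Ethernet II + IPv4 frame exactly as the phone first puts it on its local link."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def parse_frame(frame):
    """Return the addresses a firewall rule on the receiving interface could match on."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    f = struct.unpack(IP_HDR, frame[14:34])
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(f[8]),
        "dst_ip": socket.inet_ntoa(f[9]),
        "ttl": f[5],
    }


def route_hop(frame, router_mac, next_hop_mac):
    """What every IP router does: drop the incoming Ethernet header, decrement TTL,
    and prepend a brand-new Ethernet header for the next link. IP addresses are untouched."""
    ip_and_payload = bytearray(frame[14:])
    ip_and_payload[8] -= 1  # byte 8 of the IPv4 header is the TTL
    if ip_and_payload[8] == 0:
        raise ValueError("TTL expired; packet dropped")
    return next_hop_mac + router_mac + struct.pack("!H", 0x0800) + bytes(ip_and_payload)


def deliver_to_wan(path):
    """Walk the phone's packet over a list of (router_mac, next_hop_mac) links and
    return the frame as it arrives on the pfSense WAN interface."""
    frame = build_frame(PHONE_MAC, path[0][0], PHONE_IP, PFSENSE_WAN_IP)
    for router_mac, next_hop in path:
        frame = route_hop(frame, router_mac, next_hop)
    return frame


# Assumed path: phone -> carrier gateway -> ISP gateway -> pfSense WAN (two routed hops)
ASSUMED_PATH = [(CARRIER_GW_MAC, ISP_GW_MAC), (ISP_GW_MAC, PFSENSE_WAN_MAC)]


def what_pfsense_sees():
    return parse_frame(deliver_to_wan(ASSUMED_PATH))


def mac_allowlist_allows(frame, allowed_macs):
    """A hypothetical source-MAC allowlist on the WAN: shows what such a rule would
    actually match (the last router's MAC, never the phone's)."""
    return parse_frame(frame)["src_mac"] in {m.hex(":") for m in allowed_macs}


if __name__ == "__main__":
    seen = what_pfsense_sees()
    print("src IP at WAN :", seen["src_ip"])   # still the phone's address
    print("src MAC at WAN:", seen["src_mac"])  # the ISP gateway's MAC, not the phone's
    print("phone MAC allowlisted? ", mac_allowlist_allows(deliver_to_wan(ASSUMED_PATH), [PHONE_MAC]))
```

Running it shows the source IP surviving the trip while the source MAC has been replaced at every hop; a WAN rule keyed on the phone's MAC would therefore never match, and one keyed on the upstream router's MAC would admit everyone behind that router. That is why the replies steer toward authentication (a VPN) rather than link-layer filtering.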



  • Thanks for that reply. The link was very helpful also. Obviously I'm no networking expert.



  • If you're trying to use services from your local private network remotely, I'd recommend using a VPN.  Forwarding ports and restricting access to specific public IP addresses can be used in some cases where both ends of the connection are known, but this doesn't seem to be the case for you.

    Create a VPN, give access to the local subnet that your servers are on, done.  There are tons of tutorials online for pfSense.  I highly recommend getting the official pfSense book, or better yet, pfSense gold subscription.  That will walk you through step by step for creating a Road Warrior IPSec VPN using EAP-MSCHAPv2.

    There's also a Hangout from a few months back with a video tutorial on how to do this.

    Good luck!

    Dan



  • @DanC

Thanks for the reply. I guess I know down deep that a VPN is the answer. The problem in my uneducated mind is that the clients (android phone, iphone, ipad, AMZN Fire) will all need a VPN client. I'm unclear how transparent that will be to the wife and myself. My last direct contact with a VPN was with my last employer (6 years ago) which used a VPN with an RSA key generating device. It was a pain in the rear. It probably tainted me on VPN.

    My remote access is really for only three things. First is remote console in case I need to do any configs or tuning while I am away. Second is for Blue Iris which is my camera security system. Third is for HomeSeer which is my home automation software. HomeSeer gets the most remote access. If I am away, we check it a couple of times a day from our phones. It surfaces the Blue Iris info so (normally) no need to access BI itself remotely. This results in 3 ports being forwarded.

But….. the thing that motivated me to move to pfSense was that I see people/bots probing those doors every day. It makes me uncomfortable. In the last year I have moved into home automation heavily. That created a wider wifi network. There are devices (quite a few wifi arduinos - ESP8266) that are on the wifi network that transmit in the clear. I'm creating three subnets off of the pfSense firewall. One for highly trusted devices, one for semi-trusted and guests, and one for the IoT devices that I don't trust very much. This topology I first heard about from Steve Gibson on the Security Now podcast and it resonated with me.

    On top of all of that, I am on a metered satellite connection with a monthly data cap so I want to make sure no devices are going outside my network unless I know about it. I certainly don't trust my cameras with all the recent news about them being hacked.



  • Your fears about IoT devices potentially being compromised are well founded.  Many on these forums, including me, will tell you to segment your network in a manner similar to how you're designing yours.

    That said, opening ports or forwarding ports for IoT devices is a disaster waiting to happen.  I'm sure you can already see the implications of doing so.  A VPN really is the only way that you should remotely manage them.  I will say, using self signed certificates for your VPN is the ideal way to do this, but PSK options are available.

    It's really not too bad. I'm confident that if you're already planning on segmenting your network and you've thought that through, you can make a VPN work.



  • @DanC:

    Your fears about IoT devices potentially being compromised are well founded.  Many on these forums, including me, will tell you to segment your network in a manner similar to how you're designing yours.

    That said, opening ports or forwarding ports for IoT devices is a disaster waiting to happen.  I'm sure you can already see the implications of doing so.  A VPN really is the only way that you should remotely manage them.  I will say, using self signed certificates for your VPN is the ideal way to do this, but PSK options are available.

Another method is to use a controller or server to manage & access the devices.  You then work through it, instead of the devices.  You apply appropriate security to it.  With this method, you can have the IoT on a ULA network.  I mentioned this in another thread, about security cameras.  With the ones I have worked on, the cameras are on a separate network, connected to a recorder.  The recorder has a separate network connection, which is used to access the recorder from elsewhere.  Similar could be used with other IoT devices.

