Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    MAC Filtering on PF

    Scheduled Pinned Locked Moved Firewalling
    14 Posts 5 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • faxmodemF
      faxmodem
      last edited by

      hi  ;D
      How to determine if only specific addresses from a specific country are accessible to our server?

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        What does that have to do with mac?  Use pfblocker package if you want to block countries from accessing your port forwards.  Or stop access to those countries.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • faxmodemF
          faxmodem
          last edited by

          I want to prevent rdp brut force  attacks by filtering the mac address

          Is there any other idea to prevent such attacks?

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by

            You would see an IP address not a MAC if your talking inbound from the WAN.

            Create a VPN.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              "Is there any other idea to prevent such attacks?"

              Yeah don't freaking open up Remote Desktop to the public internet ;)  You need to remote to your machines than VPN in..

              At worse your rule that allows access to the remote desktop through a forward should be sourced locked to the specific IP or IPs you want to allow.. Great you can block RU from hitting your port forward, doesn't stop hits from the same country your wanting to access it from.

              VPN into your network for such access..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • faxmodemF
                faxmodem
                last edited by

                Can not do this scenario with MAC?

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  I suggest you research what a MAC is… its only seen at layer 2.. No you can not filter mac in pfsense from some random internet bot or IP..

                  Did you smite me for asking what mac has to do with it?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by

                    @faxmodem:

                    Can not do this scenario with MAC?

                    The MACs would only be seen at layer 2.

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott
                      last edited by

                      You would see an IP address not a MAC if your talking inbound from the WAN.

                      The only MAC address you'll see on the WAN port is your ISP's router.  If you block that, you will disconnect yourself from the Internet.  A MAC address is the hardware address for a device and is valid on the local LAN only.  When a packet is received a router or any other device, the MAC address is discarded.  A router will then forward the IP packet as approptiate and create a new Ethernet frame, with a new MAC to forward it on.  You will NEVER see a MAC address for any device that's not directly connected to your firewall.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      1 Reply Last reply Reply Quote 0
                      • faxmodemF
                        faxmodem
                        last edited by

                        Do not block IP countries from OPEN VPN by pfblocker?

                        i'm config pfblock but unblock ip for other country??

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          huh?? what are you wanting to do.. Read that like 3 times, makes no sense.

                          Use aliases in pfblocker for the country blocks you want and set your firewall rules with those aliases.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • H
                            Harvy66
                            last edited by

                            1. MAC addresses are not associated with countries, for the most part
                            2. MAC addresses are only link local. You will only ever see the single MAC address from your ISP's gateway.
                            1 Reply Last reply Reply Quote 0
                            • JKnottJ
                              JKnott
                              last edited by

                              ^^^^
                              For the most part????  I'd say not at all.  The lower 24 bits are simply a serial number.  The upper 24 are mostly assigned to a manufacturer, with a couple of bits reserved for unicast/multicast and locally assigned address.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              1 Reply Last reply Reply Quote 0
                              • H
                                Harvy66
                                last edited by

                                @JKnott:

                                ^^^^
                                For the most part????  I'd say not at all.  The lower 24 bits are simply a serial number.  The upper 24 are mostly assigned to a manufacturer, with a couple of bits reserved for unicast/multicast and locally assigned address.

                                you might be able to find a correlation between certain bits in a MAC address and certain models of NICs if you know something about the supply chain.

                                OK guys, the next 10,000 NICs are going to Russia. Now you have 10,000 sequential MACs being sold in stores in Russia, assuming they used sequential and not random. Not sure why random would be a good idea for this case. And also assuming MACs are not being spoofed. Not that you'll ever see a MAC from outside of your broadcast domain.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.