Netgate Discussion Forum

    Restricting Internet Access for Some Clients

    • giovannio

      Hello guys,
      I would like you to help me with the following question:
      I intend to restrict access to the internet to some computers on the network, where I would like to do it as follows:

      • Block access to all sites except the ones I want these clients on the network to have access to, and I'd like to make it associated with the MAC addresses of these clients.
        Thank you in advance for your help.
      • johnpoz LAYER 8 Global Moderator

        @giovannio said in Restricting Internet Access for Some Clients:

        associated with the MAC addresses of these clients.

        pfSense is an L3 firewall, not layer 2. So if you want specific devices to be blocked based upon their MAC, set up DHCP reservations so these MACs always get the same IP. Then block them in your LAN rules from getting to the internet.

        Or set up a captive portal where the MACs you want can access, but clients not on the list cannot.

        You could also set up static ARP on pfSense so it will not even talk to the MACs not in the static ARP list, and they would not have internet, etc.

        Some clarification would help determine the best way to skin the cat you're trying to skin. Are they wired or wireless? Do they need access to other local networks that are routed through pfSense? Do you use a proxy? Etc. What sort of devices are these devices you do not want to have internet? Could you move them to their own network/VLAN so that whole network/VLAN does not have internet, etc.?

        Another option might be to set up DHCP reservations for the MACs you do not want to have internet and give them a bogus gateway, so no internet, etc. There are lots of ways to skin a cat; you need to know the breed and size and color, etc. to figure out the best way ;) You don't use the same method for your household tabby that you might use for a bobcat or lynx, etc. What you want to do with the skin after you take it off also matters. Are you going to make a coat out of it, or will you use it as a rug in front of your fireplace, etc. ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
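
Added example, not part of the thread or of pfSense: a LAN rule keyed on a DHCP-reserved IP only holds while each MAC actually sits on its reserved address, so this script compares the reservations against the firewall's ARP table and reports mismatches. The reservation map and the FreeBSD-style `arp -an` output are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data: DHCP static mappings, MAC -> reserved IP.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.50",
    "00:11:22:33:44:66": "192.168.1.51",
}

# Constructed sample of FreeBSD `arp -an` output.
ARP_OUTPUT = """\
? (192.168.1.1) at 02:aa:bb:cc:dd:01 on em1 permanent [ethernet]
? (192.168.1.50) at 00:11:22:33:44:55 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.77) at 00:11:22:33:44:66 on em1 expires in 902 seconds [ethernet]
? (192.168.1.51) at de:ad:be:ef:00:01 on em1 expires in 300 seconds [ethernet]
? (192.168.1.90) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on \S+",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac) pairs; '(incomplete)' entries carry no MAC and are skipped."""
    return [(m["ip"], m["mac"].lower()) for m in ARP_LINE.finditer(text)]


def audit(reservations, arp_entries):
    """Flag ARP entries that disagree with the DHCP reservations."""
    by_ip = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac in arp_entries:
        if mac in reservations and reservations[mac] != ip:
            # A restricted device is live on an address the block rule does not cover.
            findings.append(("reserved-mac-on-other-ip", mac, ip))
        elif ip in by_ip and by_ip[ip] != mac:
            # Another device holds an address reserved for a restricted one.
            findings.append(("reserved-ip-used-by-other-mac", mac, ip))
    return findings


if __name__ == "__main__":
    for kind, mac, ip in audit(RESERVATIONS, parse_arp(ARP_OUTPUT)):
        print(f"{kind}: {mac} at {ip}")
```

The static ARP option mentioned in the same post targets the case these findings describe, since the firewall then only answers MAC/IP pairs on its list.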

        • giovannio

          @johnpoz said in Restricting Internet Access for Some Clients:

          Hello my friend,
          Thank you for your response.
          Your explanation was very enlightening :)
          I guess I could not explain what I mean.
          I would not want to block access to the internet entirely.
          For example, there is a device where I want to block all websites except for 10 websites that are for work purposes.
          Is there a package that does this?
          Thank you very much.

          • johnpoz LAYER 8 Global Moderator

            That would be done via proxy... But its restrictions are not based upon MAC address.

            • giovannio

              Thank you! :)

              • johnpoz LAYER 8 Global Moderator

                I don't think you understand the thread, protar. He is not talking about a Mac computer, he is talking about the MAC address of multiple devices, etc.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.