DHCP Arp Table Static Entry - to bind mac to IP

  • I want to be able to set static DHCP entries using the ARP table static entry option. But I don't just want it to reserve the IP to the MAC address from the dhcp server - I also want to bind it so the IP can ONLY use the static IP assigned to it.

    Why? I want to have a few computers that are bound to an IP to set up firewall rules & schedules. But without having to lock down every single device.

    I know I can turn on global static arp table. But that seems like another level of lock down that causes lots of extra work. I really don't want to have to add each new device to a manual table to allow the MAC address to communicate.

    Thanks in advance

  • @rmowles said in DHCP Arp Table Static Entry - to bind mac to IP:

    But I don't just want it to reserve the IP to the MAC address from the dhcp server - I also want to bind it so the IP can ONLY use the static IP assigned to it.

    If you assign an IP to a MAC address, then that computer will only have that address, unless someone configures a static address. Of course, I assume you have user and not admin accounts set up for the users, so that they can't do that.

  • You know what they say about making an assumption :-) Sorry couldn't resist.

    This is actually for use in a home network so people will reload their own boxes and could assign their own IP. I'm tired of using crappy home routers especially with 500Mb and better download speeds where most of the home products can't keep up. If I like it, we'll get a 2nd larger pfSense box at work when our firewall is to be replaced. Very different needs around security between home & office.

    So back to the original question, the idea is to lock a MAC to an IP so even if the IP is manually assigned on the computer it cannot communicate with/through the firewall. Want to set up timed breaks for the kids mainly to help "remind" them when we're not around and so as to not have to harp on it.

    Without having to manually enter every MAC on the network - too much of a pain.

    I had an older router that did this and it was brilliant.. never seen it since. But the idea seems simple... bind the MAC to an IP and don't allow the MAC to use another IP.

    Then you can easily lock down certain machines and not worry about others.

    Make sense? Make PFSense?

  • @rmowles said in DHCP Arp Table Static Entry - to bind mac to IP:

    So back to the original question, the idea is to lock a MAC to an IP so even if the IP is manually assigned on the computer it cannot communicate

    You're in for a lot of work assigning the authorized addresses and then configuring the firewall to block everything else. Also, you should always use user accounts for users. I do that here on both Linux and Windows. The admin account is only used for things that require admin privileges and I'm the only one who uses my computers. This also provides greater protection against malware as admin accounts give it full access to the system.

    Unfortunately Windows defaults to admin accounts and most people can't be bothered setting up user accounts or don't even know they should. On Linux, running as root is strongly discouraged and you're usually asked to set up user accounts, after root has been created.

    Do yourself a favour. Create admin accounts on those computers and then change the existing accounts from admin to user. You'll avoid a lot of problems.

    While I appreciate your suggestions, they don't address my request, and I'd like to keep this on point if we can, please. In my environment I would like to have a MAC address bound to an IP. Or alternately the ability to create firewall rules by MAC address.

    Ironically the UTM at my office, where IPs are much more locked down, supports firewall rules by MAC address.

    I want to do it per IP and the ideal place would be in the DHCP static lease entry.

  • Well, you're doing it the hard way and pfSense doesn't support filtering on MAC addresses, though other firewalls do.

  • I'm doing it the only way possible in my network at home. I found many other requests for the same. Instead of being told what I'm doing is wrong, hard or otherwise, is there any way to get the ears of the developers?

    Frankly I may send this box back based on the experience so far. Seemed good on paper but I'm disappointed. I paid for the hardware to support the team but didn't expect this limitation.

    Other firewalls may support this function... because it's a good idea.

    Sophos for example just added the function recently. As you say, others already have the function.

    I didn't come here to debate my needs - I came here to make sure I wasn't missing the function somehow - and find a way to request it be added.

    If no, I will move on to another firewall.


  • Hi,

    The firewall pfSense is using for 'normal' operation doesn't handle MAC (L2). No one can explain the functionality you are looking for: it doesn't exist - isn't implemented.

    But another firewall service included in pfSense, used by the captive portal functionality, is FreeBSD's "ipfw". ipfw is capable of MAC based filtering.
    You could use a one time 'voucher' (5 minutes duration) login, do the auto-MAC/IP rule adding and your device will be locked to an IP/MAC pair, no matter how the device is set up (DHCP, Static ...).
    Take a look at this option, it will be as close as you can get.

  • LAYER 8 Global Moderator

    How many devices are you talking about? Seems like you're making this overly complex

    You set a reservation for device A.. It now gets as its ip.. You set up whatever rules you want for this device.

    To prevent device B from setting its IP to and using accessing what device A can you set a static arp on pfsense that mac xyz only relates to

    But what stops owner of device B from just making its mac xyz.. You do understand that takes all of a few seconds to do on any sort of device that runs an os that allows it.. Windows, Linux, BSD's - you might have problem doing that on some sort of locked down iot device.

    If you want to write your rules based on mac - sure use a firewall that does that.. Have at it.. But changing a mac is really no different than setting an IP. So you end up in the same boat from a security standpoint.. Then again if this is "home" setup - what user is going to know how to even change their IP to the IP that has higher access on the firewall rules?

    If you want to lock down your network so that users can not access this even if they change their mac or their IP you should look more to full blown NAC/NAP setup.. BTW is this wired or wireless? Combination?

    So let me make sure I understand the feature you're wanting. You want a client to get an IP via dhcp.. You then want a static arp set for this IP that only this IP/MAC combo are valid to talk to pfsense. But you don't want to set which IP the client gets - because it's too much work? Again I ask how many devices? And does this new reservation now last forever, is it good for 24 hours..

    You do understand you can just run the dhcp server let these devices get lease and now you have all the mac and you can just click button to set up a reservation for their IPs.. So I am a bit confused at the level of work you think this is? Do you have hundreds of devices on this network? 1000's?

    Again what keeps the user from just changing their mac? Pretty sure a dedicated individual could prob jailbreak their phone and change the mac, etc. I just googled and in 2 seconds found how to change the mac on my jailbroken Android phone, etc. So not sure where you got the idea that MAC addresses are the end all of security from a filtering standpoint.

    What might be more constructive on a "forum" is to describe your end goal here - prevent users from doing XYZ, describe your environment, type of devices, etc.. Then let the discussion flow on how to best accomplish this goal.. What happens quite often is user gets some idea in their head that X is the way to solve said problem, when really Y is easier, less complex, cheaper way to do it.. But they get all hung up on doing X that they end up going down 15 layers into some rabbit hole trying to do X, when in reality X doesn't even solve the actual problem.

    What I can make so far is you're worried about user changing their IP and getting access to what exactly the pfsense web gui? Access to some other vlan? Access to the internet - what sort of rules are you looking to put in place to either allow said IP do or not do? Then we can worry about what happens if user changes their IP to this, etc. And evaluate the level of control that is actually needed in a "home" setup. Or the best way to mitigate your concerns of breaking/circumventing your rules.

    Keeping in mind that pfsense might not be the tool for the job at hand.. Is a very fine and feature rich layer 3 firewall/router - with many a bell and whistle to be sure. But sometimes you need that T12 Star allen wrench, and the 5/16 hex just will not do.. Even though the 5/16 is your fav tool, it sometimes is not the right one for the job. Sure maybe you can force it in and it will turn the screw, etc. Does not make it the correct tool for the job.

  • The tone I hear in many of these messages is really unfortunate. I'm not sure if you're aware but "You do know" and "You do understand" are very condescending in tone.

    But fair enough, here's what I'd like to do.

    This is a home network with maybe 20 devices - the users can and do reload windows occasionally themselves. (At least one of them). I want to block Internet access to two computers at certain times. Wired through a switch. Would be nice to do the same for a couple wireless devices (iphones).

    I would like to make it a bit harder than setting a static IP to get around firewall rules. Users are pretty smart. Yes I get they might figure out how to change MAC but this is less common than setting a static IP in my opinion. I've been working on computers and small networks for 30 years and until recently never thought to try changing a mac address.

    @Gertjan thank you for your friendly reply - I will research this. I suppose the first question that pops to mind is that if ipfw is under the hood it would be easy enough to expose this in a GUI setting.

  • LAYER 8 Global Moderator

    I have been doing this sort of stuff for 30 some years professionally, at the security level for major fortune 500 companies, etc.. Tell you for sure that none of them do "mac" filtering..

    If you want to control devices that access your network and what IP they can or can not use then set up a NAC..

    PacketFence is one that is FREE fairly easy to set up..

    As to "very condescending in tone." you do understand ;) it's very difficult to assess "tone" from a forum post right ;) I can kiss your ass from here to sunday and you could take that now I am patronizing you, etc. To be honest I don't really give two shits how you take whatever tone you want to read into the wording... We can be friendly and discuss your problem tech to tech or we can bitch and complain about "tone" and whatever.. I don't really care either way - there are plenty of other people to help.

    I would like to make it a bit harder than setting a static IP to get around firewall rules

    Your SIMPLE solution to that is static arp - 20 devices would take you all of a few minutes to set up. For new devices only give them access to guest network that has very limited access be it wire or wireless.. Until you get their mac and assign them the permission you want, etc.

    More complex way is let them auth your nac and only move them into the specific vlan that gives them the access you want them to have no matter what ip or mac address they have. Since the whole network only has that permission. This is simple enough to do with dynamic assigned vlans and freerad.
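The reservation and static-ARP approach discussed in the post above, as an added audit example (not written by any poster and not pfSense code): it parses `arp -an` output, assumed to be in FreeBSD's format, and flags a reserved MAC seen on a different IP or a reserved IP answered by a different MAC. The reservation table, the sample lines and the function names are constructed for illustration.

```python
import re

# Assumed FreeBSD `arp -an` line shape, e.g.
# ? (192.168.1.10) at aa:bb:cc:dd:ee:01 on igb1 expires in 1187 seconds [ethernet]
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17}) on (\S+)")

# Constructed reservation table: MAC -> reserved IP (hypothetical values).
RESERVATIONS = {
    "aa:bb:cc:dd:ee:01": "192.168.1.10",
    "aa:bb:cc:dd:ee:02": "192.168.1.11",
}

# Constructed sample of ARP table output, not captured from a real system.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 on igb1 permanent [ethernet]
? (192.168.1.10) at aa:bb:cc:dd:ee:01 on igb1 expires in 1187 seconds [ethernet]
? (192.168.1.50) at aa:bb:cc:dd:ee:02 on igb1 expires in 904 seconds [ethernet]
? (192.168.1.11) at aa:bb:cc:dd:ee:99 on igb1 expires in 1100 seconds [ethernet]
? (192.168.1.60) at (incomplete) on igb1 expired [ethernet]
"""

def parse_arp(text):
    """Return (ip, mac, interface) tuples; unresolved entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:  # "(incomplete)" entries have no MAC and do not match
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries

def find_violations(entries, reservations):
    """Compare observed IP/MAC pairs with the reservation table."""
    ip_owner = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac, _iface in entries:
        if mac in reservations and reservations[mac] != ip:
            # Reserved device is answering on an address it was not given.
            findings.append(("reserved-mac-on-other-ip", mac, ip, reservations[mac]))
        elif ip in ip_owner and ip_owner[ip] != mac:
            # Reserved address is being answered by an unexpected MAC.
            findings.append(("reserved-ip-held-by-other-mac", mac, ip, ip_owner[ip]))
    return findings

if __name__ == "__main__":
    for finding in find_violations(parse_arp(SAMPLE_ARP), RESERVATIONS):
        print(finding)
```

A device that presents a reserved MAC on that MAC's reserved IP produces no finding, which is the limitation of MAC-based binding raised in the thread.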

  • @johnpoz Thank you for showing your true colours. Maybe you've been doing this too long if you don't give two shits. As a moderator you set a poor example of how to treat people. I'm out of here and won't be checking back so feel free to flame away if it makes you feel better.

  • @ said in DHCP Arp Table Static Entry - to bind mac to IP:

    But fair enough, here's what I'd like to do.

    I don't think we're trying to be condescending, but it's obvious to many of us here that you're going about this the wrong way. I pointed out a very easy way to prevent users from changing the IP address and improving security too. Many of us here have worked with computers and networks professionally. Johnpoz mentioned his background above and I first started working with LANs in 1978, currently work with them and have also done first and 3rd level support at IBM, among many other things. However, you seem to insist on ignoring advice based on experience and doing things in a way we don't think is suitable.
