Netgate Discussion Forum

    pfsense colocation sharing the same mac address filter

    Captive Portal
    23 Posts 4 Posters 2.3k Views
    • S
      SCG
      last edited by

      Hey,
      I would like to set up 2 pfSense systems that copy each other's MAC address filter.

      Is there a way to do this?

      Thanks

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Which MAC addresses? Captive Portal, static ARP? DHCPD allow/deny listing?

        I take it these pfSense installs are not in an HA pair? Is this MAC address list something that will be somewhat static and only be changed now and then, or is it something dynamic you're going to be constantly changing?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • S
          SCG
          last edited by SCG

          Yes, I'm speaking about the captive portal.
          It is not an HA setup; both pfSenses are at different locations.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            https://www.netgate.com/docs/pfsense/highavailability/configuring-high-availability.html

            Everyone now has access to the book so here
            https://www.netgate.com/docs/pfsense/book/highavailability/index.html

            Location doesn't mean they couldn't be in HA.. You just have an extended VLAN between the 2 locations. We run multiple HA setups of all kinds of systems, routers/firewalls, in different DCs that are miles and miles apart.

            If they are in different locations, why would the captive portal MAC address come into play.. Users that frequent both locations?


            • S
              SCG
              last edited by

              Just updated my post, please reread it.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Just edited mine as well ;)


                • S
                  SCG
                  last edited by SCG

                  If I understood it correctly, it shares the config completely. We have 2 different subnets (2 different factories) with 2 different public IPs.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    If they are 2 different locations, why would you need to have the same captive portal MAC address list? Users move between these locations.

                    How often do you have to add/edit this list? Make the 2 edits directly? You could always just grab the passthrumac list from the captive portal backup section?

                    <passthrumac>
                    <action>pass</action>
                    <mac>00:00:00:01:02:03</mac>
                    <descr><![CDATA[test]]></descr>
                    </passthrumac>
                    

                    And edit the XML directly.. Guess you could create some script to auto do that for you.


                    • S
                      SCG
                      last edited by

                      We get around 2 entries a day, but the update between the servers has to be rather quick, so I guess the backup solution isn't the best.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Not really grasping this use case.. How are you using the captive portal exactly? Captive portal is normally used for guests, etc. Why would your company devices that move between locations not be on a different wifi?

                        Could you give some more detail on what you're doing exactly with the captive portal and why you need these MAC addresses in more than 1 location?


                        • S
                          SCG
                          last edited by

                          We also use the captive portal as a MAC address filter to block unwanted access.
                          Some users drive between the 2 factories in a short time for audits.

                          I would like to sync the whole captive portal between both pfSenses.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            Still not getting the point here... Who exactly are you blocking.. Why would they not just be blocked because they cannot auth?

                            So far it seems like busy work..

                            What does this MAC address you put in allow or deny.. What happens if you don't put in the MAC address?


                            • S
                              SCG
                              last edited by

                              I'm using the captive portal as a MAC filter.

                              Only the MAC addresses I allow should access the network.

                              At both factories.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                On your wired network? Or wireless?


                                • S
                                  SCG
                                  last edited by

                                  Both.

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by johnpoz

                                    You do understand that only stops a MAC address talking to pfSense and beyond - it doesn't stop devices from talking to stuff on the network they are connecting to.

                                    You're going about it the wrong way if what you're looking for is a NAC.

                                    So your wireless is OPEN? MAC filtering is not a security method.. Nobody should be able to access your wifi without auth.. Other than a guest network sort of setup, where the captive portal is used to have some bit of control, etc.


                                    • S
                                      SCG
                                      last edited by

                                      Does this allow me to sync the configs between 2 locations too?

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        Your NAC should really be centrally controlled, etc.. so yes, your NAC would control your whole network, no matter how many locations you had.

                                        Something like PacketFence would be how you would run a free/low-cost NAC..

                                        https://packetfence.org/

                                        While I say low cost and not FREE, that is because you may need to change out some local hardware to support such a setup, etc. But there are low-cost switches and such that can be used. Would really need more details of your network to say.. But MAC filtering in the captive portal is not meant as any sort of NAC..

                                        Let's say you have a switch, and I plug in a device... I can talk to anything on that network - all your captive portal MAC filter does is prevent me from talking to or past pfSense. It doesn't actually prevent me from getting on the network.

                                        Which is why I'm trying to understand what exactly you're wanting to accomplish, to find the best solution... Other than syncing some MAC filter list between pfSense boxes.


                                        • S
                                          SCG
                                          last edited by

                                          Okay, I understand your point now.
                                          Could I automatically put non-"authed" hosts on a separate VLAN/IP range?
                                          Of course you could bypass that with a static IP.

                                          Is there a PacketFence integration with pfSense?

                                          • D
                                            deniz.sahan @johnpoz
                                            last edited by

                                            @johnpoz Hello, I also created a script for this.
                                            So I am taking MAC information from one captive portal and transferring it to the other one.
                                            Here I am using config.xml, but after each time I send <passthrumac> I have to reboot the system.
                                            Without rebooting it is not effective. :(

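As an added example (editor's code, not from the thread, pfSense or PacketFence), here is the kind of script johnpoz suggests and deniz.sahan describes: pull the passthrumac entries out of one site's config.xml and append only the ones missing at the other site, refusing malformed MACs so a typo at one factory is not copied to the other. The zone name "factory", the <captiveportal><ZONE> nesting and both sample configs are constructed assumptions; the <passthrumac> layout follows the fragment quoted above.

```python
import re
import xml.etree.ElementTree as ET
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # canonical form, compared lowercase

# Constructed sample configs, trimmed to the captive portal section of each site.
# Assumption: <passthrumac> entries sit under <captiveportal><ZONE> (ZONE = portal zone name);
# the entry layout follows the fragment johnpoz quoted.
SITE_A = """<pfsense><captiveportal><factory>
<passthrumac><action>pass</action><mac>00:00:00:01:02:03</mac><descr><![CDATA[test]]></descr></passthrumac>
<passthrumac><action>pass</action><mac>AA:BB:CC:DD:EE:01</mac><descr><![CDATA[auditor laptop]]></descr></passthrumac>
<passthrumac><action>pass</action><mac>not-a-mac</mac><descr>typo, must not be copied</descr></passthrumac>
</factory></captiveportal></pfsense>"""
SITE_B = """<pfsense><captiveportal><factory>
<passthrumac><action>pass</action><mac>00:00:00:01:02:03</mac><descr><![CDATA[test]]></descr></passthrumac>
<passthrumac><action>pass</action><mac>00:11:22:33:44:55</mac><descr>local printer</descr></passthrumac>
</factory></captiveportal></pfsense>"""

def zone_node(root, zone):
    """Locate the zone element; fail loudly rather than silently syncing nothing."""
    node = root.find(f"./captiveportal/{zone}")
    if node is None:
        raise ValueError(f"captive portal zone {zone!r} not found")
    return node

def passthru_entries(xml_text, zone):
    """Return {mac: (action, descr)} for the zone's well-formed entries; malformed MACs are skipped."""
    entries = {}
    for pm in zone_node(ET.fromstring(xml_text), zone).findall("passthrumac"):
        mac = (pm.findtext("mac") or "").strip().lower()
        if not MAC_RE.match(mac):
            continue  # a bad entry on one site must not be propagated to the other
        entries[mac] = (pm.findtext("action") or "pass", pm.findtext("descr") or "")
    return entries

def merge_passthru(src_xml, dst_xml, zone):
    """Append entries present at src but missing at dst. Returns (merged dst xml, added macs)."""
    dst_root = ET.fromstring(dst_xml)
    dst_zone = zone_node(dst_root, zone)
    present = passthru_entries(dst_xml, zone)
    added = []
    for mac, (action, descr) in sorted(passthru_entries(src_xml, zone).items()):
        if mac in present:
            continue  # already allowed at the destination; keep its local description
        pm = ET.SubElement(dst_zone, "passthrumac")
        ET.SubElement(pm, "action").text = action
        ET.SubElement(pm, "mac").text = mac
        ET.SubElement(pm, "descr").text = descr  # ET escapes text rather than emitting CDATA
        added.append(mac)
    return ET.tostring(dst_root, encoding="unicode"), added
```

Writing the merged text back to config.xml is not enough on its own: pfSense works from a cached copy of the parsed configuration and the portal's pass-through rules are only rebuilt when the configuration is reloaded, which is the reboot deniz.sahan ran into.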
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.