pfsense colocation sharing the same mac address filter

  • Hey,
    im would like to setup 2 Pfsense systems what copy each others mac address filter.

    is there a way todo this ?


  • LAYER 8 Global Moderator

    Which mac addresses? Captive Portal, Static Arp? Dhcpd allow/deny listing?

    I take it these pfsense installs are not in a HA pair? Is this mac address list something that will be somewhat static and only be changed now and then or is something dynamic your going to be constantly changing?

  • yes im speaking about the captiv portal,
    it is not a HA setup, both pfsenses are at a different location

  • LAYER 8 Global Moderator

    Everyone now has access to the book so here

    Location doesn't mean they couldn't be in HA.. You just have an extended vlan between the 2 locations. We run multiple HA setups of all kinds of systems router/firewall in different DCs that are miles and miles apart.

    If they are in different locations why would the captive portal mac address come into play.. Users that frequent both locations?

  • just updated my post please reread it.

  • LAYER 8 Global Moderator

    Just edited mine as well ;)

  • if i understood it correctly it shares to config completely, we have 2 different subnets (2 different factorys) with 2 different public ips

  • LAYER 8 Global Moderator

    If they are 2 different locations why would you need to have the same captive portal mac address list? Users move between these locations.

    How often do you have to add/edit this list? Make the 2 edits directly? You could always just grab the passthrumac list from captiveportal backup section?


    And edit the xml directly.. Guess you could create some script to auto do that for you.

  • we get around 2 entrys a day, but the update between the servers rather quickly so i guess the backup solution isnt the best.

  • LAYER 8 Global Moderator

    Not really grasping this use case.. How are you using the captive portal exactly? Captive portal is normally used for guests, etc. Why would your company devices that move between locations not be on a different wifi?

    Could you give some more detail on what your doing exactly with the captive portal and why you need these mac address in more than 1 location?

  • we also use the captive portal as a mac address filter to block unwanted acccess.
    some users drive between the 2 factorys in a short time for audits.

    i would like to sync the whole captive portal between both pfsenses

  • LAYER 8 Global Moderator

    Still not getting the point here... Who exactly are you blocking.. Why would they not just be blocked because they can not auth?

    So far it seems like busy work..

    What does this mac address you put in allow or deny.. What happens if you don't put in the mac address?

  • im using the captive portal as a mac filter.

    only the mac addresses i allow should access the network.

    at both factorys.

  • LAYER 8 Global Moderator

    On your wired network? Or wireless?

  • both

  • LAYER 8 Global Moderator

    you do understand that only stops mac address talking to pfsense and beyond - it doesn't stop devices from talking to stuff on the network they are connecting to.

    Your going about it the wrong way if what your looking for is a NAC.

    So your wireless is OPEN? Mac filtering is not a security method.. Nobody should be able to access your wifi without auth.. Other than a guest network sort of setup, where the captive portal is used to have some bit of control, etc.

  • does this allow me to sync to configs between 2 locations too?

  • LAYER 8 Global Moderator

    Your nac should really be central controlled, etc.. so yes your nac would control your whole network. no matter how many locations you had.

    Something like packetfence would be how you would run a free/lowcost nac..

    While I say low cost and not FREE is because you may need to change out some local hardware to support such a setup, etc. But there are low cost switches and such that can be used. Would really need more details of your network to say.. But mac filtering in the captive portal is not meant as any sort of nac..

    Lets say you have a switch, and I plug in device... I can talk to anything on that network - all your captive portal mac filter does is prevent me from talking to or past pfsense. it doesn't actually prevent me from getting on the network.

    Which is is why trying to understand what exactly your wanting to accomplish to find the best solution... Other than syncing some mac filter list between pfsense boxes.

  • okay, i understand your point now.
    could i automaticlly put non "authed" hosts on a seperate vlan/ip range ?
    of course you could bypass that with a static ip.

    is there a packetfence integration with pfsense ?

  • @johnpoz Hello ı also created a script for this.
    So ı am taking mac information from one captive portal and transfer it to the other one.
    Here I am using config.xml but after each time to send <passthrumac> do ı have to reboot the system.
    Without rebooting it is not effective. :(

  • LAYER 8 Global Moderator

    There is no point to pfsense integration with packetfense because the blocking or allowing of devices happens at the switch level.. Not at the router level.

    Sure you could put non auth devices into a different vlan - this fairly simple to setup and is can be done with freeradius package in pfsense and your switches and or AP need to support dynamic vlan assignment. The unifi AP can do that for sure - and can even do dynamic vlan assignment via psk network based on mac. This allows you for you to have say 1 ssid that guests use, and then specific devices via mac could connect to the same ssid auth with the psk, but be placed on a different vlan.

    But the easier way to do it is just ssid1 puts you in guest network vlan, and ssid2 puts you in different vlan that has different access. No need for understanding any mac address or knowing them up front. You give your guest ssid1 and the psk, they auth and are in a guest vlan that has whatever access you want for that vlan - say just internet access. While other devices that need access to other stuff on other vlans auth to ssid2

  • @johnpoz Actually sir, First of all, I am using 3 SG3100 in different locations. According to my scenario, When the guest comes to location1 and he/she can connect to the internet after the captive portal authentication. Then the guest can go to location2 or location3 and he/she can connect to the internet directly without a captive portal or landing page.
    So when ı configured my captive portals ı checked "Pass-through MAC Auto Entry ".
    Here I just want to copy guest mac addresses from mac list of one captive portal and paste it to another one ( like using mac edit button in captiveportal>macs section)
    I already create the script which is read the mac address and copy to config.xml
    <descr><![CDATA[Auto-added for user 5325555555(phone number)]]></descr>

    the script is running and writing the new mac to config.xml but without rebooting it is not effective.

    to summarize, how can ı edit the config.xml without reboot the system?

  • @deniz-sahan said in pfsense colocation sharing the same mac address filter:

    to summarize, how can ı edit the config.xml without reboot the system?

    You could take some info from the config.xml on site A - but, as you already found out, if you store it in the config.xml on site B : the info isn't taken in account.
    On site B, your script should be (partially) PHP based. You should use the PHP code that already exists, the same one that the GUI is using - to apply and store the info.
    See this file http://your-pfsense//services_captiveportal_mac.php?zone=yourzone how it's done.