pfsense colocation sharing the same mac address filter



  • Hey,
    im would like to setup 2 Pfsense systems what copy each others mac address filter.

    is there a way todo this ?

    Thanks


  • Rebel Alliance Global Moderator

    Which mac addresses? Captive Portal, Static Arp? Dhcpd allow/deny listing?

    I take it these pfsense installs are not in a HA pair? Is this mac address list something that will be somewhat static and only be changed now and then or is something dynamic your going to be constantly changing?



  • yes im speaking about the captiv portal,
    it is not a HA setup, both pfsenses are at a different location


  • Rebel Alliance Global Moderator

    https://www.netgate.com/docs/pfsense/highavailability/configuring-high-availability.html

    Everyone now has access to the book so here
    https://www.netgate.com/docs/pfsense/book/highavailability/index.html

    Location doesn't mean they couldn't be in HA.. You just have an extended vlan between the 2 locations. We run multiple HA setups of all kinds of systems router/firewall in different DCs that are miles and miles apart.

    If they are in different locations why would the captive portal mac address come into play.. Users that frequent both locations?



  • just updated my post please reread it.


  • Rebel Alliance Global Moderator

    Just edited mine as well ;)



  • if i understood it correctly it shares to config completely, we have 2 different subnets (2 different factorys) with 2 different public ips


  • Rebel Alliance Global Moderator

    If they are 2 different locations why would you need to have the same captive portal mac address list? Users move between these locations.

    How often do you have to add/edit this list? Make the 2 edits directly? You could always just grab the passthrumac list from captiveportal backup section?

    <passthrumac>
    <action>pass</action>
    <mac>00:00:00:01:02:03</mac>
    <descr><![CDATA[test]]></descr>
    </passthrumac>
    

    And edit the xml directly.. Guess you could create some script to auto do that for you.



  • we get around 2 entrys a day, but the update between the servers rather quickly so i guess the backup solution isnt the best.


  • Rebel Alliance Global Moderator

    Not really grasping this use case.. How are you using the captive portal exactly? Captive portal is normally used for guests, etc. Why would your company devices that move between locations not be on a different wifi?

    Could you give some more detail on what your doing exactly with the captive portal and why you need these mac address in more than 1 location?



  • we also use the captive portal as a mac address filter to block unwanted acccess.
    some users drive between the 2 factorys in a short time for audits.

    i would like to sync the whole captive portal between both pfsenses


  • Rebel Alliance Global Moderator

    Still not getting the point here... Who exactly are you blocking.. Why would they not just be blocked because they can not auth?

    So far it seems like busy work..

    What does this mac address you put in allow or deny.. What happens if you don't put in the mac address?



  • im using the captive portal as a mac filter.

    only the mac addresses i allow should access the network.

    at both factorys.


  • Rebel Alliance Global Moderator

    On your wired network? Or wireless?



  • both


  • Rebel Alliance Global Moderator

    you do understand that only stops mac address talking to pfsense and beyond - it doesn't stop devices from talking to stuff on the network they are connecting to.

    Your going about it the wrong way if what your looking for is a NAC.

    So your wireless is OPEN? Mac filtering is not a security method.. Nobody should be able to access your wifi without auth.. Other than a guest network sort of setup, where the captive portal is used to have some bit of control, etc.



  • does this allow me to sync to configs between 2 locations too?


  • Rebel Alliance Global Moderator

    Your nac should really be central controlled, etc.. so yes your nac would control your whole network. no matter how many locations you had.

    Something like packetfence would be how you would run a free/lowcost nac..

    https://packetfence.org/

    While I say low cost and not FREE is because you may need to change out some local hardware to support such a setup, etc. But there are low cost switches and such that can be used. Would really need more details of your network to say.. But mac filtering in the captive portal is not meant as any sort of nac..

    Lets say you have a switch, and I plug in device... I can talk to anything on that network - all your captive portal mac filter does is prevent me from talking to or past pfsense. it doesn't actually prevent me from getting on the network.

    Which is is why trying to understand what exactly your wanting to accomplish to find the best solution... Other than syncing some mac filter list between pfsense boxes.



  • okay, i understand your point now.
    could i automaticlly put non "authed" hosts on a seperate vlan/ip range ?
    of course you could bypass that with a static ip.

    is there a packetfence integration with pfsense ?


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy