pfsense colocation sharing the same mac address filter

SCG

Hey,
im would like to setup 2 Pfsense systems what copy each others mac address filter.

is there a way todo this ?

Thanks

johnpoz

Which mac addresses? Captive Portal, Static Arp? Dhcpd allow/deny listing?

I take it these pfsense installs are not in a HA pair? Is this mac address list something that will be somewhat static and only be changed now and then or is something dynamic your going to be constantly changing?

SCG

yes im speaking about the captiv portal,
it is not a HA setup, both pfsenses are at a different location

johnpoz

https://www.netgate.com/docs/pfsense/highavailability/configuring-high-availability.html

Everyone now has access to the book so here
https://www.netgate.com/docs/pfsense/book/highavailability/index.html

Location doesn't mean they couldn't be in HA.. You just have an extended vlan between the 2 locations. We run multiple HA setups of all kinds of systems router/firewall in different DCs that are miles and miles apart.

If they are in different locations why would the captive portal mac address come into play.. Users that frequent both locations?

SCG

just updated my post please reread it.

johnpoz

Just edited mine as well ;)

SCG

if i understood it correctly it shares to config completely, we have 2 different subnets (2 different factorys) with 2 different public ips

johnpoz

If they are 2 different locations why would you need to have the same captive portal mac address list? Users move between these locations.

How often do you have to add/edit this list? Make the 2 edits directly? You could always just grab the passthrumac list from captiveportal backup section?

<passthrumac>
<action>pass</action>
<mac>00:00:00:01:02:03</mac>
<descr><![CDATA[test]]></descr>
</passthrumac>

And edit the xml directly.. Guess you could create some script to auto do that for you.

SCG

we get around 2 entrys a day, but the update between the servers rather quickly so i guess the backup solution isnt the best.

johnpoz

Not really grasping this use case.. How are you using the captive portal exactly? Captive portal is normally used for guests, etc. Why would your company devices that move between locations not be on a different wifi?

Could you give some more detail on what your doing exactly with the captive portal and why you need these mac address in more than 1 location?

SCG

we also use the captive portal as a mac address filter to block unwanted acccess.
some users drive between the 2 factorys in a short time for audits.

i would like to sync the whole captive portal between both pfsenses

johnpoz

Still not getting the point here... Who exactly are you blocking.. Why would they not just be blocked because they can not auth?

So far it seems like busy work..

What does this mac address you put in allow or deny.. What happens if you don't put in the mac address?

SCG

im using the captive portal as a mac filter.

only the mac addresses i allow should access the network.

at both factorys.

johnpoz

On your wired network? Or wireless?

SCG

both

johnpoz

you do understand that only stops mac address talking to pfsense and beyond - it doesn't stop devices from talking to stuff on the network they are connecting to.

Your going about it the wrong way if what your looking for is a NAC.

So your wireless is OPEN? Mac filtering is not a security method.. Nobody should be able to access your wifi without auth.. Other than a guest network sort of setup, where the captive portal is used to have some bit of control, etc.

SCG

does this allow me to sync to configs between 2 locations too?

johnpoz

Your nac should really be central controlled, etc.. so yes your nac would control your whole network. no matter how many locations you had.

Something like packetfence would be how you would run a free/lowcost nac..

https://packetfence.org/

While I say low cost and not FREE is because you may need to change out some local hardware to support such a setup, etc. But there are low cost switches and such that can be used. Would really need more details of your network to say.. But mac filtering in the captive portal is not meant as any sort of nac..

Lets say you have a switch, and I plug in device... I can talk to anything on that network - all your captive portal mac filter does is prevent me from talking to or past pfsense. it doesn't actually prevent me from getting on the network.

Which is is why trying to understand what exactly your wanting to accomplish to find the best solution... Other than syncing some mac filter list between pfsense boxes.

SCG

okay, i understand your point now.
could i automaticlly put non "authed" hosts on a seperate vlan/ip range ?
of course you could bypass that with a static ip.

is there a packetfence integration with pfsense ?

deniz.sahan

@johnpoz Hello ı also created a script for this.
So ı am taking mac information from one captive portal and transfer it to the other one.
Here I am using config.xml but after each time to send <passthrumac> do ı have to reboot the system.
Without rebooting it is not effective. :(