[Solved]: MAC deny or allow lists



  • Hi,

    Is there a way to load a file of MAC addresses for MAC deny or allow under DHCP?
    Typing a MAC address into a text box seems quiet inefficient and error prone so hoping there is a better way of loading a file.
    Thanks,

    Pankaj



  • @pankaj13

    PfSense doesn't filter on MAC addresses.



  • @JKnott
    What you said is true (excepting captive portal functions), but that's not what he asked.
    The DHCP Server has input boxes for MAC addresses to allow or deny from DHCP.
    @pankaj13
    As far as I know, you have to type/paste those into the input box unless you want to edit the config and reload the dhcp section. (which I've never attempted)



  • Thanks @JKnott and thanks to @Dotdash for adding clarification and the intent of my query.

    The UI pfSense has for creating Port and IP aliases is really nice as you can write some descriptive notes and revisit to revise/update entries. The single text box of MAC deny/allow tends to get clunky over time but it is likely that I may be using it incorrectly.

    Here is a brief description of my home network:

    • The pfSense machine has three ethernet slots which I am using for WAN, LAN1 & LAN2
    • LAN1 is the main network and all the devices (wired or wireless) have a static IP assigned under DHCP server.
    • LAN2 is more experimental and also available to all guests or unknown/temp devices

    Also set “Deny unknown clients” to “yes” on LAN1 which prohibits any unknown or less trusted device from ever venturing into LAN1.

    But the challenge I was running into was that few of the LAN1 device (particularly wireless ones) were able to get IP address assigned under LAN2. To overcome this, I added all the home devices (25+) in LAN2 DHCP under “MAC Deny” so that these devices would never get a LAN2 address. So hopefully you can understand my challenge with adding 25+ MAC address in a single text field and hence the reason for my query.

    Is there an easier way to do this or I am just complicating my life?



  • Freeradius 802.1x pop in your trusted mac addresses and set up the switches.

    Set the LAN2 vlan to be your guest vlan.

    Configure your switch & ports for 802.1x.

    Any macs not registered in freeradius automatically join LAN2.



  • @NogBadTheBad Thanks! I did take a look at FreeRadius and had no prior experience of it so it seems like a steep learning curve but looks promising. I solved the problem my writing a manaul Google Spreadsheet from which I can copy and paste.
    If you know of any easier resource for FreeRadiu newbie please post here - all the links I got in search were for more sophisticated use cases and my requirements are quiet simple.


Log in to reply