• Hi

    I want to control which devices are able to access my network.

    I can foresee more technical users just spoofing the MAC address to get around it.

    Is there a way in pfSense I can prevent MAC address spoofing?


  • @ageis

    No, not if they're cloning the address. There is a bit in the MAC that is supposed to show a locally assigned address, but cloning seems to get around that.

  • LAYER 8 Global Moderator

    You mean like with your captive portal? Or are you doing static ARP?

    The best way to deal with that sort of thing would be with 802.1x, i.e. setting up NAC at your layer 2 devices.. This way the device has to actually auth to get on the network.


  • Sorry if I am not clear enough.

    I want to control who is able to connect to my Ubiquiti AP via MAC.
    However, if one knows the MAC address of one of my devices, you could potentially connect to the wifi.

    Is there a way I can stop this?

    Also what is NAC? Never heard of it.

  • LAYER 8 Global Moderator

    Network Access Control (NAC)... Also called PNAC, Port Network Access Control.. Take a look at PacketFence as a way to run this on your network.

    I want to control who is able to connect to my Ubiquiti AP via MAC.

    That is just stupid.. As you already understand, MAC spoofing is so easy anyone with access to Google could figure it out.. This is why you would AUTH to get on your wifi.. I.e. the PSK would need to be known, or you could get more advanced and use enterprise, where they need to auth with username/password - or better yet EAP-TLS, where they also need a certificate assigned by you to that device, etc. etc..

    MAC filtering can be used as, say, a control method for saying the kids' tablet cannot connect between the hours of 10pm and 7am or something... But it's not actually a valid security method.

    Require your wireless devices to auth, use a strong PSK and do not share it with people you do not want to access. If you want user A, who has your PSK, not to be able to connect device X.. then use a control method other than MAC address if you're worried about the user also spoofing the MAC address when they know the PSK or other EAP method.. For example you could require EAP-TLS that is tied to the device.

    Most of this is outside the realm of pfSense to be honest.. While you could run the freeradius package on pfSense to provide better means of authing.. While you can do stuff with static ARP and captive portal to control via MAC on pfSense, it is an L3 firewall.. And while captive portal and static ARP can be used as a control method for MAC address.. It can not prevent spoofing of a MAC that is allowed.

    Look into 802.1x as a way to auth a client other than by MAC address.

    I use the freerad package and EAP-TLS to auth to my trusted wifi network.. Only devices that have a cert issued by me can auth to this network.. Now in theory if they had a second device, they could export this cert and install it on a 2nd device, etc. But this is much more involved than just spoofing a MAC.. And if the device is a work device, they would have to have the appropriate permissions on the device to export it to put on a personal device - which they should not have, etc.

    But no matter the method of the auth, if a user has it - be it a PSK, username/password, MAC address, cert, etc. - it can be difficult to stop them from using that on another device. You could look to 3rd party supplicant software that would auth to your 802.1x controls.. So they would also need to be able to install this software on their device to be able to auth.. This agent would also be controlled by you and only installed on devices you want to allow on the network, be it wireless or wired even.
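Two points in this thread can be turned into a small detection routine on the DHCP side: the "locally assigned" bit in a MAC mentioned in the second reply, and the moderator's point that an allow-listed MAC cannot be protected from being reused by a second device. The following is an added example, not code from the thread or from pfSense; the allow list, the hostnames and the DHCPACK log format are constructed assumptions. It flags MACs not on the allow list, MACs with the locally administered bit set, and an allowed MAC that starts announcing a different DHCP hostname than before, which is the only DHCP-level hint you get when a cloned address is in use.

```python
import re
from collections import defaultdict

# Constructed sample: an admin-maintained MAC allow list (the "control via MAC"
# the thread discusses) with the hostname each device normally announces.
ALLOWED = {
    "3c:22:fb:11:22:33": "kids-tablet",
    "a4:5e:60:aa:bb:cc": "laptop",
}

# Constructed DHCP server log lines (the format is an assumption, not pfSense output).
SAMPLE_LOG = """\
2024-03-01T21:55:10 DHCPACK on 192.168.1.20 to 3c:22:fb:11:22:33 (kids-tablet)
2024-03-01T22:10:41 DHCPACK on 192.168.1.21 to a4:5e:60:aa:bb:cc (laptop)
2024-03-01T22:30:05 DHCPACK on 192.168.1.22 to 3c:22:fb:11:22:33 (android-9f3c)
2024-03-01T22:31:12 DHCPACK on 192.168.1.23 to 02:11:22:33:44:55 (unknown-phone)
"""

LINE_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to ([0-9a-f:]{17}) \((\S+)\)$")


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set.

    Vendor-burned addresses have it clear; a hand-set or randomised address
    usually has it set. A cloned burned-in MAC passes this check, which is
    exactly why the thread says the bit does not stop cloning.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def audit_leases(log, allowed):
    """Return (timestamp, mac, reason) findings for suspicious lease events."""
    findings = []
    seen_names = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, _ip, mac, host = m.groups()
        if mac not in allowed:
            findings.append((ts, mac, "not-on-allow-list"))
        else:
            # An allowed MAC announcing a new hostname is the best DHCP-level
            # hint that a second device is using that address.
            seen_names[mac].add(host)
            if len(seen_names[mac]) > 1:
                names = ", ".join(sorted(seen_names[mac]))
                findings.append((ts, mac, "hostname-conflict: " + names))
        if is_locally_administered(mac):
            findings.append((ts, mac, "locally-administered-bit"))
    return findings
```

As the thread says, a cloner who also copies the hostname defeats this heuristic too, so treat the findings as an alert feed, not as access control; 802.1x with EAP-TLS remains the actual fix.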