Netgate Discussion Forum

    Preventing mac address spoofing

    Category: L2/Switching/VLANs
    5 Posts 3 Posters 1.7k Views
    • ageis

      Hi

      I want to control which devices are able to access my network.

      I can foresee more technical users just spoofing the mac address to get around it.

      Is there a way in PFSENSE I can prevent mac address spoofing?

      • JKnott @ageis

        @ageis

        No, not if they're cloning the address. There is a bit in the MAC that is supposed to show a locally assigned address, but cloning seems to get around that.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • johnpoz (LAYER 8 Global Moderator)

          You mean like with your captive portal? Or you doing static arp?

          The best way to deal with that sort of thing would be with 802.1x, ie setting up NAC at your layer 2 devices.. This way the device has to actually auth to get on the network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • ageis

            Sorry if I am not clear enough.

            I want to control who is able to connect to my Ubiquiti AP via mac.
            However, if one knows the mac address of one of my devices, you could potentially connect to the wifi.

            Is there a way I stop this?

            Also what is NAC? Never heard of it.

            • johnpoz (LAYER 8 Global Moderator)

              Network Access Control (NAC)... Also called PNAC, Port Network Access Control.. Take a look at Packet Fence as a way to run this on your network.

              > I want to control who is able to connect to my Ubiquiti AP via mac.

              That is just stupid.. As you already understand mac spoofing is so easy anyone with access to google could figure it out.. This is why you would AUTH to get on your wifi.. Ie the PSK would need to be known, or you could get more advanced and use enterprise with need to auth with username/password - or better yet eap-tls, where they also need a certificate assigned by you to that device, etc. etc..

              Mac filtering can be used for say a control method of saying kids tablet can not connect between the hours of 10pm and 7am or something... But it's not actually a valid security method.

              Require your wireless devices to auth, use a strong PSK and do not share it with people you do not want to access. If you want user A that has your psk, not to be able to connect device X.. Then use another control method other than mac address if you're worried about the user also spoofing the mac address and they know the PSK or other eap method.. For example you could require eap-tls that is tied to the device.

              Most of this is outside the realm of pfsense to be honest.. While you could run the freeradius package on pfsense to provide better means of authing.. While you can do stuff with static arp, and captive portal to control via mac on pfsense, it is a L3 firewall.. And while captive portal and static arp can be used as a control method for mac address.. It can not prevent spoofing of a mac that is allowed.

              Look into 802.1x as a way to auth a client other than by mac address.

              I use the freerad package and eap-tls to auth to my trusted wifi network.. Only devices that have a cert issued by me can auth to this network.. Now in theory if they had a second device, they could export this cert and install on a 2nd device, etc. But this is much more involved than just spoofing a mac.. And if the device is a work device, they would have to have the appropriate permissions on the device to export it to put on a personal device - which they should not have, etc.

              But no matter the method of the auth, if a user has it - be it a psk, username/password, mac address, cert, etc. It can be difficult to control them from using that on another device. You could look to 3rd party supplicant software that would auth to your 802.1x controls.. So they would also need to be able to install this software on their device to be able to auth.. This agent would also be controlled by you and only installed on devices you want to allow on the network be it wireless or wired even.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11
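              The thread makes two points a defender can at least monitor for, even though neither is a control: JKnott's locally-administered bit in the first octet of a MAC (hand-set or randomised addresses usually carry it; a straight clone of a real device's address does not), and the fact that a cloned address of an allowed device shows up on the DHCP server as one MAC with more than one client identity. The script below is an added example, not code from the thread, pfSense or Netgate; it runs over a constructed lease export in a hypothetical "mac ip hostname" line format and reports both signals. The real fix remains what johnpoz describes: 802.1X with EAP-TLS so the client has to authenticate rather than merely present an address.

```python
"""Added example: flag two weak indicators of MAC spoofing in DHCP lease data.

Check 1: the locally-administered (U/L) bit, bit 1 of the first octet.
         Randomised or manually assigned addresses usually set it; a cloned
         copy of a vendor-assigned address will not, so this only catches
         the lazy case.
Check 2: one MAC leased with more than one client hostname, which is what a
         cloned address of an allowed device looks like from the server side.
Both are detection aids only; the control is 802.1X/EAP-TLS, not MAC filtering.
"""
from collections import defaultdict

# Constructed sample in a hypothetical "mac ip hostname" format (not real data).
SAMPLE_LEASES = """\
3c:22:fb:aa:bb:01 192.168.1.20 kids-tablet
3c:22:fb:aa:bb:01 192.168.1.77 unknown-laptop
da:15:62:00:11:22 192.168.1.30 random-phone
00:1a:2b:3c:4d:5e 192.168.1.40 printer
"""


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into six bytes; reject anything else."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a colon-separated MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02) of the first octet set => locally administered."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (0x01) set => group address; should never be a client source."""
    return bool(parse_mac(mac)[0] & 0x01)


def parse_leases(text: str) -> list:
    """Parse the constructed 'mac ip hostname' lines, normalising MAC case."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, host = line.split()
        leases.append((mac.lower(), ip, host))
    return leases


def find_anomalies(text: str) -> list:
    """Return (mac, reason) pairs for every lease that trips a check."""
    by_mac = defaultdict(set)
    for mac, ip, host in parse_leases(text):
        by_mac[mac].add((ip, host))

    findings = []
    for mac, entries in by_mac.items():
        if is_multicast(mac):
            findings.append((mac, "multicast bit set on a client address"))
        if is_locally_administered(mac):
            findings.append((mac, "locally-administered bit set"))
        hosts = sorted({host for _, host in entries})
        if len(hosts) > 1:
            findings.append((mac, "same MAC leased to multiple hostnames: " + ", ".join(hosts)))
    return findings


if __name__ == "__main__":
    for mac, reason in find_anomalies(SAMPLE_LEASES):
        print(f"{mac}  {reason}")
```

              Expect false positives from check 2 when a device is renamed or a stale lease overlaps a new one, and none at all from check 1 against a careful clone; treat hits as something to look at, not as proof.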
