Netgate Discussion Forum

Filtering specific devices, using mac-based Policy Filtering

Firewalling
28 Posts 5 Posters 2.7k Views
    louis2
    last edited by Jul 8, 2020, 7:01 AM

    Hello,

    IMHO good IPv6 firewalling is only possible with the addition of MAC-based filtering. See my thread “FW-rules related to a specific IPv6-device”. So I am looking for options to achieve that.

    Regrettably pfSense does not support MAC-based firewall rules, however pfSense does support “Policy Based Filtering” (Filter rules advanced).

    Policy Based routing is based on the idea to Tag an ethernet frame in rule-1 and to use that tag in rule-2.

    And … the trick is ... that it should be possible to set that tag on ethernet level, based on source mac of one of your devices in one of your own directly pfSense attached (v)lans.

    Anyone know how to do that in pfSense?
    Anyone with experience with that?

    Of course it would be a terrific idea if it could be implemented in the Gui ☺ ☺

    Louis
    Also see e.g. http://www.openbsd.org/faq/pf/tagging.html

      jimp Rebel Alliance Developer Netgate
      last edited by Jul 8, 2020, 2:57 PM

      pf does not see L2 info, and the tags have to be set by and read by pf, so that isn't possible.

      Also, IPv6 filtering by MAC is just as inaccurate as IPv4. IPv6 hosts are identified by their DUID, not MAC. But the DUID is not visible in packets.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        louis2
        last edited by Jul 8, 2020, 4:27 PM

        @jimp

        No, DUID should never/not be used. It is not stable. The MAC-address is(!), apart from spoofing.

        There are a significant number of firewalls out there which do support MAC filtering, for exactly the indicated problem (you can use it in a combined IPv4/IPv6 rule as well).

        Yep, I know that pf does not support MAC filtering, however as far as my knowledge goes, tags are stored in the ethernet frame and pf can read the frames. It even does already do so ☺ in the case of the already pfSense-supported policy based routing.

        So if there is a functionality in layer 2 which sets that tag before the frame arrives at pf, pf should be able to deal with it.

        As example see the link in the first post (not the best one, but it gives some idea).

        Louis

          jimp Rebel Alliance Developer Netgate
          last edited by Jul 8, 2020, 4:35 PM

          You are wrong. The DUID is stable for every interface on a host since it identifies the host itself uniquely. MAC addresses and IAID values vary by interface. A host will have the same DUID no matter what interface it uses.

          MAC address randomization for privacy is also a thing. Evading MAC address blocks is trivial.

            jimp Rebel Alliance Developer Netgate
            last edited by Jul 8, 2020, 4:53 PM

            Some reading:

            https://tools.ietf.org/html/rfc8415#section-11

            https://tools.ietf.org/html/rfc7844

              louis2
              last edited by Jul 8, 2020, 5:13 PM

              @jimp

              I will read the documentation carefully, but I have some doubts about DUID stability.
              ...... and I never heard about DUID filtering .....

              I understand that the DUID is created by the node/computer/IoT device itself. I believe that there are 3 types of DUID:

              DUID-LLT = link layer address plus timestamp
              Vendor assigned unique ID based on manufacturer
              Link layer address

              A problem with MACs could be, depending on use case, that you can assign multiple IPs to one MAC. So you would block everything, which could be an advantage or a disadvantage.

              As said I will read the docs.

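As an added example (not code from this thread or from pfSense), here is a decoder for the four DUID formats that RFC 8415 section 11, linked above, defines: DUID-LLT, DUID-EN, DUID-LL and DUID-UUID. It shows which types embed a link-layer address and which do not, which matters when reconciling a DHCPv6 lease table against switch MAC tables; all sample DUIDs are constructed, not captured from any network.

```python
"""Decode DHCPv6 DUIDs (RFC 8415 section 11). Added example; samples are constructed."""
import struct, uuid
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4  # type codes, RFC 8415 section 11
HW_ETHERNET = 1  # IANA hardware type for Ethernet (same registry ARP uses)
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base, mod 2**32

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_duid(raw: bytes) -> dict:
    """Return the fields of one DUID; raise ValueError on malformed input."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    (dtype,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if dtype == DUID_LLT:  # hw type (2) + time (4) + link-layer address
        if len(body) < 7:
            raise ValueError("DUID-LLT truncated")
        hw, secs = struct.unpack("!HI", body[:6])
        return {"name": "DUID-LLT", "hw_type": hw, "link_layer": _mac(body[6:]),
                "generated": DUID_EPOCH + timedelta(seconds=secs)}
    if dtype == DUID_EN:  # enterprise number (4) + vendor-assigned identifier
        if len(body) < 5:
            raise ValueError("DUID-EN truncated")
        (pen,) = struct.unpack("!I", body[:4])
        return {"name": "DUID-EN", "enterprise": pen, "identifier": body[4:].hex()}
    if dtype == DUID_LL:  # hw type (2) + link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL truncated")
        (hw,) = struct.unpack("!H", body[:2])
        return {"name": "DUID-LL", "hw_type": hw, "link_layer": _mac(body[2:])}
    if dtype == DUID_UUID:  # exactly one 128-bit UUID
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"name": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"name": f"unknown-type-{dtype}", "payload": body.hex()}

def embedded_mac(raw: bytes):
    """MAC exposed by the DUID, or None: only LLT/LL over Ethernet carry one.
    A DUID-LLT keeps the MAC of the interface it was first generated on."""
    info = parse_duid(raw)
    if info["name"] in ("DUID-LLT", "DUID-LL") and info["hw_type"] == HW_ETHERNET:
        return info["link_layer"]
    return None

# Constructed sample DUIDs, not captured from any real network.
SAMPLES = {
    "llt": bytes.fromhex("0001" "0001" "20000000" "001122334455"),
    "en": bytes.fromhex("0002" "00000009" "0cc084d303000912"),
    "ll": bytes.fromhex("0003" "0001" "001122334455"),
    "uuid": bytes.fromhex("0004" "00112233445566778899aabbccddeeff"),
}
```

A DUID-EN or DUID-UUID reveals no hardware address at all, so a lease table keyed on such DUIDs cannot be matched to MACs without the DHCPv6 relay or switch supplying that link.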
                jimp Rebel Alliance Developer Netgate
                last edited by Jul 8, 2020, 5:17 PM

                You wouldn't filter by DUID, necessarily, but you would assign static addresses based on the DUID and filter on the statics. Naturally someone could change their address to static and get around that, too, but it's as good as other methods in that regard, plus has the benefit of catching wired and wireless versions of the same client. Of course that doesn't help SLAAC or link-local. IPv6 has done a lot to enable user privacy, but it's a nightmare for network admins if you need to corral malicious users.

                  louis2
                  last edited by Jul 8, 2020, 5:33 PM

                  @jimp,

                  My first impression is that that only helps for incoming and not for outgoing (as seen from the "device" to filter).

                  If my impression is correct ..... , it is not / far from "an optimal" solution.

                  Louis

                  Note that an average IP-device has lots of IP-addresses …….
                  IPv6 Address. . . . . . . . . . . : 2001:abc:axyz:1cd::33(Preferred)
                  IPv6 Address. . . . . . . . . . . : 2001:abc:axyz:1cd::f34b(Preferred)
                  IPv6 Address. . . . . . . . . . . : 2001:abc:axyz:1cd:a827:d6e7:38b0:7beb(Preferred)
                  Temporary IPv6 Address. . . . . . : 2001:abc:axyz:1cd:a02f:8726:d593:c682(Preferred)
                  Link-local IPv6 Address . . . . . : fe80::a827:d6e7:38b0:7beb%3(Preferred)

                    JKnott @jimp
                    last edited by Jul 8, 2020, 5:55 PM

                    @jimp said in Filtering specific devices, using mac-based Policy Filtering:

                    You are wrong. The DUID is stable for every interface on a host since it identifies the host itself uniquely. MAC addresses and IAID values vary by interface. A host will have the same DUID no matter what interface it uses.
                    MAC address randomization for privacy is also a thing.

                    I thought the DUID was for use with DHCPv6 and would not be in every packet, as required for a firewall. Also, while I am aware of MAC spoofing, I haven't heard of MAC randomization. IPv6 privacy addresses use random numbers though.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                      JKnott @jimp
                      last edited by Jul 8, 2020, 5:57 PM

                      @jimp said in Filtering specific devices, using mac-based Policy Filtering:

                      You wouldn't filter by DUID, necessarily, but you would assign static addresses based on the DUID and filter on the statics.

                      That would require using DHCPv6 on the LAN side, where SLAAC is often used. With SLAAC, you can have up to 7 privacy addresses and you get a fresh one every day.

                        JKnott @louis2
                        last edited by Jul 8, 2020, 5:59 PM

                        @louis2 said in Filtering specific devices, using mac-based Policy Filtering:

                        that you can assign multiple IP to one MAC.

                        That's entirely normal with IPv6. With SLAAC, GUA, ULA and link local addresses, I have up to 17 different IPv6 addresses for each MAC.

                          louis2
                          last edited by Jul 8, 2020, 6:16 PM

                          @JKnott,

                          Yep, of course all you wrote is true! That's exactly the reason I advocate for MAC-filtering!
                          ☺

                          Louis

                            jimp Rebel Alliance Developer Netgate
                            last edited by Jul 8, 2020, 6:17 PM

                            Right, you don't see the DUID in a packet, but it is used to uniquely identify a host. MAC addresses are no longer considered a reliable unique host identifier. They are used in some places to help form certain kinds of automatic addresses, but they can be changed/randomized/etc. See my link to RFC 7844 above which has info on it (though some is still theoretical).

                              louis2
                              last edited by Jul 8, 2020, 6:21 PM

                              @jimp

                              I need something which can be used for incoming and for outgoing and which is stable apart from spoofing!

                              Louis

                                JKnott @jimp
                                last edited by Jul 8, 2020, 6:24 PM

                                @jimp

                                Once again, you don't see DUID on the wire, except with DHCPv6. This means you cannot filter on it and would require DHCPv6 to assign addresses. That brings us to the problem where (for some idiotic reason) Android devices can't use DHCPv6.

                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Jul 8, 2020, 6:29 PM

                                  And pf can't filter based on MACs, so that's a dead end and not a possibility.

                                  Also you can't do MAC filtering on traffic inbound from the Internet to local hosts so that doesn't help you in that direction anyhow.

                                  "stable apart from spoofing" is meaningless since unless you isolate and filter clients properly at L1/L2 (read: switches and APs) everything can be spoofed.

                                    JKnott @jimp
                                    last edited by Jul 8, 2020, 6:45 PM

                                    @jimp

                                    I built my first firewall with Slackware Linux and IPChains, later SUSE and IPTables. I don't remember about IPChains, but IPTables could definitely filter on MAC addresses. The reason I switched to pfSense was because Linux didn't work with DHCPv6-PD.

                                    Also you can't do MAC filtering on traffic inbound from the Internet to local hosts so that doesn't help you in that direction anyhow.

                                    Yep. I was at a Linux meeting a few years ago, where I had to correct the presenter on that point.

                                      bmeeks
                                      last edited by bmeeks Jul 8, 2020, 6:46 PM

                                      In a manner of speaking, widespread adoption of IPv6 in the future is going to just about send firewalls the way of the horse and buggy ... ☺. There is, of course, some hyperbole in that statement, but ...

                                      Individual client security/monitoring/policing will get way harder than today since a given client can have a ton of addresses. Sure you will still be able to do subnet-level stuff, but individual host stuff gets orders of magnitude harder.

                                        louis2
                                        last edited by Jul 8, 2020, 6:46 PM

                                        @jimp

                                        If I have a computer or an IoT device I want to limit in its behavior, it will be very unlikely that it is spoofed.

                                        And if I was afraid of that, I could try to detect that!

                                        Of course you can only filter on MACs related to my own network, but with that limitation, I do not see a reason why I could not filter based on starting MAC (in vlan-1) or on destination MAC (in vlan-2).

                                        Of course given a situation, where level-2-tags could be read by pf (I think vlanid is one of them)

                                        So I would not be surprised if pf could do that! It is almost identical to policy based routing. But of course that should be checked with a high level expert.

                                        I know that it is possible on OpenBSD and elsewhere, but of course that does not necessarily mean that it is also possible on the FreeBSD/pf combination.

                                        Louis

                                          JKnott @louis2
                                          last edited by Jul 8, 2020, 6:48 PM

                                          @louis2

                                          Of course, this is a FreeBSD problem, not pfSense, due to the pf filtering that FreeBSD uses. If it used IPTables, it wouldn't be an issue. So, this problem really should go back to the FreeBSD folks.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.