Locking device to static mapping
-
I am controlling kids' client devices using static mapping in the DHCP server (and then firewalling internet access on a schedule).
Is it possible to reject a device that has a static IP address?
i.e. reject a MAC address unless it has the desired IP address -
@gil said in Locking device to static mapping:
I am controlling kids' client devices using static mapping in the DHCP server (and then firewalling internet access on a schedule).
Is it possible to reject a device that has a static IP address?
i.e. reject a MAC address unless it has the desired IP address
No, because pf, the firewall engine within pfSense, has no way to tell if an IP is static or dynamic. And it really has no reason to care. All it cares about is how the IP matches up to either specific addresses or address segments in the firewall's rules.
pf does not see the MAC address, so it can't filter on it. There have been several threads opened up here on the forum over time asking about MAC address filtering. That's not something the firewall engine does.
You can split your network up into VLANs if you have not already. One VLAN would be for wireless devices. I'm assuming your kids' client devices are likely mobile (as in phone or tablet ??), so Wi-Fi is their ticket onto the network. So you create a VLAN for Wi-Fi and then put that entire IP subnet into your scheduled firewall rule. That way, even if someone assigns themselves a static IP from that subnet, it still won't work if you block the entire subnet at the firewall. Of course this only works if nothing else is on that subnet but things you want to control. Other Wi-Fi devices that you don't want to restrict would be assigned to a different, secure SSID in another VLAN.
So there are some technical solutions to your problem, but they have some drawbacks and require a lot of legwork on your part. Perhaps a different, non-technology approach to controlling the access might work? Sometimes using a technology approach makes evading it turn into a game for the kids.
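As an added illustration (not from this thread, and not the ruleset pfSense generates), here is the difference between a per-address block and the subnet-wide block described above, written in raw pf syntax. The interface name vlan20, the subnet 192.168.20.0/24 and the host 192.168.20.50 are assumed placeholders; the time schedule itself is applied by pfSense enabling and disabling the rule, not by pf.

```pf
# Assumed: the kids' Wi-Fi VLAN is vlan20 with subnet 192.168.20.0/24
# (placeholder values, not taken from the thread).

# Weak approach: block only the DHCP-mapped address of one device.
# A client that sets any other address in the subnet by hand, say
# 192.168.20.99, never matches this rule and still reaches the internet.
block in quick on vlan20 inet from 192.168.20.50 to any

# Subnet-wide approach: block every source address in the VLAN.
# Static or dynamic makes no difference to pf; any address a client
# picks in 192.168.20.0/24 matches, so there is no free address to move to.
# Local services (DNS to the gateway itself) can still be passed first.
pass in quick on vlan20 inet proto { tcp udp } from 192.168.20.0/24 to (vlan20) port 53
block in quick on vlan20 inet from 192.168.20.0/24 to any

# pfSense's schedule feature toggles the block rule on and off by time;
# outside the blocked hours the VLAN's normal pass rules apply.
```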
-
@bmeeks
But pfSense does see MAC addresses, otherwise it would not be able to create static mappings of DHCP devices, or lock out devices based on MAC addresses.
I simply would like to lock out a MAC address, with an exception for the static mapping. I can then create a firewall rule (layer 3) to schedule access times.
Surely that is not a difficult feature to add? -
@gil said in Locking device to static mapping:
@bmeeks
But pfSense does see MAC addresses, otherwise it would not be able to create static mappings of DHCP devices, or lock out devices based on MAC addresses.
I simply would like to lock out a MAC address, with an exception for the static mapping. I can then create a firewall rule (layer 3) to schedule access times.
Parts of pfSense see the MAC address, but the firewall engine itself does not. That's what I meant. The firewall functions are handled by a portion of the kernel's network stack that does not understand or use the MAC address, thus filtering on that is not possible in firewall rules.
Sure you can use the MAC address for DHCP things, but not for firewall rules.
Surely that is not a difficult feature to add?
Actually, it is. The ipfw engine, used by pfSense to implement the Captive Portal, has an available patch to let it work with MAC addresses. But ipfw is not the firewall rules engine in pfSense. That is pf, hence the name "pf"Sense. Google these terms to learn more: "freebsd pf mac address filtering". I suppose someone could endeavor to patch pf with the necessary code, but it really makes no sense for a Layer 3 device like pfSense because once you leave the local Layer 2 network (usually the LAN), MAC addresses of clients are stripped away and the MAC address of other NICs is added in. MAC addresses are Layer 2-only constructs; they are not part of Layer 3 and higher, where IP addresses live.
Requests for MAC address filtering in the firewall engine have been posted several times in the past, and each time the pfSense developers have said "no, it makes no sense for a Layer 3 device". For Captive Portal, which is really Layer 2, MAC address filtering makes sense. Just not for Layer 3, though.
-
A few ideas.
- Once you have the static mapping, you can give a custom gateway, and you can run that gateway on a schedule. Most devices on the network will connect, but ones with the custom gateway will only work when the gateway is up.
- A Wi-Fi AP with a schedule-controlled radio on and off time, so the radio shuts off during certain times. I used this idea many moons ago before screen time was a problem - and it works great.
-
@bmeeks
Thanks for the info. I appreciate the point you are making. -
@gil said in Locking device to static mapping:
@bmeeks
Thanks for the info. I appreciate the point you are making.
You do still have some options, albeit they require more work on your side.
My idea with VLANs and multiple SSIDs on wireless will work, but you need VLAN-capable switches and wireless APs.
Also, the ideas put forth by @gpfsenser will work.