How to trust a device by MAC address coming from WAN
-
We have some tablets that are cellular based and roam around the country. We know the MAC addresses of these devices and would like to set up an allow list so that SNORT will stop blocking them randomly. I see you can do that by IP, but in our case the IP changes as they roam to new areas. How can we set the pfSense box to trust a MAC address?
-
Are you able to install a dynamic DNS client on them? Then you could trust by hostname. pfSense will update aliases every 5 minutes I think. I don't recall Snort/Suricata but I am pretty sure it's come up before if you look through the IDS subforum.
-
@remember the MAC address you would see on your WAN is only ever going to be the device of the upstream your WAN is connected to..
The DDNS is one way to do it, or you could just let these devices VPN in to pfSense..
-
Pfsense will never see a MAC address for those devices. A MAC address is not passed by routers.
-
Would a MAC address even make it through the VPN? No it wouldn't. There is no way pfsense can see the MAC address of a device that's beyond a router. A dyndns server wouldn't see the MAC address either. A MAC address does not make it off the local link, ever, unless carried as data.
I'm really surprised at you on this one. I thought you knew better.
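The point made in the two posts above (a router strips the Ethernet header and writes a fresh one on every hop, so the tablet's MAC never reaches the pfSense WAN port while the IP header does) can be shown with a small packet model. This is an added example, not code from the thread or from pfSense; every MAC and IP below is a constructed sample value, and the two-hop path (carrier gateway, then ISP router) is an assumed topology.

```python
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs, documentation IPs).
TABLET_MAC = "02:00:00:00:00:01"        # the roaming tablet's own NIC
CELL_GW_IN_MAC = "02:00:00:00:00:02"    # carrier gateway, tablet-facing interface
CELL_GW_OUT_MAC = "02:00:00:00:00:03"   # carrier gateway, upstream interface
ISP_IN_MAC = "02:00:00:00:00:04"        # ISP router, carrier-facing interface
ISP_OUT_MAC = "02:00:00:00:00:05"       # ISP router, interface on the pfSense WAN segment
PFSENSE_WAN_MAC = "02:00:00:00:00:06"
TABLET_IP = "100.64.10.20"              # carrier-assigned, changes as the tablet roams
OFFICE_WAN_IP = "203.0.113.10"          # pfSense WAN address


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum(header):
    """RFC 791 ones'-complement sum over the 20-byte header; 0 means 'verifies'."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, payload=b""):
    """Ethernet II header followed by a minimal IPv4 header (no options, proto=UDP)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    fmt = "!BBHHHBBH4s4s"
    ip = struct.pack(fmt, 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def parse_frame(frame):
    """Split a frame back into its L2 and L3 fields."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    f = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    return {"dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac),
            "ttl": f[5], "src_ip": bytes_to_ip(f[8]), "dst_ip": bytes_to_ip(f[9]),
            "payload": frame[34:]}


def router_forward(frame, egress_mac, next_hop_mac):
    """What every router does: discard the received L2 header, decrement TTL,
    and prepend a new L2 header using its own egress MAC. The original sender's
    MAC is gone after this step; only the IP addresses are carried through."""
    p = parse_frame(frame)
    if p["ttl"] <= 1:
        raise ValueError("TTL exceeded; packet dropped")
    return build_frame(egress_mac, next_hop_mac, p["src_ip"], p["dst_ip"],
                       p["ttl"] - 1, p["payload"])


def tablet_to_pfsense_wan():
    """Frame as sent by the tablet, then what arrives on the pfSense WAN port."""
    on_lan = build_frame(TABLET_MAC, CELL_GW_IN_MAC, TABLET_IP, OFFICE_WAN_IP, payload=b"hello")
    at_isp = router_forward(on_lan, CELL_GW_OUT_MAC, ISP_IN_MAC)
    at_wan = router_forward(at_isp, ISP_OUT_MAC, PFSENSE_WAN_MAC)
    return on_lan, at_wan


def trusted_by_mac(frame, allowed_macs):
    """A MAC-based allow list: only meaningful on the segment the device is on."""
    return parse_frame(frame)["src_mac"] in allowed_macs


if __name__ == "__main__":
    sent, received = tablet_to_pfsense_wan()
    print("tablet sent from MAC :", parse_frame(sent)["src_mac"])
    print("pfSense WAN sees MAC :", parse_frame(received)["src_mac"])
    print("IP src survived      :", parse_frame(received)["src_ip"])
    print("MAC allow list at WAN:", trusted_by_mac(received, {TABLET_MAC}))
```

Run as a script, the last line prints `False`: the allow list would have to contain the ISP router's MAC, which is the same for every remote host and therefore useless as an identity. The same `trusted_by_mac` check returns `True` for the frame before it left the tablet's own segment, which is the LAN-side case where MAC filtering does work.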
-
@remember You have to do this a different way. Apple's iOS devices support IPSEC VPN connections right out of the box. Create an IPSEC VPN server on your pfsense box, turn it on, and connect your mobile devices thru the VPN. Then you can get at internal servers and services on your network. I do this at work with my iphone all the time and it works very well.
If you're having trouble, I'll see if I can dig up some instructions.
EDIT - Here, I quickly skimmed thru this video and it looks like how I set mine up a couple of years ago. Give it a try and see how it works.
https://www.youtube.com/watch?v=TIqcNVsnLqk
-
@jknott said in How to trust a device by MAC address coming from WAN:
I'm really surprised at you on this one.
who said anything about MAC through the VPN?? The point of the VPN is you have authed the client and you know who it is - never said anything about using MAC after the VPN.. Doesn't matter what IP they are coming from - if they auth to the VPN, and should have the cert you issued them as part of the auth as well - you're pretty freaking sure it's your tablet, etc.
That you didn't understand that seems odd..
-
Yeah, sorry about that. After I posted I realized I misread what you said. I know VPNs etc., can be used to authenticate, but I was still thinking about the original request to filter on MAC, which of course will not pass through a VPN. I guess I should have had another beer before I replied.
Still, there are a lot of people who seem to think both IP and MAC addresses reach the destination, including in this forum.
-
@jknott said in How to trust a device by MAC address coming from WAN:
Still, there are a lot of people who seem to think both IP and MAC addresses reach the destination, including in this forum.
Yep! And it makes me wonder about their other network security skills when they lack such basic understanding of how Ethernet IP networks operate.
-
@remember dear sir, please note Suricata or Snort are IDS scanners, so it's better to use this on the LAN side, not on the WAN side, so as not to overload performance.
For MAC trust, use the OVPN client and trust will be assured by binding the MAC on that OVPN ID, or depends as per your need. Thanks