Netgate Discussion Forum

    MAC Address Spoofing

    General pfSense Questions
    • stephenw10 (Netgate Administrator)

      If you run a pcap on the NIC you will see the PPPoE encapsulated traffic like:

      16:21:10.098291 00:0d:b4:0c:ae:d6 > 20:e0:9c:df:c3:7b, ethertype PPPoE S (0x8864), length 51: PPPoE  [ses 0xb19] IP (0x0021), length 31: (tos 0x0, ttl 64, id 22510, offset 0, flags [none], proto ICMP (1), length 29)
          146.x.x.x > 8.8.8.8: ICMP echo request, id 48664, seq 54376, length 9
      16:21:10.104389 20:e0:9c:df:c3:7b > 00:0d:b4:0c:ae:d6, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0xb19] IP (0x0021), length 31: (tos 0x60, ttl 118, id 0, offset 0, flags [none], proto ICMP (1), length 29)
          8.8.8.8 > 146.x.x.x: ICMP echo reply, id 48664, seq 54376, length 9
      

      The MAC is required for layer 2 to work. Your ISP could see it if they cared.

      You can leave the assigned parent interface set as IPv4 NIC type 'none'. Or, if you assign it an IP in the same subnet as the modem you can use that to access the modem if needed.

      Steve

      • JollyCloudyCheergoose @stephenw10

        @stephenw10 To run the pcap on the NIC, you are using Wireshark?

        Also if I go under:
        Interfaces → Assignments → Interface Assignments
        It lists the MAC address of all interfaces, but my spoof isn't there, while it does appear in the text box when editing that individual interface.

        • stephenw10 (Netgate Administrator)

          I used the pfSense webgui for that in Diag > Packet Capture.

          You should see the spoofed MAC address in Status > Interfaces if it has been applied. You can also see it in the output of ifconfig like:

          [2.7.0-DEVELOPMENT][admin@cedev.stevew.lan]/root: ifconfig em0
          em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          	description: webserver
          	options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
          	ether 00:11:22:33:44:55
          	hwaddr d2:43:8f:91:74:e7
          	inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
          	inet 172.25.10.1 netmask 0xffffff00 broadcast 172.25.10.255
          	media: Ethernet autoselect (1000baseT <full-duplex>)
          	status: active
          	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          

          Steve
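
The check described in the post above, as an added example that is not part of the original thread: a small shell helper that reads `ifconfig` output in the format shown and reports whether the configured MAC is the active `ether` address. The function names `mac_field` and `check_spoof` are hypothetical, the sample input is constructed from the output in the post, and treating a missing `hwaddr` line as "not overridden" is an assumption.

```shell
#!/bin/sh
# Added example: verify that a spoofed MAC is active on an interface by
# comparing the "ether" (active) and "hwaddr" (hardware) lines of ifconfig.

# Constructed sample input, trimmed from the ifconfig output in the thread.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    hwaddr d2:43:8f:91:74:e7
    status: active'

# mac_field FIELD IFCONFIG_OUTPUT
# Prints the lower-cased value of the first "ether" or "hwaddr" line.
mac_field() {
    printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print tolower($2); exit }'
}

# check_spoof EXPECTED_MAC IFCONFIG_OUTPUT
# Prints one of: applied | not-applied | wrong-mac | no-ether
check_spoof() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    ether=$(mac_field ether "$2")
    hw=$(mac_field hwaddr "$2")
    if [ -z "$ether" ]; then
        echo no-ether        # no link-layer address found in the input
    elif [ "$ether" = "$want" ]; then
        echo applied         # active address is the configured spoof
    elif [ -z "$hw" ] || [ "$ether" = "$hw" ]; then
        # Assumption: no hwaddr line means the hardware address is in use.
        echo not-applied
    else
        echo wrong-mac       # overridden, but not with the expected value
    fi
}

# Demo on the constructed sample. On the firewall shell, use live output:
#   check_spoof 00:11:22:33:44:55 "$(ifconfig em0)"
check_spoof 00:11:22:33:44:55 "$SAMPLE_IFCONFIG"
```

A result of `applied` only confirms the interface state; the packet capture discussed in this thread shows what source MAC actually appears in the PPPoE frames.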

          • JollyCloudyCheergoose @stephenw10

            @stephenw10 Okay, on ifconfig it is showing up. And now it's showing up in the Interface Assignments as well. So you helped me and fixed the problem! Thank you so much.

            Under Diagnostic -> Packet Capture, it doesn't show me any MACs tho, just IP addresses

            • stephenw10 (Netgate Administrator)

              You have to set the Level of Detail higher to see MACs displayed. Note that doesn't change what is actually captured, only what the pfSense GUI shows you.

              Steve
