Block by MAC address to LAN
-
Just use regular firewall rules to limit IPs or ranges.
-
@netboy this is so off the rails.. Stop calling it an interface when its a network..
From you link to your thread from 2022 going over your setup you have this
So you have two networks 192.168.0 and 172.16.0 - But have yet to describe how your wireless connects into this, nor is it shown on this drawing anywhere.
But you have stated your users can connect to either? but you only want them using one of these, but you can't change the password because they need access?
If you have resources in network 1 that your users need access to, then create firewall rules on network 2, and only allow them access to what you want them to have access.. They should not be able to connect to network 1 via wifi..
You can control this via setting a reservation for their mac that gets a specific IP.. If they are using random mac they won't have access, user changing mac again won't get access user trying to set a IP won't get access unless they have the correct mac.. You can lock that down with a static arp setup where IP X has to have mac ABC.
Now users have zero need to even know what the psk for your ssid that connects to network 1. You don't need to stop handing out IPs via dhcp, you don't have to do any mac filter..
-
@johnpoz said in Block by MAC address to LAN:
You can control this via setting a reservation for their mac that gets a specific IP
Thank for taking the time to explain things.
Let me answer your questions first:
I have a wifi extender one for 192.168.xxx & one for 172/.16.xxxI am not going to pretend I understand what you are saying.
Let me try to explain what I want accomplished.
Please ignore my heading on the subject "BLock by MAC address to LAN"192.168.xxx is my private lan and all my IoT are in 172.16.xxx. Folks here helped me to have firewall rules such that 192.168.xxx can talk to 172.16.xxx but not the other way around.
I want to "restrict" by mac address who can connect to 192.168.xxx - I have assigned all the mac address with static IP.
What is the simplest way to have white list of IP's that can connect to 192.168.xxx?
For example let us say an IoT (tablet) has been assigned a static IP from 172.16.xxx and this tablet (remember my family has passwords for both wifi 192.168.xxx and 172.16.xxx) must not be able to connecto 192.168.xxx.
Kindly let me know If my explanation makes sense?
Again thank you for taking the time to answer my question.
-
The easiest way I would think is to filter the MAC address(es) in the WiFi access point(s) connected to the 192.168.x.x subnet.
And whitelisting allowed MACs only there prevents random MAC devices.
-
@stephenw10 said in Block by MAC address to LAN:
The easiest way I would think is to filter the MAC address(es) in the WiFi access point(s) connected to the 192.168.x.x subnet.
I have a dedicated switch connected to 192.168.xxx and a wifi extender is connected to this switch.
The switch I am using is tplink TL-SG2210P. Here is the screenshot.
Do I need to "add" the list of mac addresses that are ALLOWED here?
Must I also include the mac address of the wifi extender connected to this switch as well?
OR
,Must I include the mac filtering on the wifi extender (screenshot below):
! -
Right so adding the MAC addresses you want to allow in an allow list in the AP there will do it.
-
Why do you insist on making this so complicated? Just use a different ssid and psk for the one you don't want them to use.. How would they know?
Change the ssid to Thesearenotdrioidsyourlooking or something..
-
I think I get it :
@netboy said in Block by MAC address to LAN:
(remember my family has passwords for both wifi 192.168.xxx and 172.16.xxx) must not be able to connect to 192.168.xxx.
He wants both APs to be used for greater Wifi covarage.
But, when family use the AP that is placed in "192.168.xxx." they could also access other devices in that same network **, like the ones he doesn't want to share with them.If so, a solution :
Set up DHCP static lease(s) for your own device(s).
On the device that you won't your family to have access to : use the firewall on that device so it gives only your own IPs (your PC, your phone, etc) access (and the pfSense gateway), block the rest = your family.
The other, 172.16.xxx network : a pfSense interface rule can handle this.No need for MAC rules now ^^
** : If the AP has AP Isolation : activate that - it will allow them (but also you when connected to that AP) to access only the gateway, not the other, same network, devices.
-
@johnpoz I think I need to explain...
The 192.168.xxx is meant for secure computers to connect to wifi extender.
It is OK for computers to connect to 192.168.xxx but it is "not OK" for other than computers to connect (example tablets and phones).
This is the reason I want mac address filtering to avoid connecting tablets / phones to this SSID. I have to share the SSID/password so that they can connect their computers (static ip for mac) to 192.168.xxx
-
@netboy I only allow eap-tls auth to my "trusted" wifi network. You could issue the certs and install on their PCs - but not on their portable devices.
What is the point of allowing them to connect to both with their PC.. Why would they switch between the 2 in the first place.
But yeah if its just a psk they would be able to use that on any device to connect. But why would they? This is your family right - tell them use ssid B for their tablets/phones and ssid A for their PC. And don't even give them the psk to be honest. You connect the pc to the ssid you want them to connect too.
Sure they know the psk they could use it on any device they want. That is why you use a more strict auth method on a trusted SSID. I find it highly unlikely they would have the know how to export a cert you installed on their PCs and move it to their mobile devices.
