Block Random MAC addresses no longer possible | 24.11
-
Re: How to block randomized MAC addresses?
This method used to work for blocking randomly generated MAC addresses from being able to obtain a DHCP lease. No longer works on 24.11.
This does still work on Community 2.7.2
-
@neuf_16 which of the discussed methods are you trying to implement?
Are you using the 'MAC Deny' feature and if yes which DHCP server is pfSense+ set to use, ISC DHCP or KEA?
-
Using ISC. This method:
"Go to Services --> DHCP Server
Scroll down to MAC Deny.
Paste this in:
A2,B2,C2,D2,E2,F2,12,22,32,42,52,62,72,82,92,02,A6,B6,C6,D6,E6,F6,16,26,36,46,56,66,76,86,96,06,AA,BA,CA,DA,EA,FA,1A,2A,3A,4A,5A,6A,7A,8A,9A,0A,AE,BE,CE,DE,EE,FE,1E,2E,3E,4E,5E,6E,7E,8E,9E,0E
Nothing with one of these privatized MAC addresses will get a DHCP address."
-
@neuf_16 mmh, that did work for me on 24.11 for blocking one of my clients by adding 'a2,b2,c2,d2,bc' (bc being the start of the client's MAC).
Do you see clients with a MAC in the deny list being given leases on the interface?
-
@patient0 Yes. Specifically, it was a MAC with 6A in the first octet.
-
@neuf_16 I set the deny list to the list you posted and spoofed the MAC of a Linux client to start with '6A'. It didn't get a DHCP lease.
If I do set a static mapping then it gets the assigned IP, no matter if the 6A was in the deny list.
Checking the pfSense logs I see DHCP requests from that MAC and I do see them getting denied (if no static mapping exists).
What do you see in Status / System Logs / DHCP for that client?
-
@patient0 yeah I would assume that a static mapping would override any deny, same goes if there is an existing lease already I would think.
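
The 64 values in the MAC Deny list quoted in this thread are every first octet with the locally administered bit (0x02) set and the multicast bit (0x01) clear, which is the range randomized (private) MAC addresses fall in. As an added example that is not part of the original thread, this Python code regenerates that set, checks the pasted list against it for missing or extra entries, and reports which deny entry would match a given client MAC; it assumes deny entries are compared as case-insensitive prefixes of the MAC, and the sample MACs are constructed.

```python
import re

# Deny list exactly as quoted in the thread (MAC Deny field).
POSTED_LIST = (
    "A2,B2,C2,D2,E2,F2,12,22,32,42,52,62,72,82,92,02,"
    "A6,B6,C6,D6,E6,F6,16,26,36,46,56,66,76,86,96,06,"
    "AA,BA,CA,DA,EA,FA,1A,2A,3A,4A,5A,6A,7A,8A,9A,0A,"
    "AE,BE,CE,DE,EE,FE,1E,2E,3E,4E,5E,6E,7E,8E,9E,0E"
)

def _hex_only(value):
    """Drop ':', '-' and '.' separators and upper-case the hex digits."""
    return re.sub(r"[:.\-]", "", value.strip()).upper()

def local_unicast_octets():
    """First octets with bit 0x02 set (locally administered) and 0x01 clear (unicast)."""
    return {f"{o:02X}" for o in range(256) if o & 0x03 == 0x02}

def parse_deny_list(text):
    """Split a comma-separated MAC Deny value into normalized prefixes."""
    return {_hex_only(p) for p in text.split(",") if p.strip()}

def normalize_mac(mac):
    """Return the 12 hex digits of a MAC, or raise ValueError if malformed."""
    digits = _hex_only(mac)
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def matching_entry(mac, prefixes):
    """Return the longest deny entry that prefixes the MAC, or None.
    Assumption: entries are compared as case-insensitive prefixes."""
    digits = normalize_mac(mac)
    hits = [p for p in prefixes if digits.startswith(p)]
    return max(hits, key=len) if hits else None

if __name__ == "__main__":
    posted = parse_deny_list(POSTED_LIST)
    expected = local_unicast_octets()
    print("entries:", len(posted), "missing:", sorted(expected - posted),
          "extra:", sorted(posted - expected))
    # Constructed sample MACs, not taken from the thread.
    for mac in ("6a:11:22:33:44:55", "bc:24:11:00:00:01", "02-00-5E-10-20-30"):
        print(mac, "->", matching_entry(mac, posted) or "no match")
```

Running the same check against the MAC reported in Status / System Logs / DHCP shows whether a lease was handed to an address the list should have covered.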