Firewall - Blocking MAC address ranges

  • Hi All:
    I'm new to PFSENSE.
    I need to block ranges of MAC addresses to restrict devices by manufacturer.
    I figured that would be the simplest way for preventing iPhones and other cellphones from swamping the network.

    I read in the forums that you can block an individual MAC address in pfSense, and I can find that in the web interface for pfSense.

    Is it possible to block MACs by ranges, e.g. 00-1B-CB-??-??-??? I don't seem to be able to locate anything on that.

    Thanks for your input.

  • This is not possible.
    I think you misunderstand what a MAC address is.
    MAC addresses are only "visible" within a broadcast domain (not even that if a bridge is in between).
    You cannot "firewall" MAC addresses.

    What you can do is: write a static ARP-table.
    With this you don't "block ranges". You block everything.
    You then have to add all the MAC addresses you want to allow to communicate with the pfSense.

  • If you are trying to block devices from accessing the router on the local side of your network (for example, to a wireless connection), it is actually possible to block them, but not with the options currently exposed in the pfSense web GUI.  Wireless connections could prevent certain MAC addresses from connecting and ipfw can firewall things by MAC address, as far as I know.  Of course, the latter only prevents communication with the router, not communication with other computers on the network.  Both of these options could possibly be included at some time, if someone decides to implement them.

  • As I understand it, an IP address is assigned to a MAC address when a DHCP broadcast request goes out. Since MAC addresses are composed of a "vendor code", it follows that the individual interface addresses of devices like iPhones can be identified by their vendor code.

    What I was hoping for was a method of either:
    1. blocking the assignment of addresses based on certain vendor codes, or
    2. blocking internet access to MAC addresses with certain vendor prefixes, or
    3. having MAC addresses assigned to IP ranges by vendor code, then blocking internet access for IPs in those ranges.

    That way I could prevent iPhones and other cell phones from accessing the wireless network and saturating the hotspot.

    I understand this may not be possible with the pfSense software, but I was just asking if there is any way to actually do it.

  • I don't know offhand if pfSense can do this (certainly there's not a way in the GUI), but recent versions of the ISC DHCP server can.

    Here's an example of something similar (assigning different IP ranges based on whether the requesting device is a Polycom phone or not):

    class "polycom" {
      # 'hardware' is 7 bytes: type (1 = Ethernet) + 6 MAC bytes; rendered as
      # "1:0:4:f2:xx:yy:zz", so offset 2, length 6 yields the OUI "0:4:f2"
      match if substring (binary-to-ascii (16, 8, ":", hardware), 2, 6) = "0:4:f2";
    }
    shared-network internal {
      # subnet and ranges are placeholders (RFC 5737 documentation addresses);
      # the original post left them out
      subnet 192.0.2.0 netmask 255.255.255.0 {
        # Polycom Phones
        pool {
          range 192.0.2.10 192.0.2.99;
          allow members of "polycom";
        }
        # Everyone else
        pool {
          range 192.0.2.100 192.0.2.200;
          deny members of "polycom";
        }
      }
    }
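    The class match in the post above works because dhcpd's binary-to-ascii() prints each byte without zero padding, so the Polycom OUI 00:04:f2 renders as the six characters "0:4:f2". That makes a fixed substring length fragile: the OUI from the original question, 00:1B:CB, renders as "0:1b:cb" (seven characters), so copying the expression with only the literal changed would never match. The following Python is an added example, not code from the post or from ISC dhcpd; it simulates the dhcpd expression, shows that pitfall, and compares it with a byte-wise OUI check. The MAC addresses in it are constructed sample values.

```python
"""Simulate ISC dhcpd's class-match expression on the 'hardware' data item
and compare it with a direct comparison of the 24-bit OUI.

Added example for this thread; not the forum post's or dhcpd's own code.
The MAC addresses used below are constructed sample values.
"""


def hardware_field(mac: str) -> bytes:
    """Build dhcpd's 'hardware' data item: one hardware-type byte
    (1 = Ethernet) followed by the six address bytes."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\x01" + octets


def binary_to_ascii_hex(sep: str, data: bytes) -> str:
    """dhcpd's binary-to-ascii(16, 8, sep, data): every byte is rendered
    in hex WITHOUT zero padding, so 0x00 -> '0' and 0x1b -> '1b'."""
    return sep.join(format(b, "x") for b in data)


def dhcpd_substring(value: str, offset: int, length: int) -> str:
    """dhcpd's substring(value, offset, length) on a text value."""
    return value[offset:offset + length]


def rendered_prefix(mac: str) -> str:
    """What substring(binary-to-ascii(16, 8, ":", hardware), 2, 6) yields."""
    return dhcpd_substring(binary_to_ascii_hex(":", hardware_field(mac)), 2, 6)


def matches_like_dhcpd(mac: str, literal: str = "0:4:f2") -> bool:
    """The post's expression, as dhcpd evaluates it: a fixed six-character
    slice compared against a text literal."""
    return rendered_prefix(mac) == literal


def oui(mac: str) -> bytes:
    """The 24-bit vendor prefix (OUI) of a MAC address, as raw bytes.
    Equivalent to dhcpd's substring(hardware, 1, 3) on the raw data item."""
    return hardware_field(mac)[1:4]


def matches_oui(mac: str, vendor_oui: str) -> bool:
    """Robust classification: compare OUI bytes, independent of how many
    hex digits each byte needs when rendered as text."""
    wanted = bytes.fromhex(vendor_oui.replace(":", "").replace("-", ""))
    return oui(mac) == wanted


def pool_for(mac: str, vendor_oui: str) -> str:
    """Which of the two pools from the post a client would land in."""
    return "vendor" if matches_oui(mac, vendor_oui) else "everyone-else"


if __name__ == "__main__":
    polycom = "00:04:f2:12:34:56"   # constructed; Polycom OUI from the post
    other = "00-1B-CB-12-34-56"     # constructed; OUI from the question
    print(rendered_prefix(polycom), matches_like_dhcpd(polycom))  # 0:4:f2 True
    print(rendered_prefix(other), matches_like_dhcpd(other, "0:1b:cb"))  # 0:1b:c False
    print(pool_for(other, "00-1B-CB"))  # vendor
```

When writing the real dhcpd.conf, comparing the raw bytes with `match if substring(hardware, 1, 3) = 00:1b:cb;` avoids the text-rendering issue entirely. Either form classifies only by the address a client presents; a client that randomizes or overrides its MAC will simply fall into the "everyone else" pool, so this is a traffic-shaping convenience rather than an access control.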

  • I think what you're looking for is more likely to be found in a layer 2 device, like a switch or wireless access point. Certainly the latter commonly support MAC ACLs, although I don't think I've seen one that supports wildcard entries. I'm not really familiar with port authentication schemes, but wouldn't something like that handle what you're trying to do?

    Otherwise, static ARP tables will do what you want, but require whitelisting, so if you're talking about a public hotspot then that will not work. Finally, pfSense's firewall rules can filter TCP by OS, but it doesn't include anything that looks specific to smartphones, such as "android", "iOS", "symbian" or "maemo". The options are much more predictable, including Windows, Mac, and Linux.

  • While keeping on topic in a way, is there a way to "auto" block DHCP addresses that are not statically assigned by the DHCP server? Or conversely, "auto" allow DHCP addresses that have been assigned?

    For example:
    LAN = DHCP Server statically assigns IP by MAC. All foreign MAC are assigned IP from the DHCP range and forced to go through the captive portal on the WAN.
    DMZ = servers/etc…

    I would like to have a rule on the source tab that allows all DHCP-assigned IPs on the LAN side to pass through to the DMZ; everyone else (which would not be statically assigned an IP by MAC) would be denied access to the DMZ.

    If this deserves a separate topic I can start one, but I figured it is in a way related to the OP.