MAC Address Blacklist?



  • Is there a way to blacklist MAC addresses so that traffic from specific MACs would not be passed. I would prefer this to work on the firewall level, but if that is not possible I would settle for a solution that worked on the DHCP level.

    The only thing I could find was an option to use a DHCP whitelist, but this will not work in my environment. I searched the forum and could not find a solution.

    Thanks in advance!



  • Two things to keep in mind

    • Default deny is always much more secure than a default allow and then blocking the things you think to be bad

    • It is trivial to change the MAC address of a computer



  • I know that setting the default behavior to deny is of course the most secure, but in my situation this is on a public network. So that is not an option for me. I am also aware that MAC addresses can be changed, but do you know a better alternative if you need to block a specific machine? Most end users are not even going to know what a MAC address is.

    I guess one could set up a DHCP reservation for the machine to be blocked and then block that IP in the firewall. But that seems very "clunky" to me.

    Does anyone have any ideas?



  • There is a firewall included in pfSense that can block at the MAC address level (used for the captive portal), but there is not currently any interface exposed in the web GUI to make use of it in this way. It is definitely possible to do this without any additional software programs needed in the base system; someone just needs to code an interface for configuring that part of the firewall. Same thing with blocking association by MAC on a wireless access point configured in pfSense; it just needs an interface for configuring it.



  • I guess that for now I could just do this from the command line. Is this correct? I guess I need to read up on pf.



  • Sounds like pfSense needs a new package… :)



  • The firewall program I was referring to is ipfw, not pf. It is the one used for the captive portal.



  • Is there a command that could be run from the execute command in the web GUI that would allow one to set up rules to disallow a MAC address? Also to delete or see what is set up.
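    The ipfw-based MAC blocking mentioned above, as an added example that is not part of this thread or of pfSense itself: a small POSIX sh script that turns a blacklist of MAC addresses into ipfw layer-2 deny rules. The interface name, starting rule number and sample blacklist are assumptions; applying the rules needs root and ipfw layer-2 filtering enabled (sysctl net.link.ether.ipfw=1), and pfSense regenerates its captive-portal ipfw ruleset itself, so hand-added rules should be treated as temporary.

```shell
#!/bin/sh
# Added example: generate ipfw layer-2 rules that drop frames from
# blacklisted source MACs. Nothing here runs ipfw; review the output
# first, then pipe it to sh as root if it is what you want.

# Validate one MAC (six colon-separated hex pairs) and normalise to lowercase.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac"; return 0 ;;
        *)
            return 1 ;;
    esac
}

# Read MACs from stdin (one per line, '#' comments allowed) and print one
# "ipfw add" command per valid entry, numbering rules upward from $2.
# "MAC any <src>" matches any destination MAC and exactly this source MAC;
# "layer2" restricts the rule to Ethernet frames, which is where a MAC
# block has to happen. Invalid lines are reported on stderr and skipped.
mac_deny_rules() {
    iface=$1; rule=$2
    while IFS= read -r line; do
        line=${line%%#*}                                  # strip trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # strip whitespace
        if [ -z "$line" ]; then continue; fi
        if mac=$(normalize_mac "$line"); then
            printf 'ipfw add %d deny MAC any %s in via %s layer2\n' "$rule" "$mac" "$iface"
            rule=$((rule + 1))
        else
            printf 'skipping invalid MAC: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample blacklist (placeholder MACs, placeholder interface em0).
# With a real file:  mac_deny_rules em0 100 < blacklist.txt
printf '00:11:22:33:44:55  # lobby kiosk\nAA-BB-CC-DD-EE-FF\n' | mac_deny_rules em0 100
```

To see what is currently loaded or to remove the rules again, `ipfw list` and `ipfw delete <rule number>` are the matching ipfw commands.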



  • I guess one could set up a DHCP reservation for the machine to be blocked and then block that IP in the firewall. But that seems very "clunky" to me.

    I don't see anything "clunky" about this… I use it on my kids all the time. You can always try it and see if the problem goes away or morphs to a different MAC...



  • Is this to stop the machines from being on the network period, or accessing the internet? If accessing the internet, captive portal offers a lot of options; look up vouchers. If from accessing the network, then I can only suggest a rotating wireless key (weekly/monthly) that is posted on some sort of trusted intranet/bulletin board to be given out from an employee to customer. If they have access to an ethernet jack and are determined, Google will get them in.

    @hankjrfan00:

    Is there a way to blacklist MAC addresses so that traffic from specific MACs would not be passed. I would prefer this to work on the firewall level, but if that is not possible I would settle for a solution that worked on the DHCP level.

    The only thing I could find was an option to use a DHCP whitelist, but this will not work in my environment. I searched the forum and could not find a solution.

    Thanks in advance!

