Netgate Discussion Forum

    Blocking by MAC address

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    6 Posts, 5 Posters, 5.3k Views
    • sun-sense

      I'm on the latest Beta snapshot.

      Is it possible to block by MAC address?

      Example.

      So I set up my DHCP server with ALL the MAC addresses in the building so it gives an IP to my known machines. I select 'Deny Unknown clients'.

      Fine and dandy... but...

      Anyone bringing in an 'unknown' notebook, after failing to get a DHCP address, can switch to static, put in a (hopefully) unused IP address, GW & DNS, and get a connection.

      So how do I block 'unknown' MAC addresses from getting anywhere? Or, for that matter, block an IP that hasn't been assigned by the DHCP server? This way sounds more complicated, as you would have to have pfSense look at the issued DHCP IP addresses.

      Perhaps I've missed this, but any clues to solving this would be appreciated.

      m1n1wall - ALIX.2D3 System Board with 500 MHz AMD Geode LX800 CPU 3 10/100 Ethernet ports (VIA VT6105M 10/100)
      1 miniPCI slot for future expansion (VPN Acceleration, wireless, etc.) 2 USB ports 256 MB DDR DRAM

      • beppo

        I guess you have to check "enable static arp" in the DHCP server page.

        • Nachtfalke

          Hi,

          I don't know of a way to prevent someone from entering a static IP and then joining the network using only the options offered in the DHCP tab.

          You could try captive portal: enter all the MAC addresses you want in "MAC passthrough". Any other hosts/MAC addresses will be forwarded to the captive portal page. As far as I know this is the only "MAC filter option".

          • beppo

            Enable Static ARP entries
              Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

            This should do it, or am I wrong?

            • kextyn

              You could use a captive portal to allow certain MAC addresses. This still doesn't solve the security issue you're worried about though. If someone is able to gain physical access to your network they can sniff traffic and use a MAC address that does have access. I'm not sure what kind of infrastructure you have, but in a business setting you'd typically restrict physical access to the network hardware and use some type of port security. If you're not worried about someone spoofing MACs then the captive portal could work.

              • trunglam
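The thread's open problem is spotting a host that set its own IP (or reused a known MAC on a different address) once "Deny unknown clients" has done all it can. The following audit script is an added example, not pfSense's own code or anything posted in the thread: it parses FreeBSD-style `arp -a` output, compares each entry against the static DHCP mappings, and flags unknown MACs and known MACs seen on the wrong IP. Both the mapping table and the ARP output are constructed sample data.

```python
# Added example (not from the thread): compare the hosts seen in the ARP table
# against the static DHCP mappings ("known machines") and report mismatches.
# All sample data below is constructed for illustration.
import re

# Constructed: the static DHCP mappings, MAC -> assigned IP
KNOWN_HOSTS = {
    "00:0d:b9:12:34:56": "192.168.1.10",
    "00:0d:b9:ab:cd:ef": "192.168.1.11",
    "00:1b:21:aa:bb:cc": "192.168.1.12",
}

# Constructed sample of `arp -a` output as printed on a FreeBSD/pfSense host
ARP_OUTPUT = """\
? (192.168.1.10) at 00:0d:b9:12:34:56 on vr0 expires in 1120 seconds [ethernet]
? (192.168.1.11) at 00:0d:b9:ab:cd:ef on vr0 expires in 900 seconds [ethernet]
? (192.168.1.50) at 00:26:b9:99:88:77 on vr0 expires in 1175 seconds [ethernet]
? (192.168.1.12) at 00:1b:21:aa:bb:cc on vr0 permanent [ethernet]
? (192.168.1.200) at 00:0d:b9:ab:cd:ef on vr0 expires in 600 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)")


def parse_arp(text):
    """Return (ip, mac, iface) tuples parsed from `arp -a` style output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return entries


def audit(entries, known):
    """Classify each ARP entry as 'ok', 'unknown_mac' (a host the DHCP server never
    heard of, typically a hand-set static IP) or 'ip_mismatch' (a known MAC on an
    address other than its mapping: a hand-set address or a reused/spoofed MAC)."""
    findings = []
    for ip, mac, iface in entries:
        if mac not in known:
            findings.append((ip, mac, iface, "unknown_mac"))
        elif known[mac] != ip:
            findings.append((ip, mac, iface, "ip_mismatch"))
        else:
            findings.append((ip, mac, iface, "ok"))
    return findings


def problems(text=ARP_OUTPUT, known=KNOWN_HOSTS):
    """Only the entries that need attention, as (ip, mac, reason) tuples."""
    return [(ip, mac, why) for ip, mac, _if, why in audit(parse_arp(text), known) if why != "ok"]


if __name__ == "__main__":
    for ip, mac, why in problems():
        print(f"{why:12s} {ip:16s} {mac}")
```

On a real box you would feed `problems()` the live output of `arp -a` and the MAC list exported from the DHCP static mappings; as kextyn notes above, a cloned MAC on the right IP will still pass this check, which is why port security on the switch is the stronger control.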

                You can assign IPs by MAC address and, in the DHCP server, only allow an available range of 1 IP address, then block this IP with a firewall rule. That's the way I manage IPs by MAC address.
