Blocking by MAC address



  • I'm on the latest Beta snapshot.

    Is it possible to block by MAC address?

    Example.

    So I set up my DHCP server with ALL the MAC addresses in the building so it gives an IP to my known machines. I select 'Deny Unknown clients'.

    Fine and dandy…but...

    Anyone bringing in an 'unknown' notebook, after failing to get a DHCP address, can switch to static, put in a hopefully unused IP address, GW & DNS, and get a connection.

    So how do I block 'unknown' MAC addresses from getting anywhere? Or, for that matter, block an IP that hasn't been assigned by the DHCP server? This way sounds more complicated, as you would have to have pfSense look at the issued DHCP IP addresses.

    Perhaps I've missed this, but any clues to solving this would be appreciated.
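    The second idea in the post above (have the firewall compare what is actually on the wire with what the DHCP server handed out) can at least be turned into a detection check. The script below is an added example, not code from the original thread or from the pfSense project: it parses the FreeBSD-style `arp -an` output that pfSense produces (format assumed), compares every LAN neighbour against a constructed table of DHCP static mappings and a constructed list of active leases, and reports hosts with an unknown MAC or hosts using an address the DHCP server never leased (the "switched to static" case). It only reports; enforcement still has to come from static ARP, the captive portal, or a firewall rule, and it cannot catch a host that has copied a known MAC.

```python
import re
from dataclasses import dataclass

# One line of FreeBSD/pfSense `arp -an` output, e.g.
#   ? (192.168.1.20) at 00:11:22:33:44:55 on em1 expires in 1180 seconds [ethernet]
# The exact format is an assumption about the platform's arp(8) output.
ARP_LINE = re.compile(
    r"\? \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample data: DHCP static mappings (MAC -> reserved IP),
# i.e. the "known machines" from the DHCP server page.
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": "192.168.1.20",
    "00:11:22:33:44:66": "192.168.1.21",
}

# Constructed sample data: leases the DHCP server currently considers active (IP -> MAC).
ACTIVE_LEASES = {
    "192.168.1.20": "00:11:22:33:44:55",
}

# Constructed sample `arp -an` output for the LAN interface (hypothetical values).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:aa:bb:cc:dd:ee on em1 permanent [ethernet]
? (192.168.1.20) at 00:11:22:33:44:55 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.21) at 00:11:22:33:44:66 on em1 expires in 900 seconds [ethernet]
? (192.168.1.200) at de:ad:be:ef:00:01 on em1 expires in 600 seconds [ethernet]
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_arp(text):
    """Return (ip, mac, iface) tuples for every ARP line that matches the expected format."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("iface")))
    return entries


def audit(arp_text, static_mappings, active_leases, firewall_mac, iface="em1"):
    """Flag LAN neighbours that are not known to the DHCP server or hold an unleased IP."""
    findings = []
    for ip, mac, seen_iface in parse_arp(arp_text):
        if seen_iface != iface or mac == firewall_mac.lower():
            continue  # other interfaces and the firewall's own entry are out of scope
        if mac not in static_mappings:
            findings.append(Finding(ip, mac, "unknown MAC (not in DHCP static mappings)"))
            continue
        if active_leases.get(ip) != mac:
            # A known MAC is on the wire but the DHCP server never leased this IP to it:
            # either the host configured itself statically or it moved off its reservation.
            if static_mappings[mac] == ip:
                reason = "known MAC using its reserved IP without an active lease"
            else:
                reason = "known MAC on an IP that differs from its reservation"
            findings.append(Finding(ip, mac, reason))
    return findings


if __name__ == "__main__":
    # Firewall LAN MAC is constructed to match the 'permanent' entry in SAMPLE_ARP.
    for f in audit(SAMPLE_ARP, STATIC_MAPPINGS, ACTIVE_LEASES, "00:aa:bb:cc:dd:ee"):
        print(f"{f.ip:<16} {f.mac}  {f.reason}")
```

    Run on a real box, `SAMPLE_ARP` would be replaced by the output of `arp -an` and the two tables by the DHCP server's static mappings and lease list; the check is worth scheduling so that a host that appears with a static address shows up as an alert rather than going unnoticed.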



  • I guess you have to check "enable static arp" in the DHCP server page.



  • Hi,

    I don't know of a way to prevent someone from entering a static IP and then joining the network using only the options offered in the DHCP tab.

    You could try captive portal: enter all MAC addresses you want in "MAC passthrough". Any other hosts/MAC addresses will be forwarded to the captive portal page. As far as I know this is the only "MAC filter option".



  • Enable Static ARP entries
      Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

    This should do it, or am I wrong?



  • You could use a captive portal to allow certain MAC addresses. This still doesn't solve the security issue you're worried about though. If someone is able to gain physical access to your network they can sniff traffic and use a MAC address that does have access. I'm not sure what kind of infrastructure you have, but in a business setting you'd typically restrict physical access to the network hardware and use some type of port security. If you're not worried about someone spoofing MACs then the captive portal could work.



  • You can assign IPs by MAC address and, in the DHCP server, only allow an available range of 1 IP address, and block this IP with a firewall rule. That's the way I manage IPs by MAC address.

