[solved] issues with mac filtering

  • I am running into a bit of a headache while trying to circumnavigate the institutional wifi that I must now use.

    It makes you register a MAC Address for the device you want to connect, and will capture all traffic that doesn't come from a registered MAC.

    I'm trying to have a pfsense box join and create a network of a few systems so I can do some R&D work.

    Here's where I run into issues: I am able to join the network initially and reach the page to register devices (it is local).  I can register the MAC of pfSense and when I renew DHCP I leave the captive pool and join the actual network.  Using my laptop I cannot, however, ping anything outside the network pfSense is on (e.g., I can ping the gateway listed in pfSense but nothing higher).  It can resolve DNS (which I think is also local) but all the pings time out.  I can ping anything on pfSense.

    I think it's an issue with NAT or the MAC filtering they use.  pfSense is not spoofing a MAC, and NAT is set to automatic rule generation.

    Thanks for any help.

  • What's in the firewall log of pfSense? Something relating to your ping attempts?

    If you start up a ping and run a concurrent packet trace on the pfSense WAN interface, do you see an outgoing ping and an incoming response?

    Do you know that all your ping targets respond to pings?

  • Thanks for the reply,

    The firewall log is showing a lot of entries, but I don't think any of them are for my ping attempts.  I've attached a screenshot.

    As for packets, when I capture packets, I can see the pings go out, but I do not see the reply.

    I've been using Google as a ping target; I can reach it from pfSense and from my laptop when I directly join the network.
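The diagnostic step suggested above (ping from a LAN client while capturing ICMP on the pfSense WAN interface, then check whether each echo request gets a reply) can be automated over the text that `tcpdump -n icmp` prints. The script below is an added example and is not code from the thread or from pfSense; the capture lines, the LAN client address 10.0.0.5, the pfSense WAN address 172.16.1.23 and the ping target 8.8.8.8 are all constructed for illustration. Besides listing unanswered requests it also separates two failure modes: requests that left the WAN interface still carrying the LAN source address (outbound NAT did not rewrite them, so an upstream MAC/IP-based filter would never see the registered address), and requests that left with the WAN address and were dropped somewhere upstream of pfSense.

```python
"""Correlate ICMP echo requests with replies in tcpdump text output.

Added example for the capture-on-WAN diagnostic in the thread; not code
from the original post or from pfSense.  The capture below is constructed:
10.0.0.5 is the assumed LAN client, 172.16.1.23 the assumed pfSense WAN
address, 8.8.8.8 the assumed ping target.
"""
import re
from collections import OrderedDict

# Matches the "tcpdump -n icmp" line format for echo request/reply packets.
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture taken "on the WAN interface".
SAMPLE_CAPTURE = """\
12:00:01.000123 IP 172.16.1.23 > 8.8.8.8: ICMP echo request, id 4321, seq 1, length 64
12:00:01.014500 IP 8.8.8.8 > 172.16.1.23: ICMP echo reply, id 4321, seq 1, length 64
12:00:02.000200 IP 172.16.1.23 > 8.8.8.8: ICMP echo request, id 4321, seq 2, length 64
12:00:03.000300 IP 10.0.0.5 > 8.8.8.8: ICMP echo request, id 777, seq 1, length 64
12:00:04.000400 IP 10.0.0.5 > 8.8.8.8: ICMP echo request, id 777, seq 2, length 64
12:00:05.000500 IP 172.16.1.23 > 172.16.1.1: ICMP echo request, id 4321, seq 3, length 64
12:00:05.001000 IP 172.16.1.1 > 172.16.1.23: ICMP echo reply, id 4321, seq 3, length 64
"""


def parse_echoes(text):
    """Yield one dict per ICMP echo request/reply line; other traffic is skipped."""
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            yield pkt


def correlate(text):
    """Return (answered, unanswered): lists of (src, dst, id, seq) request keys.

    A reply matches a request when its addresses are swapped and the ICMP
    id and sequence number are identical.
    """
    pending = OrderedDict()
    answered = []
    for pkt in parse_echoes(text):
        if pkt["kind"] == "request":
            pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt["ts"]
        else:
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if key in pending:
                del pending[key]
                answered.append(key)
    return answered, list(pending)


def diagnose(text, wan_ip):
    """Classify unanswered requests seen on the WAN capture.

    not_natted:       source is a LAN address, so outbound NAT did not
                      rewrite the packet before it left the WAN interface.
    dropped_upstream: source is the WAN address and no reply came back,
                      so the loss is upstream of pfSense.
    """
    answered, unanswered = correlate(text)
    return {
        "answered": len(answered),
        "not_natted": [k for k in unanswered if k[0] != wan_ip],
        "dropped_upstream": [k for k in unanswered if k[0] == wan_ip],
    }


if __name__ == "__main__":
    # Real use: tcpdump -n -i <wan_if> icmp > wan.txt; diagnose(open("wan.txt").read(), wan_ip)
    print(diagnose(SAMPLE_CAPTURE, "172.16.1.23"))
```

On the constructed capture two requests are answered (seq 1 to 8.8.8.8 and seq 3 to the gateway), the two id-777 requests from 10.0.0.5 are reported as not NATed, and seq 2 from the WAN address is reported as dropped upstream. In the situation described in the thread the interesting question is which of those two buckets the unanswered pings fall into.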

  • @akester:

    As for packets, When I capture packets, I can see the pings go out, but I do not see the reply.

    If you see the pings go out the pfSense WAN interface and nothing comes back you probably need to get help from the people who manage the institutional WiFi you are attempting to use.

  • Try to ping a public IP address like from the pfSense webGUI and make sure that pfSense has access to the internet or to the network on the WAN interface.

  • I'm able to ping from pfSense, not from my computer behind pfSense.

  • Did you add a firewall rule on the LAN side where your PC is connected with allow "any to any" on top of all other rules?

    Can you ping the WAN IP of pfSense from your client?

  • I haven't edited the firewall, so the default LAN -> Any is still there.

    I can ping the WAN address of pfSense and the gateway listed in pfSense.

  • Strange. If you can ping www.google.de and from the pfSense webGUI, then there is a connection.
    If your pfSense is doing NAT - which it does in general - then there should be no problem connecting more clients.

    Can you take screenshots of:

    • General Setup
    • Gateways
    • Firewall
    • WAN interface
    • DHCP Server options for the clients behind pfsense

  • I'm stumped too, that's why I posted.

    I'm running 1.2.3, so I don't have the Gateways tab.

    For some reason it's not allowing me to attach all my screenshots.

    I'll attach General Setup and WAN.

    As for the rest of WAN: Bogon Networks and Private Networks are not blocked.

    Firewall: There are no WAN rules (could the portal need a port forwarded for something?). The only LAN rule is the default LAN -> Any.

    DHCP Server:  All the options are blank except for Range (

    Also, my NAT setup: no Port Forward or 1:1 rules; Outbound rules are set to automatic.

    Let me know if you need anything else. I'll let you know if I fudge it into working too (I'm messing with it too).


  • Hi,

    in general this looks OK.

    1.) Try to uncheck "Allow DNS server list to be overwritten"
    2.) Enter as DNS server (it's Google's DNS)
    3.) Why are you spoofing your MAC? Can you use the original pfSense MAC? Some systems recognize if the MAC belonging to an IP has changed.

    Port forwardings are not necessary.

    What you can try is to create an allow "any to any" rule on your WAN side. Then try whether you can browse the web from your client. But be careful - everyone else can then access your network. This is only for testing.

    But after that I am really out of ideas :(

  • I got it working!

    I set up the DNS forwarder and installed squid.  I'm not really sure why it works or what the underlying issue was, but this seems to be an effective workaround.

    Thanks for the help.

    EDIT: I say this, but since squid is only a web proxy, no other web service (email, FTP) works.  Is there a workaround for this?

  • Hi,

    if you are running squid in transparent mode, then squid is only proxying HTTP (80). If squid is running in non-transparent mode (then you have to enter the proxy IP in the web browser), it is caching HTTP, HTTPS and FTP (80, 443, 21). Try this.

    Further you can try with:
    Disable X-Forward: checked
    Disable VIA: checked

  • Awesome, works like a charm.

    Thanks again.
