Netgate Discussion Forum

How to block mac address?

2.0-RC Snapshot Feedback and Problems - RETIRED
10 Posts 5 Posters 18.5k Views
    xbipin
    last edited by Aug 17, 2011, 2:40 PM

    usually commercial routers have a mac address block feature where you can simply restrict a mac address from accessing anything.

    i can use static arp entries but then i would need to add all the mac ids to the list to which i want to provide access in order to just block a few of them, firewall rules can be used but that then depends on ip address which can easily be changed by the client.

      Metu69salemi
      last edited by Aug 17, 2011, 3:34 PM

      You can block only if it passes through firewall, same as commercial routers

      1. make some space high or low end of your dhcp pool.
      2. assign ip address to this mac outside of pool
      3. allow access every client except this outside pool area
        xbipin
        last edited by Aug 17, 2011, 3:49 PM

        what if the client manually specifies his ip address instead of following the dhcp assigned one?

        i have read older posts regarding the same topic but there seems to be no easy way of simply putting the mac ids in a list similar to how it's available in routers, so would that be possible if a bounty was posted?

          Nachtfalke
          last edited by Aug 17, 2011, 4:00 PM

          The only way to MAC filter is - as far as I know - the captive portal.
          You could add there all MACs that should have access. The others get redirected to the captive portal page.

          But you say that the clients can change their IPs…then they can change their MAC addresses, too.

            xbipin
            last edited by Aug 17, 2011, 4:13 PM

            mac id changing is a bit tricky compared to an ip change so i doubt the client will do that, problem is the allow mac id list is huge so i can't add that to any list manually and usually clients keep adding newer devices such as phones and laptops to the network, it would be easier for me to fish for the bad fishes and block them.

            i wonder how they do it in routers

              johnpoz LAYER 8 Global Moderator
              last edited by Aug 17, 2011, 9:09 PM

              "mac id changing is a bit tricky compared to an ip change"

              Says who? Most Windows NIC drivers have it built right in to change the MAC (locally administered address), and Linux is a simple ifconfig command: ifconfig ethX hw ether newmac

              So not sure where you got the idea that it's something all that difficult to do?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                xbipin
                last edited by Aug 18, 2011, 5:16 AM

                let's just assume they won't mess with the mac id, now is it possible to have something that filters mac ids based on a list similar to how the firewall rules work, meaning, filter traffic based on mac id before matching with firewall rules.

                  mikeisfly
                  last edited by Aug 18, 2011, 4:17 PM

                  You can set up a captive portal based on a username and password. There are many guides on how that is done. A captive portal will redirect everyone and once you are authenticated you won't be bothered by it anymore. Think about Wi-Fi at a hotel you stayed at. You can also add in exempt MACs for your servers and things. I think this is a better solution and you can add some terms of service that could protect you legally.

                    xbipin
                    last edited by Aug 19, 2011, 8:46 AM

                    I'm familiar with captive portal but i still prefer a simple list, where mac ids added to it would not get an ip or almost no communication with the firewall, and which would be simple enough for others to use also.

                      johnpoz LAYER 8 Global Moderator
                      last edited by Aug 19, 2011, 12:01 PM

                      Ok, I am no expert for sure, but from a simple google for mac filtering with ipfw, the first thing I think would have to happen is to turn on

                      sysctl -a | grep ether.ipfw
                      net.link.ether.ipfw: 0

                      I believe this has to be 1 to do layer 2 checks in ipfw??

                      I think once you set that then sure you could write your own rules.  I would suggest you put in a feature request if you want the gui to be able to do it, or start posting a bounty.

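The blocklist idea discussed in this thread, as an added example that is not part of the original posts and is not pfSense's own code: a script that turns a list of MAC addresses into ipfw layer-2 deny rules and prints them for review. It assumes the FreeBSD ipfw(8) `MAC dst src` and `layer2` rule options; the function names, rule numbers and sample addresses are made up for illustration, and how hand-written ipfw rules coexist with pfSense's own configuration is not covered in the thread.

```shell
#!/bin/sh
# Added example: print ipfw layer-2 deny rules for a MAC blocklist.
# Nothing is loaded; review the output before running it on the firewall.
# Layer-2 frames reach ipfw only when: sysctl net.link.ether.ipfw=1

# Print the lower-case colon form of a MAC; return 1 if it is malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Read one MAC per line on stdin ("#" starts a comment) and print one
# rule per unique valid address, numbered from $1 in steps of 10.
gen_rules() {
    num=${1:-1000}
    seen=' '
    while read -r entry rest; do
        case "$entry" in ''|'#'*) continue ;; esac
        if ! mac=$(normalize_mac "$entry"); then
            echo "skipped invalid entry: $entry" >&2
            continue
        fi
        case "$seen" in *" $mac "*) continue ;; esac
        seen="$seen$mac "
        # ipfw(8) order is destination MAC first, source MAC second.
        echo "ipfw add $num deny all from any to any MAC any $mac layer2"
        num=$((num + 10))
    done
}

# Constructed sample blocklist (made-up addresses).
sample_blocklist() {
    cat <<'EOF'
# device list kept by the admin
00:16:3E:AA:BB:01   tablet
00-16-3e-aa-bb-02
00:16:3e:aa:bb:01   duplicate of the first entry
00:16:3e:aa:bb      too short, rejected
EOF
}

sample_blocklist | gen_rules 1000
```

The rules match on source MAC, which the client controls, as noted earlier in the thread, so they only stop devices that keep their address.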