Netgate Discussion Forum

MAC Filtering on WIFI: Possible or Not?

16 Posts 6 Posters 15.0k Views
    papou, Sep 16, 2011, 1:25 PM (edited Sep 16, 2011, 1:33 PM)

    Hello,

    First of all, my understanding of MAC filtering on WIFI is that it prevents any connection to your AP that is not explicitly allowed. Am I right?

    So I tried on my 2.0RC3 to have MAC filtering:
    My config is simple: LAN (192.168.0.1) is a bridge of WIREDLAN (192.168.2.1) & WIFILAN (AP mode) (192.168.3.1)
    DHCP is on LAN

    For MAC filtering, as I read: you need to use the captive portal service with MAC filtering on an interface.
    But as you cannot make it run on an interface that is part of a bridge, my only solution is to do it on the LAN interface (a bridge).
    But if I do that, I cannot prevent a computer from connecting to my WIFI (OK, it will not be able to go out to WAN, it will have limited access, blah blah blah), but it will be connected!  >:(

    I also read: use DHCP.
    Yes, it can work, but how do I prevent the WIFI computer from setting a static IP address on my network?

    So am I totally wrong, or is there no way to have pfSense act like my dd-wrt router doing MAC filtering?

    Thanks

    Papou

      wallabybob, Sep 16, 2011, 1:57 PM

      @papou:

      So am I totally wrong, or is there no way to have pfSense act like my dd-wrt router doing MAC filtering?

      Since I have no experience of dd-wrt and I don't know what aspect of its MAC filtering behaviour you are wanting to emulate, it's pretty hard to answer your question.

      Unfortunately I didn't understand most of your other questions.  Perhaps if you explained what problem you are trying to solve some of the readers might be able to offer suggestions.

        papou, Sep 16, 2011, 2:18 PM

        Sorry for not being clear… :-\

        In fact I just want to prevent anyone from connecting to my network by WIFI except the MACs I have allowed. That is my understanding of WIFI MAC filtering: my AP must refuse unknown MACs.

        Using Captive Portal seems not to be the solution in my case, because with Captive Portal activated, a computer not in the Pass-Through MAC list can connect to my LAN by WIFI. (Effectively it will maybe have restricted access depending on the authentication, with a login prompt...), but it will be connected and will see the other hosts.
        I really can't see any way to have something like: if not in a MAC list, then no connection to the AP.

          wallabybob, Sep 16, 2011, 2:53 PM

          @papou:

          Using Captive Portal seems not to be the solution in my case, because with Captive Portal activated, a computer not in the Pass-Through MAC list can connect to my LAN by WIFI.

          It's not always easy to get the details on how things work. My observation, after using captive portal on a WiFi interface for some months, is that traffic received on a captive portal interface doesn't get past the captive portal interface UNLESS it's in one of the pass-through lists or is from an authenticated system.  BUT I haven't used the captive portal on a bridged interface so I can't comment on whether bridging happens BEFORE captive portal or AFTER.

          Do you need to bridge WiFi and LAN? (The configuration information you posted suggests you haven't bridged WiFi and LAN.)

            papou, Sep 16, 2011, 3:06 PM (edited Sep 16, 2011, 3:22 PM)

            Yes, in fact I have bridging.

            My configuration:

            WAN (re0): static IP 192.168.1.1, no DHCP
            WIFILAN (run0): static IP 192.168.3.1, no DHCP
            WIREDLAN (sis0): static IP 192.168.2.1, no DHCP
            LAN BRIDGE0 (WIREDLAN + WIFILAN): static IP 192.168.0.1
            DHCP on LAN, range 192.168.0.31 to 192.168.0.254, and static IP addresses assigned to MACs for 192.168.0.2 to 192.168.0.30 (with some holes)

            I did the bridging to have all my devices (WIFI or WIRED) in the same IP range: 192.168.0.x (perhaps it is stupid to do a bridge for that?)

              wallabybob, Sep 16, 2011, 10:11 PM

              Bridge members shouldn't have an IP address - the bridge device itself has the IP address.

              Why not try Captive Portal without bridging the WiFi and LAN interfaces?

                papou, Sep 17, 2011, 6:55 AM

                @wallabybob:

                Bridge members shouldn't have an IP address - the bridge device itself has the IP address.

                Why not try Captive Portal without bridging the WiFi and LAN interfaces?

                Thanks wallabybob,  ;)
                I will try this; I did this bridge at the beginning to simplify the FW rules.
                Have a nice weekend  ;D !

                  papou, Sep 17, 2011, 10:17 AM (edited Sep 17, 2011, 10:23 AM)

                  I looked around my config (I remember having seen something for MAC filtering in a conf file) and I found this in /var/etc/hostapd_run0_wlan0.conf:

                  #accept_mac_file=/tmp/hostapd_run0_wlan0.accept
                  #deny_mac_file=/tmp/hostapd_run0_wlan0.deny

                  I think that if I uncomment the accept_mac_file line it will work as I want (after, of course, adding the trusted MACs in a file). Am I wrong?
                  If not, could this functionality be added to a future pfSense version? (Because for me it is clearly a security hole. Preventing unknown MACs from connecting clearly complicates the hacker's tasks…) And this functionality is available on all home routers, so it is surprising not to find it in such powerful software  ;)

                    wallabybob, Sep 17, 2011, 11:17 AM

                    pfSense pretty much needs to be configured through the web GUI rather than application configuration files because the application configuration files are generally regenerated on startup from the stored GUI configuration file.

                    @papou:

                    Preventing unknown MACs from connecting clearly complicates the hacker's tasks…) And this functionality is available on all home routers, so it is surprising not to find it in such powerful software  ;)

                    If I understand your requirements correctly, one way you can get what you want is to enable captive portal on your WiFi interface, provide a captive portal page with no option for the user to provide authentication information (the empty default one may do or you might want to add something more informative) and add the "authorised" MAC addresses to Services -> Captive Portal, Pass-through MAC tab.

                      papou, Sep 17, 2011, 11:39 AM

                      @wallabybob:

                      pfSense pretty much needs to be configured through the web GUI rather than application configuration files because the application configuration files are generally regenerated on startup from the stored GUI configuration file.

                      I understand the problem.

                      @papou:

                      Preventing unknown MACs from connecting clearly complicates the hacker's tasks…) And this functionality is available on all home routers, so it is surprising not to find it in such powerful software  ;)

                      If I understand your requirements correctly, one way you can get what you want is to enable captive portal on your WiFi interface, provide a captive portal page with no option for the user to provide authentication information (the empty default one may do or you might want to add something more informative) and add the "authorised" MAC addresses to Services -> Captive Portal, Pass-through MAC tab.

                      I will definitely try that: unbridging and using Captive Portal.

                      Thanks wallabybob!  :D

                        Ronoc, Sep 23, 2011, 1:33 PM

                        I have a similar setup, except I have the MAC filtering done on my AP (first-gen AirPort Extreme N). This way clients do not touch my network; the AP refuses the connection.

                          papou, Sep 23, 2011, 1:38 PM

                          Thanks Ronoc, I think it would be great to integrate this functionality in pfSense… at the WiFi interface level (two combo boxes to choose the accept or deny list) and a list of MAC addresses (like in DHCP, for example).  ;)

                            mastablastaz, Oct 3, 2011, 10:37 AM

                            Just plug in your WiFi AP as a switch on your pfSense and enable DHCP on that port + MAC filtering.

                              kapara, Oct 10, 2011, 12:53 AM

                              Do you have a specific reason for wanting to keep both on the same range?  If DHCP is enabled on the wireless interface you can do MAC filtering on that interface.  Maybe I do not understand….

                              Skype ID:  Marinhd

                                dotdash, Oct 10, 2011, 4:07 PM

                                FreeBSD supports MAC filtering on wireless interfaces. See the ifconfig manpage:
                                    The following parameters support an optional access control list feature
                                    available with some adapters when operating in ap mode; see wlan_acl(4).
                                    This facility allows an access point to accept/deny association requests
                                    based on the MAC address of the station.  Note that this feature does not
                                    significantly enhance security as MAC address spoofing is easy to do.

                                Due to the fact that most agree on the last sentence quoted above, there has been little interest in putting the feature in the GUI. If you would like the feature implemented, you could try a bounty.

                                  papou, Oct 10, 2011, 5:42 PM (edited Oct 11, 2011, 11:14 AM)

                                  @dotdash:

                                  FreeBSD supports MAC filtering on wireless interfaces. See the ifconfig manpage:
                                      The following parameters support an optional access control list feature
                                      available with some adapters when operating in ap mode; see wlan_acl(4).
                                      This facility allows an access point to accept/deny association requests
                                      based on the MAC address of the station.  Note that this feature does not
                                      significantly enhance security as MAC address spoofing is easy to do.

                                  Due to the fact that most agree on the last sentence quoted above, there has been little interest in putting the feature in the GUI. If you would like the feature implemented, you could try a bounty.

                                  Thanks for your answer. I will eat my bounty by myself; do not hesitate to correct me if I am wrong in my solution below :)
                                  1/ edit /etc/inc/interfaces.inc and replace the #accept_mac_file line with: accept_mac_file=/conf/hostapd.mac.accept
                                  2/ create the file /conf/hostapd.mac.accept with all your MAC addresses (one MAC address per line)
                                  3/ disable and then enable your WIFI interface
                                  4/ Enjoy!  ;)

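Both hand edits papou describes in this thread (uncommenting accept_mac_file in the generated hostapd config, then patching /etc/inc/interfaces.inc and filling /conf/hostapd.mac.accept) depend on two things: the accept file being well-formed, and hostapd actually being told to use it. The POSIX shell script below is an added example, not pfSense or hostapd code. It builds the accept file from a human-edited list, rejecting malformed entries instead of silently dropping them (a typo here either locks a device out or leaves the allow list shorter than intended), and it checks a hostapd config for the two settings an allow list needs. The hostapd fact it relies on is that macaddr_acl=1 means "deny unless listed in accept_mac_file", while macaddr_acl=0 means "accept unless listed in deny_mac_file"; whether pfSense's generated file already sets macaddr_acl is something to verify on the box, and, following wallabybob's point about regenerated configs, expect a pfSense upgrade that replaces /etc/inc/interfaces.inc to undo the hand edit. The file names, the trusted.txt comment syntax and all sample MAC addresses are constructed for this example. As dotdash's manpage quote says, this ACL only governs association and is defeated by address spoofing, so treat it as a convenience layer on top of WPA, not as access control.

```shell
#!/bin/sh
# Added example, not pfSense or hostapd code. Builds a hostapd accept_mac_file
# from a hand-maintained list and checks that a hostapd config enables it.
# Assumed: hostapd's accept-list format (one MAC per line). File names, the
# '#' comment syntax of the source list and all sample MACs are constructed.

# is_mac ADDR: exit 0 if ADDR is a well-formed colon-separated MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# build_accept_file SRC DST: read SRC (blank lines and '#' comments allowed),
# lower-case each MAC, drop duplicates and write DST in hostapd's format.
# A malformed entry is reported on stderr and the function exits 1, so a
# typo never silently shrinks the allow list.
build_accept_file() {
    src=$1
    dst=$2
    bad=0
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//' \
                | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]')
        [ -z "$entry" ] && continue
        if is_mac "$entry"; then
            # -x matches the whole line, so "aa:bb" cannot match "aa:bb:cc".
            grep -qx "$entry" "$dst" || printf '%s\n' "$entry" >> "$dst"
        else
            printf 'rejected malformed entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$src"
    return "$bad"
}

# acl_enabled CFG: exit 0 only if CFG has an uncommented accept_mac_file line
# AND macaddr_acl=1. In hostapd, macaddr_acl=0 means "accept unless listed in
# deny_mac_file"; only macaddr_acl=1 turns accept_mac_file into an allow list.
acl_enabled() {
    grep -Eq '^[[:space:]]*accept_mac_file=' "$1" &&
        grep -Eq '^[[:space:]]*macaddr_acl=1[[:space:]]*$' "$1"
}

# Demo on constructed input (sample addresses, not real devices).
demo_dir=$(mktemp -d)
cat > "$demo_dir/trusted.txt" <<'EOF'
# laptop
00:11:22:33:44:55
AA:BB:CC:DD:EE:FF   # phone: upper case is normalised
00:11:22:33:44:55   # duplicate: written once
00-11-22-33-44-66   # wrong separator: rejected, see stderr
EOF
if build_accept_file "$demo_dir/trusted.txt" "$demo_dir/hostapd.mac.accept"; then
    echo "accept file written cleanly"
else
    echo "accept file written, but some entries were rejected"
fi
cat "$demo_dir/hostapd.mac.accept"
# A config with the line still commented out and the default ACL mode:
printf 'macaddr_acl=0\n#accept_mac_file=/conf/hostapd.mac.accept\n' > "$demo_dir/hostapd.conf"
acl_enabled "$demo_dir/hostapd.conf" && echo "ACL enabled" \
    || echo "ACL NOT enabled: fix macaddr_acl / accept_mac_file"
rm -rf "$demo_dir"
```

Run it with sh on the pfSense box or any system with grep, sed and tr. After re-enabling the wireless interface, point acl_enabled at /var/etc/hostapd_run0_wlan0.conf to confirm the regenerated file really carries the setting rather than trusting the edit to interfaces.inc.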
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.