How to deny or block a MAC address from accessing the internet?

  • Hi All,

    I am a new pfSense user and I have a question. I want to deny a client access to the internet. I know I can use firewall rules to do this, but the rules only allow using an IP address. Although I have the client's IP address, they always change the IP. What can I do? Can I use the MAC address for blocking?

    Please help, thanks so much~

  • Give a static IP to a certain MAC address and block that IP address

  • @Metu69salemi:

    Give a static IP to a certain MAC address and block that IP address

    I have set up a DHCP reservation on the router for the same purpose. Both these methods have a drawback though: if the user has admin rights on his computer, he can assign the computer another static IP and bypass the blocked IP.

    For this reason it would be great to be able to block computers based on MAC addresses as well. Although MAC addresses can be spoofed, it is somewhat harder than simply assigning another IP…
    Is this possible with pfSense? Or is there an additional package?

  • Try an extra protection with static ARP entries.

    This way only a spoofed MAC + spoofed IP will skip rules.

  • @marcelloc:

    Try an extra protection with static ARP entries.

    Looking at the DHCP Server configuration page, the check-box next to "Enable Static ARP entries" warns "Note: Only the machines listed below will be able to communicate with the firewall on this NIC."  This implies to me that you'd have to manually list every client you wanted to allow, rather than just the MAC addresses of those you wanted to deny.  Is this correct?


  • Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

    It looks very clear to me, but you can't test on a virtual machine to see what happens.

  • Never mind.  Sorry I asked.  I should know better, by now.

  • I seem to have run into the same conundrum.

    I have a pfSense box as my gateway, and I have a couple hosts that I want to block using a scheduled firewall rule. They will be used by tech-savvy persons, so I do expect some fiddling and static IP changes to the machines. I would like to use DHCP reservations with static ARP tables, but I need to have the convenience of the DHCP server to allow new wireless clients to come and go. I can't manually enter everything anytime a new laptop opens up and connects.

    Are there any thoughts as to how this setup can be modified to interact with my hosts in the way that I have specified?

  • If you have tech savvy users, they will just spoof their mac address.
    FreeBSD does have MAC filtering in the wireless stack, but for the reason above it is not implemented in the pfSense GUI and that would only help if the firewall was acting as the AP. IPFW, used by the captive portal, can block by MAC, so there might be some way to enable CP and block MACs via a command-line hack, but you wouldn't be able to schedule it.

  • Yep, those were my thoughts too.

    I can't think of a way to impose limits to "tech savvy users" on an open Wifi network, other than going all the way to 802.1X/WPA-EAP.

    On a wired network it is doable, assuming the right equipment (managed switches with DHCP snooping etc).

  • I'm not using pfSense to manage wireless clients; I have a dd-wrt AP that is doing that for me. I had the thought of picking up a managed switch. Perhaps that is my best go-to. As for ARP spoofing, I'm not working with people that technical. In fact I'd be impressed if they managed to pull that off and would probably give them a better grade. Thanks for your help. If there are any other thoughts or ideas please feel free to share; I'm all about 'the learning'!
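
Added example, not part of the thread and not pfSense code: a small audit of the firewall's ARP table against the DHCP reservations, flagging the case raised above where a host with a reserved (and blocked) IP assigns itself a different address. It assumes FreeBSD-style `arp -an` output; the sample table, MAC addresses and reservations are constructed, and a host that changes both MAC and IP is not detected by this check.

```python
import re

# FreeBSD `arp -an` line, e.g.
# "? (192.168.1.50) at 00:1b:21:3c:4d:5e on em1 expires in 1187 seconds [ethernet]"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifc>\S+)", re.I)

def parse_arp(text):
    """Return (ip, mac, interface) tuples; '(incomplete)' entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["ifc"]))
    return entries

def find_mismatches(arp_entries, reservations):
    """reservations maps MAC -> reserved IP. Flag entries that contradict it."""
    ip_owner = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac, ifc in arp_entries:
        reserved_ip = reservations.get(mac)
        if reserved_ip and ip != reserved_ip:
            # Reserved host is using an address other than the one the rule blocks.
            findings.append(("reserved-mac-on-other-ip", mac, ip, ifc))
        owner = ip_owner.get(ip)
        if owner and mac != owner:
            # Someone else is sitting on a reserved address.
            findings.append(("reserved-ip-used-by-other-mac", mac, ip, ifc))
    return findings

# Constructed sample data (not taken from the thread).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.50) at 00:1b:21:3c:4d:5e on em1 expires in 1187 seconds [ethernet]
? (192.168.1.123) at 00:1e:c2:9f:10:22 on em1 expires in 902 seconds [ethernet]
? (192.168.1.60) at 3c:07:54:00:11:99 on em1 expires in 655 seconds [ethernet]
? (192.168.1.77) at (incomplete) on em1 expired [ethernet]
"""
RESERVATIONS = {
    "00:1b:21:3c:4d:5e": "192.168.1.50",
    "00:1e:c2:9f:10:22": "192.168.1.51",   # this host's IP is the blocked one
    "a4:5e:60:00:22:33": "192.168.1.60",
}

if __name__ == "__main__":
    for finding in find_mismatches(parse_arp(SAMPLE_ARP), RESERVATIONS):
        print(*finding)
```

The ARP table only lists hosts that have recently talked to the firewall, so a check like this is meant to be run periodically rather than once.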
