Netgate Discussion Forum

How to deny or block Mac Address access internet?

Firewalling
11 Posts 8 Posters 67.3k Views
    kouevenwang
    last edited by Sep 17, 2011, 9:32 AM

    Hi All,

    I am a new pfSense user and I have a question. I want to deny a client access to the internet. I know I can use firewall rules to do this, but the rules only allow using an IP address. Although I have the client's IP address, they always change the IP. What can I do? Can I use the MAC address for blocking?

    Please help, thanks so much!

      Metu69salemi
      last edited by Sep 17, 2011, 10:17 AM

      Give a static IP to a certain MAC address and block that IP address.

        remd
        last edited by Jan 1, 2012, 5:36 PM

        @Metu69salemi:

        Give a static IP to a certain MAC address and block that IP address.

        I have set up a DHCP reservation on the router for the same purpose. Both these methods have a drawback though: if the user has admin rights on his computer he can assign the computer another static IP and bypass the blocked IP.

        For this reason it would be great to be able to block computers based on MAC addresses as well. Although MAC addresses can be spoofed, it is somewhat harder than simply assigning another IP...
        Is this possible with pfSense? Or is there an additional package?

          marcelloc
          last edited by Jan 2, 2012, 2:41 AM

          Try extra protection with static ARP entries.

          This way only a spoofed MAC + spoofed IP will skip the rules.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

            SEMIJim
            last edited by Jan 3, 2012, 3:12 PM

            @marcelloc:

            Try extra protection with static ARP entries.

            Looking at the DHCP Server configuration page, the check-box next to "Enable Static ARP entries" warns "Note: Only the machines listed below will be able to communicate with the firewall on this NIC."  This implies to me that you'd have to manually list every client you wanted to allow, rather than just the MAC addresses of those you wanted to deny.  Is this correct?

            Thanks,
            Jim

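The thread above layers three controls: a firewall rule on the client's IP, a DHCP static mapping so the client always gets that IP, and pfSense's "Enable Static ARP entries" option so that only listed MAC/IP pairs can talk to the firewall at all. The model below, added here as an illustration and not taken from the thread or from pfSense code, spells out which of remd's bypasses (change the IP, spoof another host's MAC and IP) defeats which layer, and why Jim's reading of the static ARP note is right: an unlisted host is cut off too. The MACs, IPs and mappings are constructed sample data.

```python
"""Which bypass defeats which control: IP-based rule vs. static ARP.

Added example. Models the controls discussed in the thread; it is not
pfSense code and does not touch the network. All addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    mac: str  # MAC the client actually puts on the wire
    ip: str   # IP the client actually uses (DHCP-assigned or self-set)


# Constructed DHCP static mappings (MAC -> IP) as entered on the pfSense
# DHCP server page. With "Enable Static ARP entries" on, only these
# exact pairs can communicate with the firewall on that interface.
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": "192.168.1.50",  # the client we want to block
    "00:11:22:33:44:66": "192.168.1.51",  # a client that stays allowed
}

# The firewall rule from the first answer: block by source IP only.
BLOCKED_IPS = {"192.168.1.50"}


def firewall_allows(host: Host) -> bool:
    """A LAN rule matches on the source IP; the MAC is never consulted."""
    return host.ip not in BLOCKED_IPS


def static_arp_allows(host: Host) -> bool:
    """Static ARP: the firewall only has ARP entries for the listed
    pairs and does not learn new ones, so any other MAC/IP combination
    cannot exchange frames with it. Mismatched pairs fail too."""
    return STATIC_MAPPINGS.get(host.mac) == host.ip


def reaches_internet(host: Host, static_arp: bool) -> bool:
    """Does traffic from this host get through the pfSense box?"""
    if static_arp and not static_arp_allows(host):
        return False  # never even gets an ARP reply from the gateway
    return firewall_allows(host)


def scenarios() -> dict[str, tuple[bool, bool]]:
    """Outcome (without static ARP, with static ARP) per scenario."""
    blocked_client = Host("00:11:22:33:44:55", "192.168.1.50")
    changed_ip = Host("00:11:22:33:44:55", "192.168.1.99")      # remd's bypass
    spoofed_pair = Host("00:11:22:33:44:66", "192.168.1.51")    # marcelloc's caveat
    new_laptop = Host("00:11:22:33:44:77", "192.168.1.52")      # Jim's concern
    cases = {
        "blocked client, as mapped": blocked_client,
        "blocked client sets another static IP": changed_ip,
        "blocked client spoofs allowed MAC + IP": spoofed_pair,
        "new, unlisted DHCP client": new_laptop,
    }
    return {
        name: (reaches_internet(h, static_arp=False),
               reaches_internet(h, static_arp=True))
        for name, h in cases.items()
    }


if __name__ == "__main__":
    for name, (plain, with_arp) in scenarios().items():
        print(f"{name:42s} IP rule only: {plain!s:5s}  + static ARP: {with_arp}")
```

Reading the output: changing the IP alone walks past the IP rule but not past static ARP, spoofing a listed MAC/IP pair walks past both, and a legitimate newcomer that is not listed is blocked as soon as static ARP is enabled, which is the operational cost Jim is asking about.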
              marcelloc
              last edited by Jan 3, 2012, 3:45 PM

              Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

              It looks very clear to me, but you can test on a virtual machine to see what happens.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

                SEMIJim
                last edited by Jan 3, 2012, 6:25 PM

                Never mind.  Sorry I asked.  I should know better, by now.

                  t0rpedo
                  last edited by Jan 5, 2012, 10:20 PM

                  I seem to have run into the same conundrum.

                  I have a pfSense box as my gateway, and I have a couple of hosts that I want to block using a scheduled firewall rule. They will be used by tech savvy persons, so I do expect some fiddling and static IP changes to the machines. I would like to use DHCP reservations with static ARP tables, but I need to have the convenience of the DHCP server to allow new wireless clients to come and go. I can't manually enter everything any time a new laptop opens up and connects.

                  Are there any thoughts as to how this setup can be modified to interact with my hosts in the way that I have specified?

                    dotdash
                    last edited by Jan 5, 2012, 10:34 PM

                    If you have tech savvy users, they will just spoof their mac address.
                    FreeBSD does have MAC filtering in the wireless stack, but for the reason above it is not implemented in the pfSense GUI and that would only help if the firewall was acting as the AP. IPFW, used by the captive portal, can block by MAC, so there might be some way to enable CP and block MACs via a command-line hack, but you wouldn't be able to schedule it.

                      dhatz
                      last edited by Jan 5, 2012, 10:41 PM

                      Yep, those were my thoughts too.

                      I can't think of a way to impose limits to "tech savvy users" on an open Wifi network, other than going all the way to 802.1X/WPA-EAP.

                      On a wired network it is doable, assuming the right equipment (managed switches with DHCP snooping etc).

                        t0rpedo
                        last edited by Jan 5, 2012, 10:50 PM

                        I'm not using pfSense to manage wireless clients; I have a DD-WRT AP that is doing that for me. I had the thought of picking up a managed switch. Perhaps that is my best go-to. As for ARP spoofing, I'm not working with people that technical. In fact I'd be impressed if they managed to pull that off and would probably give them a better grade. Thanks for your help. If there are any other thoughts or ideas please feel free to share, I'm all about 'the learning'!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.