Netgate Discussion Forum

    Protect MAC address from stealing and using

      ingux

      Hi all!
      I am new to pfSense, and I am going to ask for help, please.
      Is there any way to protect pfSense from MAC address changes, i.e. I want that if a LAN client with a static IP changes their NIC card's MAC address, then the internet connection will be disconnected.
      In MikroTik this is simple, just one click on static ARP and that's all,
      but on Google I didn't find any working solution.
      I need that because I have approx. 200 clients, and their traffic bandwidths are from 5 Mbits to 50 Mbits. And using programs like netcut and MAC address changers, they steal IP addresses, i.e. make a clone, and finally use the real client's MAC address.

        matguy

        @ingux:

        Hi all!
        I am new to pfSense, and I am going to ask for help, please.
        Is there any way to protect pfSense from MAC address changes, i.e. I want that if a LAN client with a static IP changes their NIC card's MAC address, then the internet connection will be disconnected.
        In MikroTik this is simple, just one click on static ARP and that's all,
        but on Google I didn't find any working solution.
        I need that because I have approx. 200 clients, and their traffic bandwidths are from 5 Mbits to 50 Mbits. And using programs like netcut and MAC address changers, they steal IP addresses, i.e. make a clone, and finally use the real client's MAC address.

        Sounds like students…  I don't think there's a way to stop people from spoofing a MAC and IP address on a machine they otherwise own/administer.  I think a captive portal may lock them in to a username/password association, which should be able to manage your bandwidth, but I would imagine that someone might still be able to harvest MACs and IPs for later spoofing of previously authenticated machines.

        I don't know the features of pfSense that well, but I would think that it'd take an app on their machine that's tied to some kind of serial number or account managed by the router/manager server that uses a heartbeat to maintain the connection.  They could still spoof the MAC and IP, but it'd only work till the next heartbeat that doesn't check in, like 15 minutes or so.  I'm sure there are multiple applications/services/solutions that do this; I know Cisco Clean Access does, among other things, but I don't know any free ones.

          SeventhSon

          There is an option for static arp under the DHCP Server settings

            Nachtfalke

            On better switches and wireless APs there is an option like "AP isolation" or something like "Private VLAN". This allows the port to communicate only with its gateway but with no other clients on the same switch/AP. This will prevent someone from spoofing someone else's MAC address and doing man-in-the-middle attacks. So they cannot use someone else's MAC address and use their bandwidth/traffic.

            Then - as SeventhSon said - enable static ARP on the DHCP server.

            Another possibility could be to use the pfSense Captive Portal + freeradius2 package and then set up bandwidth and traffic volume for each user individually. Then it is dependent on the username/password - so people can use their laptop or smartphone or iPad and it all counts against the same user.
            http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

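The static ARP approach suggested in the thread pins each IP to one MAC. As an added example (not part of any post above and not pfSense code), the following script audits an ARP table against such a binding list; the sample lines are constructed in the layout printed by `arp -an` on FreeBSD, and `BINDINGS` is a hypothetical stand-in for the static DHCP mappings.

```python
import re

# Matches `arp -an` lines such as:
# ? (192.0.2.10) at 02:00:00:00:00:10 on em1 expires in 1187 seconds [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f:]{11,17}|\(incomplete\)) on (?P<iface>\S+)")

def norm_mac(mac):
    """Lowercase and zero-pad each octet so textual variants compare equal."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def parse_arp(output):
    """Return (ip, mac, iface) for every resolved entry; skip incomplete ones."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m and m["mac"] != "(incomplete)":
            entries.append((m["ip"], norm_mac(m["mac"]), m["iface"]))
    return entries

def audit(entries, bindings):
    """Flag entries that disagree with the expected IP -> MAC bindings.
    A host presenting a matching IP *and* MAC pair passes this check."""
    expected = {ip: norm_mac(mac) for ip, mac in bindings.items()}
    registered_macs = set(expected.values())
    findings = []
    for ip, mac, iface in entries:
        if ip not in expected:
            kind = "mac-reused" if mac in registered_macs else "unregistered"
        elif expected[ip] != mac:
            kind = "ip-taken"          # bound IP answered by another MAC
        else:
            continue
        findings.append((kind, ip, mac, iface))
    return findings

# Constructed sample data (documentation addresses, locally administered MACs).
SAMPLE_ARP = """\
? (192.0.2.1) at 02:00:00:00:00:01 on em1 permanent [ethernet]
? (192.0.2.10) at 02:00:00:00:00:10 on em1 expires in 1187 seconds [ethernet]
? (192.0.2.11) at 02:00:00:00:00:99 on em1 expires in 901 seconds [ethernet]
? (192.0.2.50) at 02:00:00:00:00:10 on em1 expires in 44 seconds [ethernet]
? (192.0.2.60) at 02:00:00:00:00:60 on em1 expires in 300 seconds [ethernet]
? (192.0.2.12) at (incomplete) on em1 expired [ethernet]
"""
BINDINGS = {"192.0.2.1": "02:00:00:00:00:01", "192.0.2.10": "02:00:00:00:00:10",
            "192.0.2.11": "02:00:00:00:00:11", "192.0.2.12": "02:00:00:00:00:12"}

if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP), BINDINGS):
        print(*finding)
```

Running it over the live table before static ARP is switched on shows which entries disagree with the planned bindings.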