Protect MAC address from stealing and using



  • Hi all!
    I am new to pfSense, and that is why I am going to ask for help, please.
    Is there any way to protect pfSense from MAC address changes? I.e. I want that if a LAN client with a static IP changes their NIC's MAC address, then their internet connection will be disconnected.
    In MikroTik this is simple, just one click on static ARP and that's all.
    But on Google I didn't find any working solution.
    I need that because I have approx. 200 clients, and their traffic bandwidth is from 5 Mbit/s to 50 Mbit/s. And using programs like NetCut and MAC address changer, they steal IP addresses, i.e. make a clone, and finally use the real client's MAC address.



  • @ingux:

    Hi all!
    I am new to pfSense, and that is why I am going to ask for help, please.
    Is there any way to protect pfSense from MAC address changes? I.e. I want that if a LAN client with a static IP changes their NIC's MAC address, then their internet connection will be disconnected.
    In MikroTik this is simple, just one click on static ARP and that's all.
    But on Google I didn't find any working solution.
    I need that because I have approx. 200 clients, and their traffic bandwidth is from 5 Mbit/s to 50 Mbit/s. And using programs like NetCut and MAC address changer, they steal IP addresses, i.e. make a clone, and finally use the real client's MAC address.

    Sounds like students… I don't think there's a way to stop people from spoofing a MAC and IP address on a machine they otherwise own/administer. I think a captive portal may lock them in to a username/password association, which should be able to manage your bandwidth, but I would imagine that someone might still be able to harvest MACs and IPs for later spoofing of previously authenticated machines.

    I don't know the features of pfSense that well, but I would think that it'd take an app on their machine that's tied to some kind of serial number or account managed by the router/manager server that uses a heartbeat to maintain the connection. They could still spoof the MAC and IP, but it'd only work till the next heartbeat that doesn't check in, like 15 minutes or so. I'm sure there are multiple applications/services/solutions that do this, I know Cisco Clean Access does, among other things, but I don't know any free ones.



  • There is an option for static ARP under the DHCP Server settings.



  • On better switches and wireless APs there is an option like "AP isolation" or something like "Private VLAN". This allows the port to communicate only with its gateway, but not with other clients on the same switch/AP. This prevents someone from spoofing someone else's MAC address and doing man-in-the-middle attacks. So they cannot use someone else's MAC address and use their bandwidth/traffic.

    Then - as SeventhSon said - enable static ARP on the DHCP server.

    Another possibility could be to use the pfSense Captive Portal + freeradius2 package and then set up bandwidth and traffic volume for each user individually. Then it is dependent on the username/password, so people can use their laptop or smartphone or iPad and it all counts against the same user.
    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
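The static ARP suggestion in the two posts above is only useful if you can see whether it is actually in effect and whether someone is still cloning a MAC. The script below is an added example, not code from the thread or from the pfSense project: it parses FreeBSD `arp -an` output (pfSense runs on FreeBSD; the sample output and the static-mapping dictionary here are constructed) and compares the live ARP table against the DHCP static mappings. It flags an IP answered by a MAC other than its mapping, a mapped IP whose ARP entry is still dynamic (static ARP not in effect), hosts with no mapping, and one MAC showing up on several IPs. The mapping dict and sample output are placeholders; on a real box you would read them from the DHCP Server configuration and from `arp -an` on the firewall.

```python
import re
from collections import defaultdict

# Constructed stand-in for the pfSense DHCP static mappings (IP -> MAC).
# On a real box these come from the DHCP Server page, not from this dict.
STATIC_MAPPINGS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
    "192.168.1.12": "00:11:22:33:44:77",
}

# Constructed sample of `arp -an` output in FreeBSD format.
# "permanent" marks a static entry; a dynamic entry shows "expires in N seconds".
SAMPLE_ARP = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (192.168.1.11) at 00:11:22:33:44:55 on em1 expires in 1146 seconds [ethernet]
? (192.168.1.12) at 00:11:22:33:44:77 on em1 permanent [ethernet]
? (192.168.1.50) at aa:bb:cc:dd:ee:ff on em1 expires in 900 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<iface>\S+) (?P<state>permanent|expires in \d+ seconds)"
)


def parse_arp(text):
    """Parse FreeBSD `arp -an` output into a list of (ip, mac, iface, is_static)."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # incomplete entries and other noise are skipped
        entries.append((m["ip"], m["mac"].lower(), m["iface"], m["state"] == "permanent"))
    return entries


def audit(entries, mappings):
    """Compare the live ARP table with the static mappings.

    Returns (kind, subject, detail) tuples:
      ip-hijack    a mapped IP is now answered by a different MAC than its mapping
      not-static   a mapped IP is present but its ARP entry is dynamic (static ARP not in effect)
      unknown-host an IP with no static mapping at all
      mac-clone    one MAC seen on more than one IP (someone copied a real client's MAC)
    """
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac, _iface, is_static in entries:
        ips_by_mac[mac].add(ip)
        expected = mappings.get(ip)
        if expected is None:
            findings.append(("unknown-host", ip, mac))
        elif expected.lower() != mac:
            findings.append(("ip-hijack", ip, mac))
        elif not is_static:
            findings.append(("not-static", ip, mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-clone", mac, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_arp(SAMPLE_ARP), STATIC_MAPPINGS):
        print(f"{kind:13} {subject:18} {detail}")
```

On the constructed sample this reports 192.168.1.11 as hijacked (its mapping says `...:66` but the table shows `...:55`), 192.168.1.50 as an unknown host, and `00:11:22:33:44:55` as a cloned MAC because it now answers for two IPs. Note the limit of what the firewall can see: a client that copies both the victim's IP and MAC produces an ARP entry identical to the legitimate one, so this check cannot tell the two apart. That case is only visible at the switch (the same MAC on two ports) or through per-user accounting, which is why the port-isolation and captive-portal suggestions in this thread are the complement to static ARP rather than an alternative.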

