Block via MAC or DHCP list



  • I am trying to stop access in and out of the internet for three machines but IP isn't working - said user (a teenager that burns energy all night and sleeps all day) figured out that simply changing to another IP gets around the rule.

    I want to prevent the machines getting anything in or out regardless of IP address based on a schedule but not restrict or interfere with anything else.

    So - can I block by MAC address or is there a way to get the DHCP server to provide a 'whitelist' of IP's such that if an IP isn't listed in the DHCP 'issued' table (NOT the IP range) then no access is permitted full stop etc etc.



  • You could enabled the Captive Portal and put the IP he should use on the whitelist.
    Basically force him to use the IP he's supposed to use.



  • Thanks, I'll have a look into that, seems a complex method to achieve something as simple as blocking a MAC address but anything complex is until you've done it once …



  • Said teenager will soon figure out he can change the MAC address of his system to get around MAC address checks anyway. If you put those machines on a separate interface/subnet then you can lock that subnet down, regardless of anything else. If he has physical access to cabling, then of course all bets are off, he can remove the pfSense completely!



  • But do it anyway so he learns something :p
    You can make a maze of network-puzzles which he all has to solve to get access to internet again ^^"
    (That's kind of how i got into networks)



  • Unlike iptables on Linux, to do combined layer 2/3 firewall rules in PFsense you have to use the IPFW firewall. Within PFsense, the IPFW firewall is enabled when you turn on the captive portal. It's a hassle, but you can turn on captive portal and then create custom scripts that modify the IPFW firewall rules.

    I've done the following:

    1.) Create a "dummy" captive portal zone.
    2.) Modify the captive portal code that adds the IPFW rules to execute a custom script.
    3.) Modify the dhcp save screen to call the captive portal code in #2.
    4.) Write custom script (executed in #2) that does what I want (skips the normal captive portal rule and checks certain mac/ip combinations, etc.)

    Had to hack it a little - but it works like a champ and I can basically do whatever I want with MAC and IP combinations. Since my script also creates IPFW rules to "skip over" the normal captive portal rules - I don't actually use the PFsense captive portal functionality (never see the captive portal login, etc.).



  • Thanks - network puzzles I can set up  ;D

    I just want to keep the hassle to a minimum for me and the maximum for him.

    Looks like I need to explore some code hacks when I get time because that sound's exactly whats needed.



  • If you're comfortable at the Unix command line, it's a relatively easy task to do what I described (i.e. turn on IPFW and introduce your custom rules). Let me know if you want it and I could post some sample code and instructions…

    BTW - what I do is allow certain IP ranges to bypass the dansguardian filter. For those ranges, I make sure (using IPFW rules) that the MAC address and IP address entered on the DHCP static entry are correct (as seen by IPFW). Basically make sure no one can hijack a MAC address...



  • I am also interested in a pfSense MAC adress filter.

    Could you please post some sample code and instructions?

    Best regards



  • Sorry it took me so long to get something posted on this… See attached files (note that I have added ".txt" to all file names).

    Descriptions:

    ipfw_custom_rules.txt - A shell script that dumps rules to standard out. This script can be used to generate rules that get added to the rules saved by the captive portal. I modified /etc/inc/captiveportal.inc to execute this script and add the rules (see attached captiveportal.inc.new)

    macip_additions.conf - a list of mac/ip combinations to add as acceptable. Necessary for virtual machines and some wireless adapters that may show the same IP with more than one mac.

    checked_ranges.conf - file specifying ranges to be checked for valid mac/ip combinations (see script... can also use an alias)

    sample_output.txt - sample output of the script

    ipfw_list.txt - output of "ipfw -x "Dummy" list

    captiveportal.inc - modified captiveportal.inc. Search for "RJC" to see my mods. Note that I also modified the dhcp page to call the captiveportal_init_rules function when saving fixed IP addresses.

    ipfw_custom_rules.txt
    captiveportal.inc.new.txt
    checked_ranges.conf.txt
    sample_output.txt
    macip_additions.conf.txt
    ipfw_list.txt



  • I have a few questions when you have a chance:

    Any issues running this on 2.1.5?
    Does CP have to be enabled? If so, I take it, you just select the interface you want it enabled on?
    Have you tested this with IPv6 by chance? I recall that IPFW in 2.1.x doesn't work with IPv6



  • Works on 2.1.5… although I had to update the changes into the pfSense code that I've modified to execute my script. Really pretty minor changes, but I have to keep them up to date as versions change.

    I also made another screen change to allow you to maintain the list of additional IP/MAC combinations on the DHCP screen (see previous thread - sometimes things like wireless adapters show two MAC's - device MAC and adapter MAC). I'll try to post the updated 2.1.5 versions tonight.

    I enable the captive portal just to turn on the IPFW firewall (no other reason). I simply create a dummy portal - actually call it "dummy" - on whatever interface. The IPFW rules I add skip over the captive portal rules so the captive portal doesn't function. If you wanted, I suppose you could figure out how to add rules and leave the captive portal active.

    I have not tried it with IPv6



  • Thank you. I'll wait for the new files before giving it a try. I have a feeling it may not work for me if I have IPv6 enabled but I could just disable it for this one interface.



  • Sorry it took me a while to pull this together. The relevant files are in this zip https://dl.dropboxusercontent.com/u/55672566/MAC-IP-checking.zip



  • Thank you!



  • You're welcome… didn't have time to comment last night, but let me explain a couple of things and offer a couple suggestions.

    /usr/local/www/services_dhcp.php is a modified version of the dhcp screen. It has two changes - first it will call the captive portal re-initialize functions. These in-turn call the script to add the additional ipfw rules. This is done because I add rules to check that mac addresses are not hijacking IP's of certain ranges of fixed assignments. The second thing it does is add a section for duplicate mac/ip combinations. This is stored in a section of the config.xml and then written out to a file /usr/local/ipfw_custom_rules/macip_additions.conf that is added to the ipfw rules.

    The directory /usr/local/ipfw_custom_rules has the script "ipfw_custom_rules" that creates the rules I am adding. It reads an alias to determine the IP address range that I want to check to make sure that no one is highjacking an IP. The alias needs to be set in the config (just a normal pfSense alias). This script is called from the captive portal code.

    /etc/inc/captiveportal.inc is a modified version of the captiveportal code that adds the output of the above script to the IPFW rules. You can simply run the script (since it dumps to standard out) to see what it is adding.

    For the two modified files, you can diff them with the originals to see the changes... it's not major.