Netgate Discussion Forum

    What is the best way to block traffic from a specific MAC address?

    Category: Firewalling
    12 Posts 5 Posters 2.5k Views
      fpelaezt

      Hi guys, I think the subject summarizes it all: I need to know the best way (or a good way) to block any traffic from a specific MAC address on the LAN side.

      Some time ago I found a method that consisted of using a rule with IPFW, which works fine in a previous version of pfSense but not in the final version 2.1.4.

      I also found that I can use MAC filtering on the DHCP server, but with some hundreds of MACs to block it is hard to add them one by one and maintain the list.

      Any suggestions?

      Thanks.

        KOM

        Usually your clients either have a static IP or DHCP with reservations or static mappings, and then you block based on those. If you don't mind me asking, what is the scenario you are looking at?

          johnpoz (LAYER 8 Global Moderator)

          "but with some hundreds macs to block"

          Yeah, I have to ask as well: what are you trying to do? Why would you need to block by MAC in the first place? Without much info to go on, I would think you're using the wrong method of limiting access with MACs.

          What were you doing in previous versions of pfsense with IPFW that allowed you to block macs?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            BBcan177 (Moderator)

            On another note: Snort has the arpspoof preprocessor. I don't think that it is implemented in the GUI, but it might be configured by adding the configuration to the "Pass-through" box in Snort's interface setup.

            http://manual.snort.org/node151.html

            http://www.sans.org/reading-room/whitepapers/threats/address-resolution-protocol-spoofing-man-in-the-middle-attacks-474

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              fpelaezt

              Hi guys, here is a little more explanation of the situation.

              On a campus, I need to implement a WiFi network that gives access to visitor users only, but restricts any access by local users, whose MAC addresses I know. The local users should use another, different and dedicated WiFi.

              The visitor users get their IPs dynamically from the DHCP server.

              Using these commands (e.g. ipfw add 65308 deny ip from any to any MAC 00:FF:00:FF:00:FF any, and ipfw add 65308 deny ip from any to any MAC any 00:FF:00:FF:00:FF) it is possible to deny all traffic from a specific device, and with just a script it is very easy to deny a large number of them.

              I have to admit I'm not totally happy with this design, especially because it creates a large Layer 2 network as the number of visitor users grows, but... it works.

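Added example, not code from the thread: a small FreeBSD sh script that turns a maintained list of MACs into the ipfw rules fpelaezt describes, validating every entry so a malformed line cannot silently produce a rule that matches nothing. It assumes the ipfw module is loaded and sysctl net.link.ether.ipfw=1 is set (without it ipfw never sees Ethernet frames); the rule number and the sample list are made up. Two caveats a practitioner will want: ipfw's MAC option takes the destination address first and then the source, so both positions must be given, and a MAC address is chosen by the client, so a blocked user can change it in seconds. This is hygiene for known devices, not access control.

```shell
#!/bin/sh
# Added example (not code from the thread): build the ipfw layer-2 deny rules
# described above from a maintained list of MAC addresses, validating each
# entry first. Assumed environment (not established by the thread): FreeBSD or
# pfSense with the ipfw module loaded and sysctl net.link.ether.ipfw=1, which is
# what makes ipfw see Ethernet frames at all. Rule number 65308 and the sample
# list are constructed for illustration.

RULE_NUM="${RULE_NUM:-65308}"

# Canonicalise a MAC: lowercase, ':' separators. Prints the result, or prints
# nothing and returns 1 when the input is not six hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':')
    h='[0-9a-f][0-9a-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# Print the two ipfw commands that drop IP traffic to and from one MAC.
# ipfw's MAC option takes the destination address first, then the source,
# so "MAC <mac> any" matches frames sent to the host and "MAC any <mac>"
# frames sent by it.
rules_for_mac() {
    mac=$(normalize_mac "$1") || return 1
    printf 'ipfw add %s deny ip from any to any MAC %s any\n' "$RULE_NUM" "$mac"
    printf 'ipfw add %s deny ip from any to any MAC any %s\n' "$RULE_NUM" "$mac"
}

# Read a MAC list on stdin (one per line; '#' comments and blank lines are
# ignored) and print the rules for every valid entry. Invalid entries are
# reported on stderr and make the function return 1, so a scheduled run of
# the script fails loudly instead of silently shrinking the blocklist.
gen_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')    # and whitespace
        [ -z "$entry" ] && continue
        if ! rules_for_mac "$entry"; then
            printf 'skipping invalid MAC: %s\n' "$entry" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample list; none of these are real devices.
sample_list() {
    cat <<'EOF'
# devices of local users that must stay off the guest network
00:ff:00:ff:00:ff    # laptop-1
00-FF-00-FF-00-01    # laptop-2, dash form is accepted
not-a-mac            # rejected and reported
EOF
}

# Usage:  sh block_macs.sh macs.txt           print the rules (dry run)
#         APPLY=1 sh block_macs.sh macs.txt   replace the live rule set
main() {
    list=${1:?usage: $0 macs.txt}
    rules=$(gen_rules < "$list") || exit 1        # refuse a list with bad entries
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw delete "$RULE_NUM" 2>/dev/null       # clear the previous batch
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it without APPLY first and read the generated rules; with APPLY=1 it deletes the whole previous batch under the shared rule number and loads the new one, so the list file is the single source of truth and a device removed from it is unblocked on the next run.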
                BBcan177 (Moderator)

                Why don't you use the MAC filtering on your access points?


                  fpelaezt

                  @BBcan177:

                  Why don't you use the MAC filtering on your access points?

                  Mainly for simplicity. There are several APs, with no centralized way of blocking a MAC, and besides, it's easier to make scripts or operations on the server side.

                    johnpoz (LAYER 8 Global Moderator)

                    Why would you not just create a VLAN for guests via a different SSID, and then limit that to the internet? And have your local users use a different SSID on a VLAN that has local access and internet.

                    What APs are you using? Do they not support VLANs?

                    Are you saying you don't want local users to be able to access this guest WiFi network? Do you control these devices? It's a simple setup on Windows to restrict access to specific SSIDs, and it can be handed out via Group Policy.

                    Why would local users want to use the guest WiFi vs. their normal WiFi? Is the guest WiFi unfiltered or something, and their normal access is filtered? So you don't care if they access the guest WiFi with their phones and other devices that you don't know the MACs of?


                      MikeX

                      You could allow DHCP only from users whose MAC address you have... then use static mappings for their hostnames... and then only allow those hostnames/IPs through the firewall.

                      But the only way to really filter out MACs is to use MAC security on your WAPs. MAC addresses are part of the Layer 2 infrastructure, and your pf box is mainly a Layer 3 device.

                      If you have that many WAPs in deployment, you should use a model that has centralized management so you can update policies as needed. If they have some sort of SNMP write or SSH access, you could script what you need done and add/remove MACs from the filters as needed.

                        fpelaezt

                        @johnpoz:

                        Do you control these devices - its a simple setup on windows to restrict access to specific SSID, can be handed out via group policy.

                        You're a genius!!! ;) ... Why didn't I think of this before? This is something I can actually do.

                        Thanks to all of you.

                          johnpoz (LAYER 8 Global Moderator)

                          hehehehe - let us know how it works out! There are always many ways to skin the cat. Understanding the actual desired goal is quite often the battle that needs to be fought, vs. just blindly answering the question.

                          MAC filtering would rarely be the best solution to any problem ;)

                          So, if I understand your issue correctly: you have a guest WiFi network which, for whatever reason, you don't want your normal user devices accessing. I have to guess because of internet filtering? Is that correct?

                          Blacklisting ssids in windows machines that are members of a domain is quite simple - let me know if you need any help with that method.


                            fpelaezt

                            Done!!!... it worked.

                            And yes, different SSIDs have different policies, in fact different infrastructure; the only thing they share are the APs.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.