What is the best way to block traffic from a specific MAC address?

  • Hi guys, I think the subject summarizes it all. I need to know what is the best way (or a good way) to block any traffic from a specific MAC address on the LAN side.

    Some time ago I found a method that consisted of using a rule with IPFW; it works fine in a previous version of pfSense but not in the final version 2.1.4.

    I also found that I can use MAC filtering on the DHCP server, but with some hundreds of MACs to block it is hard to add them one by one and maintain the list.

    Any suggestions?

    Thanks.



  • Usually your clients either have a static IP or DHCP with reservations or static mappings, and then you block based on those. If you don't mind me asking, what is the scenario that you are looking at?


  • Rebel Alliance Global Moderator

    "but with some hundreds macs to block"

    Yeah, I have to ask as well - what are you trying to do? Why would you need to block by MAC in the first place? Without much info to go on, I would think you're using the wrong method of limiting access with MACs.

    What were you doing in previous versions of pfSense with IPFW that allowed you to block MACs?


  • Moderator

    On another note: Snort has the Arpspoof pre-processor. I don't think that it is implemented in the GUI, but might be configured by adding the configuration to the "Pass-through" box in Snort's interface setup.

    http://manual.snort.org/node151.html

    http://www.sans.org/reading-room/whitepapers/threats/address-resolution-protocol-spoofing-man-in-the-middle-attacks-474



  • Hi guys, here is a little more explanation of the situation.

    On a campus, I need to implement a WiFi network to give access to visitor users only, but restrict any access by local users, whose MAC addresses I know. The local users should use a different, dedicated WiFi.

    The visitor users get their IP dynamically from DHCP.

    Using these commands (e.g. `ipfw add 65308 deny ip from any to any MAC 00:FF:00:FF:00:FF any` and `ipfw add 65308 deny ip from any to any MAC any 00:FF:00:FF:00:FF`) it is possible to deny all traffic from a specific device. And with just a script it is very easy to deny a large number of them.

    I have to admit it, I'm not totally happy with this design, especially because it creates a large Layer 2 network when the visitor users grow, but… it works.
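The "just a script" the poster mentions, written out as an added example (this is not the poster's script, nor part of pfSense). It reads a deny list, validates each entry, and emits a rule pair per MAC; ipfw's `MAC` keyword takes the destination address first and the source second, so blocking a device needs one rule per direction. Rule number 65308 comes from the post; the constructed sample list, the `RULE_NUM` variable and the function names are assumptions. The script only prints the rules (dry run); applying them assumes layer-2 filtering is enabled on the box (`net.link.ether.ipfw=1`).

```shell
#!/bin/sh
# Added example: generate ipfw layer-2 deny rules from a MAC list.
# Assumption: rule number 65308 as used in the thread.
RULE_NUM=65308

# is_valid_mac MAC -> exit 0 if MAC is six colon-separated hex pairs.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# normalize_mac MAC -> prints MAC in lowercase so the list has one
# canonical form (ipfw itself accepts either case).
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# rules_for_mac MAC -> prints the two ipfw commands that drop every IP
# packet sent by (src) or to (dst) MAC. Syntax is "MAC dst-mac src-mac".
rules_for_mac() {
    _mac=$(normalize_mac "$1")
    printf 'ipfw add %s deny ip from any to any MAC any %s\n' "$RULE_NUM" "$_mac"
    printf 'ipfw add %s deny ip from any to any MAC %s any\n' "$RULE_NUM" "$_mac"
}

# gen_rules < list -> reads MACs from stdin, one per line; '#' comments,
# whitespace and blank lines are ignored. Malformed entries are reported on
# stderr and skipped; the function returns non-zero if any were skipped so a
# caller can refuse to apply a partially broken list.
gen_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t') # strip whitespace
        [ -z "$line" ] && continue
        if is_valid_mac "$line"; then
            rules_for_mac "$line"
        else
            printf 'skipping malformed MAC: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample deny list (not real devices); the third entry is a
# deliberate typo to show the validation path.
SAMPLE_LIST='# local devices that must not use the guest wifi
00:FF:00:FF:00:FF   # lab laptop
aa:bb:cc:dd:ee:01
zz:11:22:33:44:55   # typo, will be rejected
'

# Dry run: print the rules. To apply on the firewall instead, run
#   gen_rules < deny.txt > rules.sh && sh rules.sh
# and only when gen_rules exited 0.
printf '%s' "$SAMPLE_LIST" | gen_rules || echo 'list had malformed entries' >&2
```

Keeping the rule number fixed means `ipfw delete 65308` removes the whole deny set in one step before regenerating it from an updated list, which is the maintenance problem the poster describes.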


  • Moderator

    Why don't you use the MAC filtering on your access points?



  • @BBcan177:

    Why don't you use the MAC filtering on your access points?

    Mainly for simplicity. There are several APs, with no centralized way of blocking a MAC, and besides it's easier to make scripts or operations on the server side.


  • Rebel Alliance Global Moderator

    Why would you not just create a VLAN for guests via a different SSID, and then limit that to internet? And have your local users use a different SSID on a VLAN that has local access and internet.

    What APs are you using? Do they not support VLANs?

    Are you saying you don't want local users to be able to access this guest wifi network? Do you control these devices? It's a simple setup on Windows to restrict access to specific SSIDs, and it can be handed out via group policy.

    Why would local users want to use the guest wifi vs their normal wifi? Is the guest wifi unfiltered or something? And their normal access is filtered - so you don't care if they access the guest wifi with their phones and other devices that you don't know the MACs of?



  • You could only allow DHCP from users you had the MAC address of… and then use static mappings for their hostname… and then only allow that hostname/IP through the firewall.

    But the only way to really filter out MACs is to use MAC security on your WAPs. MAC addresses are part of the Layer 2 infrastructure, and your PF box is mainly a Layer 3 device.

    If you have that many WAPs in deployment, you should use a model that has centralized management so you can update policies as needed. If they have some sort of SNMP write or SSH access, you could script what you need done and add/remove MACs from the filters as needed.



  • @johnpoz:

    Do you control these devices? It's a simple setup on Windows to restrict access to specific SSIDs, and it can be handed out via group policy.

    You're a genius!!! ;) … Why didn't I think of this before? This is something I can actually do.

    Thanks to all of you.


  • Rebel Alliance Global Moderator

    hehehehe - let us know how it works out! There are always many ways to skin the cat. Understanding the actual desired goal is quite often the battle that needs to be fought vs just blindly answering the question.

    MAC filtering would rarely be the best solution to any problem ;)

    So if I'm understanding your issue correctly… You have a guest wifi network, which for whatever reason you don't want your normal user devices accessing - I have to guess because of internet filtering? Is that correct?

    Blacklisting SSIDs on Windows machines that are members of a domain is quite simple - let me know if you need any help with that method.



  • Done!!!… it worked.

    And yes, different SSIDs have different policies, in fact different infrastructure; the only thing they both share are the APs.