Netgate Discussion Forum

Instead of IP address use mac address to allow internet in firewall rules

  • M
    m4st3rc1p0
    last edited by Jul 27, 2014, 4:00 AM

    Can this be done on pfSense: instead of using the IP address to give access to the internet, we use the MAC address in the firewall rules?

    Of course I know this is possible in captive portal, but I don't want to use captive portal as I cannot set rules on clients residing in captive portal.

    • M
      Mr. Jingles
      last edited by Jul 27, 2014, 10:03 AM

      MAC address -> static IP (in DHCP server) -> firewall rule?

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      • M
        m4st3rc1p0
        last edited by Jul 28, 2014, 1:56 AM

        I am not using a static IP; if static IPs are used that will be very tedious, as the clients are using dynamic ones. So I am thinking whether we can use MAC addresses in the pfSense firewall to filter all that have access only.

        In some of the branded firewalls this is already implemented.

        • M
          MikeX
          last edited by Jul 28, 2014, 9:33 PM

          The short answer is… Not really/Get a switch with port security.

          MAC addresses are layer 2 (switch level, frames), IP addresses are layer 3 (routing/internet/packet forwarding/etc). The configuration most enterprises use with MAC security is to prevent devices from obtaining IP addresses if they are unauthorized. Then, they can lock down which authorized devices can access resources by way of DHCP leases.

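The MAC -> DHCP lease -> firewall rule chain suggested in this thread, applied to clients on dynamic leases, as an added example that is not from any poster or from pfSense itself: it resolves a MAC allow-list to the IPs currently leased to those MACs, a list that could feed a firewall alias. It assumes ISC dhcpd lease-file syntax; `allowed_ips`, `_field`, the sample leases and every address in them are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases syntax (assumed DHCP server format;
# all addresses and MACs are made up). Lease times in this file are UTC.
SAMPLE_LEASES = """\
lease 192.168.1.101 {
  ends 1 2014/07/28 03:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.102 {
  ends 1 2014/07/28 03:30:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.1.103 {
  ends 0 2014/07/27 03:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def _field(body, name):
    # First statement on its own line that starts with `name`, without the ';'.
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+(.+?);", body)
    return m.group(1) if m else None

def allowed_ips(leases_text, allowed_macs, now):
    """IPs with an active, unexpired lease held by an allow-listed MAC."""
    allowed = {m.lower() for m in allowed_macs}
    holder = {}  # ip -> mac; a later block for the same IP supersedes earlier ones
    for ip, body in LEASE_RE.findall(leases_text):
        mac, ends = _field(body, "hardware ethernet"), _field(body, "ends")
        live = _field(body, "binding state") == "active" and mac and ends
        if live and ends != "never":
            expiry = datetime.strptime(ends.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")
            live = expiry.replace(tzinfo=timezone.utc) > now
        if live:
            holder[ip] = mac.lower()
        else:
            holder.pop(ip, None)
    return sorted((ip for ip, mac in holder.items() if mac in allowed),
                  key=ipaddress.ip_address)
```

Calling `allowed_ips(SAMPLE_LEASES, {"00:11:22:33:44:55"}, now)` with a timezone-aware `now` returns the addresses to permit at that moment. The list is only as trustworthy as the MAC a client presents to the DHCP server, which is why the reply above pairs this approach with switch port security.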
          • M
            m4st3rc1p0
            last edited by Jul 29, 2014, 12:41 AM

            Hi Mike,

            Got your point; however, my scenario is different. I am treating everything inside my LAN as my client. The only difference is that some of them may have internet and some of them will only be accessing internal applications.

            If pfSense can do MAC address filtering via its firewall rules, that will be great, as this will only serve clients that can or should have access to the net.

            I hope the pfSense team will include this in a future build.

            TIA

            • ?
              Guest
              last edited by Jul 30, 2014, 12:46 PM

              You could create VLANs as most companies do... but again you'd need a switch that at least supports VLAN tagging.

              • ?
                Guest
                last edited by Jul 30, 2014, 1:38 PM

                Looking at current packages, take a look at Ipguard-dev - see if that'll do what you need.

                • R
                  rjcrowder
                  last edited by Jul 30, 2014, 5:05 PM

                  You could manually do it by adding rules to the ipfw firewall… I have this working by doing the following...

                  1.) Turn on the captive portal to enable the ipfw firewall
                  2.) Create a script to add my own rules and "skip over" the default portal rules
                  3.) Modified the captive portal page that loads rules to call my script.

                  • M
                    m4st3rc1p0
                    last edited by Jul 30, 2014, 11:15 PM

                    Can you share the script?

                    • R
                      rjcrowder
                      last edited by Jul 31, 2014, 2:45 AM

                      See this thread… https://forum.pfsense.org/index.php?topic=71198.0
