Instead of IP address use mac address to allow internet in firewall rules

  • Can this be done on PFSense instead of using the IP address to give access on the internet we use mac address on the firewall rules.

    Of course i know this is possible in captive portal, but i dont want to use captive portal as i cannot set rules on client residing in captive portal

  • MAC address -> static IP (in DHCP server) -> firewall rule?

  • i am not using a static IP, if static ip will be used that will be very tedious as client is using a dynamic one. So I am thinking if we can use mac address in pfsense firewall to filter all that has access only.

    In some of the branded firewall this is already implemented.

  • The short answer is… Not really/Get a switch with port security.

    MAC addresses are layer 2 (switch level, frames), IP addresses are layer 3 (routing/internet/packet forwarding/etc). The configuration most enterprises use with MAC security is to prevent devices from obtaining IP addresses if they are unauthorized. Then, they can lock down which authorized devices can access resources by way of DHCP leases.

  • hi Mike,

    Got you point however, my scenario is different i am treating all inside my LAN is my client. The only difference is that some of them may have internet and some of them will only be accessing internal applications.

    If PFSense can do the mac address filtering via its firewall rules that will be great  as this will only serve client that can or should have an access over the net.

    I hope PFSense team will include this in their future build.


  • You could create vlans as most companies do.. but again you'd need a switch that at least supports vlan tagging.

  • Looking at current packages, take a look at Ipguard-dev - see if that'll do what you need.

  • You could manually do it by adding rules to the ipfw firewall… I have this working by doing the following...

    1.) Turn on the captive portal to enable the ipfw firwall
    2.) Create a script to add my own rules and "skip over" the default portal rules
    3.) Modified the captive portal page that loads rules to call my script.

  • Can you share the script.

Log in to reply