Web filtering by mac Address

acrjlex

Hello,

I would like to filter web access based on MAC Address of a client. I have a list of all clients' MAC address, and I want to block access to Social Media during certain hours. After searching, DansGuardian could do the job for groups and time-based block, but their FAQ clearly says their is no way to filter using MAC. Is it possible with another module on a pfSense device?

Just to be sure, Here is what I want to do:

Group 1:

LIST OF MAC ADRESS:

XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX

Blocked Sites list:

blockedsites.conf

Time to block:

5 to 6pm, 4 to 5 am, etc.
–-----------------------------------------------------------------
Group 2:

LIST OF MAC ADRESSES:

XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
XX:XX:XX:XX:XX
(up to hundred per list!)

Blocked Sites list:

blockedsites.conf (same websites are blocked)

Time to block:

Different times than group 1

---

If possible, I'd like to block using DNS rather than IP, because a well-know social media (no ad...) changes its IP depending on workload and location, leading IP block almost useless.

Thanks,
Acrilex

phil.davis

Firewall rules are by IP address. You can give each device a static-mapped DHCP entry so each device gets the same IP address every time. Then filter on that IP address(es).
People with their own client devices can always:
a) Set their own IP address in the device
b) Change their MAC address to whatever they like

If you have the type of people that are trying to get around restrictions by doing that sort of thing, then there is really nothing you can do about it if you have them all on a shared subnet. To really control you need every device in its own broadcast domain (=subnet on its own LAN or VLAN). Then it does not matter what they do - the rules for their VLAN can always apply regardless of the MAC address they spoof or static IP they try.

Trel

@phil.davis:

If you have the type of people that are trying to get around restrictions by doing that sort of thing, then there is really nothing you can do about it if you have them all on a shared subnet.

That's a hardware issue.  It means the user is too low on bruises.  You need to add some.

Derelict

Use port security and lock their switchport to their MAC address.  Set it to errdisable the port if they try to spoof it so they have to call you to get back on at all.

To be clear, this would be in your switch - not pfSense.