Netgate Discussion Forum

    Web filtering by mac Address

    Firewalling
    acrjlex:

      Hello,

      I would like to filter web access based on the MAC address of a client. I have a list of all clients' MAC addresses, and I want to block access to social media during certain hours. After searching, DansGuardian could do the job for groups and time-based blocks, but their FAQ clearly says there is no way to filter using MAC. Is it possible with another module on a pfSense device?

      Just to be sure, Here is what I want to do:

      Group 1:

      LIST OF MAC ADDRESSES:

      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX

      Blocked Sites list:

      blockedsites.conf

      Time to block:

      5 to 6pm, 4 to 5 am, etc.
      ------------------------------------------------------------------
      Group 2:

      LIST OF MAC ADDRESSES:

      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      XX:XX:XX:XX:XX:XX
      (up to a hundred per list!)

      Blocked Sites list:

      blockedsites.conf (same websites are blocked)

      Time to block:

      Different times than group 1


      If possible, I'd like to block using DNS rather than IP, because a well-known social media site (no ad...) changes its IP depending on workload and location, making IP blocking almost useless.

      Thanks,
      Acrilex

      phil.davis:

        Firewall rules are by IP address. You can give each device a static-mapped DHCP entry so each device gets the same IP address every time. Then filter on that IP address(es).
        People with their own client devices can always:
        a) Set their own IP address in the device
        b) Change their MAC address to whatever they like

        If you have the type of people that are trying to get around restrictions by doing that sort of thing, then there is really nothing you can do about it if you have them all on a shared subnet. To really control this, you need every device in its own broadcast domain (= subnet on its own LAN or VLAN). Then it does not matter what they do: the rules for their VLAN always apply, regardless of the MAC address they spoof or the static IP they try to use.

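The reply above describes the workable pattern on pfSense: pin each device's IP with a static DHCP mapping, then filter on those IPs, turning the block on and off by time. The script below is an added example, not code from the thread or from pfSense, showing how that turns into pf rules. It assumes a constructed mapping list (group, MAC, pinned IP), constructed destination addresses, constructed block windows, and a LAN interface name of `igb1`; on a real box the destination table would hold whatever a hostname alias currently resolves to, and the output would be fed to pfctl from cron each hour.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): build per-group pf
# rules from DHCP static mappings so that time-windowed blocking works on
# IP, as the reply above describes. Group names, MACs, IPs, destination
# addresses, windows and the interface name are constructed placeholders.
set -eu

LAN_IF="${LAN_IF:-igb1}"   # assumed LAN interface name

# Constructed stand-in for the static DHCP mappings: group, MAC, pinned IP.
MAPPINGS='group1 02:00:00:00:00:01 192.168.1.11
group1 02:00:00:00:00:02 192.168.1.12
group2 02:00:00:00:00:03 192.168.1.21
group2 02:00:00:00:00:04 192.168.1.22'

# Constructed destination set. On a real box these would be the addresses
# a hostname alias currently resolves to, refreshed as the records change.
SOCIAL_IPS='203.0.113.10 203.0.113.11 198.51.100.7'

# Block windows per group as "start-end" hour ranges (24h, end exclusive).
WINDOWS_group1='17-18 4-5'
WINDOWS_group2='9-10 20-22'

# Emit a pf table holding the pinned IPs of one group.
group_table() {
    grp="$1"
    ips=$(printf '%s\n' "$MAPPINGS" | awk -v g="$grp" '$1 == g { print $3 }' | tr '\n' ' ')
    printf 'table <%s> { %s}\n' "$grp" "$ips"
}

# Emit the rule that blocks one group from the social media table.
group_rule() {
    grp="$1"
    printf 'block return in quick on %s from <%s> to <social_media>\n' "$LAN_IF" "$grp"
}

# Return 0 if hour (0-23) falls inside any window in the argument list.
in_window() {
    hour="$1"; shift
    for w in "$@"; do
        start=${w%-*}; end=${w#*-}
        if [ "$hour" -ge "$start" ] && [ "$hour" -lt "$end" ]; then
            return 0
        fi
    done
    return 1
}

# Ruleset for a given hour: tables always, block rules only for groups
# whose window is active. Meant to be run from cron each hour and piped
# to `pfctl -f -`; this function only prints the rules.
ruleset_for_hour() {
    hour="$1"
    printf 'table <social_media> { %s }\n' "$SOCIAL_IPS"
    groups=$(printf '%s\n' "$MAPPINGS" | awk '{ print $1 }' | sort -u)
    for grp in $groups; do
        group_table "$grp"
    done
    for grp in $groups; do
        eval "wins=\${WINDOWS_$grp:-}"
        if in_window "$hour" $wins; then
            group_rule "$grp"
        fi
    done
}

now=$(date +%H); now=${now#0}
ruleset_for_hour "$now"
```

The rules key on the pinned IP only, which is exactly the weakness the reply points out: a user who sets a static IP outside their mapping, or spoofs another device's MAC to take its lease, steps out of the table. Per-device VLANs (or port security on the switch) are what close that gap, not the rule file.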
          Trel:

          @phil.davis:

          If you have the type of people that are trying to get around restrictions by doing that sort of thing, then there is really nothing you can do about it if you have them all on a shared subnet.

          That's a hardware issue. It means the user is too low on bruises. You need to add some.

          Derelict (Netgate):

            Use port security and lock their switchport to their MAC address. Set it to errdisable the port if they try to spoof it so they have to call you to get back on at all.

            To be clear, this would be in your switch - not pfSense.

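Port security is configured on the switch, as the reply says, and the obvious way to keep a few hundred MACs consistent is to generate the interface stanzas from the same list the original poster already has. The script below is an added example, not code from the thread or from Netgate; it assumes a constructed port-to-MAC inventory, an access VLAN of 10, and Cisco IOS port-security syntax. A MAC that is not six hex octets (the five-octet placeholders in the first post are a handy test case) is rejected rather than emitted, since IOS would refuse the line anyway. No `errdisable recovery cause psecure-violation` is configured, so a violated port stays down until an admin bounces it, which is the "they have to call you" behaviour the reply describes.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): turn a MAC inventory
# into Cisco IOS port-security stanzas that pin one MAC per access port and
# errdisable the port on a mismatch. Port names, MACs and the VLAN number
# are constructed placeholders; the IOS commands are standard syntax.
set -eu

ACCESS_VLAN=10   # assumed access VLAN

# Constructed inventory: switchport, MAC as it appears in the client list.
# The third row carries a 5-octet placeholder like those in the first post.
INVENTORY='GigabitEthernet1/0/5 02:00:00:00:00:01
GigabitEthernet1/0/6 02-AB-CD-00-00-02
GigabitEthernet1/0/7 XX:XX:XX:XX:XX'

# Normalise a colon- or dash-separated MAC into IOS dotted form
# (aabb.ccdd.eeff). Returns 1 unless the input is exactly 6 hex octets.
to_ios_mac() {
    hex=$(printf '%s' "$1" | sed 's/[:-]//g' | tr '[:upper:]' '[:lower:]')
    case "$hex" in
        ????????????) ;;          # exactly 12 characters
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;  # anything that is not a hex digit
    esac
    printf '%s.%s.%s\n' \
        "$(printf '%s' "$hex" | cut -c1-4)" \
        "$(printf '%s' "$hex" | cut -c5-8)" \
        "$(printf '%s' "$hex" | cut -c9-12)"
}

# Emit one interface stanza: a single static MAC, violation -> shutdown
# (errdisable). Fails without printing anything if the MAC is invalid.
portsec_stanza() {
    port="$1"; mac="$2"
    ios_mac=$(to_ios_mac "$mac") || return 1
    printf 'interface %s\n' "$port"
    printf ' switchport mode access\n'
    printf ' switchport access vlan %s\n' "$ACCESS_VLAN"
    printf ' switchport port-security\n'
    printf ' switchport port-security maximum 1\n'
    printf ' switchport port-security mac-address %s\n' "$ios_mac"
    printf ' switchport port-security violation shutdown\n'
    printf '!\n'
}

# Walk the inventory; rows with a bad MAC become a comment line so the
# gap is visible in the generated config instead of silently dropped.
build_config() {
    while read -r port mac; do
        portsec_stanza "$port" "$mac" || \
            printf '! skipped %s: invalid MAC %s\n' "$port" "$mac"
    done <<EOF
$INVENTORY
EOF
}

build_config
```

Pair this with the pfSense side only after the switch config is in place: once a spoofed MAC errdisables its port, the static DHCP mappings and IP-based rules on the firewall are no longer the only thing holding the policy together.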
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.