    Netgate Discussion Forum
    Wireless AP and MAC filtering

    • A
      alphis last edited by

      Hey guys. I've finally built and set up my wireless router replacement in the form of pfSense 1.2. I've been dying to get this thing up and running and now it's finally set!

      There is one problem.

      I want my wireless clients to only be able to associate with my AP if their MAC is in the white list of known MACs. This is a basic function of even the cheapest piece of crap wireless home router. For some reason I can't find this feature in pfsense.

      What I did find was under Services->DHCP: a list of MACs with a checkbox for Deny Unknown MAC. I am using this feature and it does indeed prevent MACs not in the list from getting a DHCP-assigned IP. However, wireless clients can instead choose to manually configure their IP and thus bypass this ENTIRE feature.

      Does pfSense have a better way to whitelist MACs on association with the access point? Currently my wireless security is equal to nothing. Switching from WEP to WPA is irrelevant as I require a MAC whitelist regardless of the encryption scheme used.

      Any help is greatly appreciated.

      • GruensFroeschli
        GruensFroeschli last edited by

        Try to read a bit further down on the config page and you will find the checkbox "Enable Static ARP entries"

        Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

        • dotdash
          dotdash last edited by

          FreeBSD does have MAC whitelisting/blacklisting via wlan_acl, but probably because the feature doesn't really make anything more secure, no one has bothered to add the feature to the GUI. You could issue the commands manually, but you would probably break your wireless config in the process. If someone was really interested in this, they could code it themselves and send in the patches, or start a bounty.

          • A
            alphis last edited by

            Static ARP tables sounds more like a method to stop ARP spoofing than a MAC filter.

            In any case, do these static ARP tables REQUIRE an IP to be bound to them (in the GUI)? Or can I statically assign IPs as long as the MAC is in that list?

            P.S. I don't see why no one would bother to include such an obvious feature. MAC filtering requires MAC spoofing to bypass which is more secure than, say, SSID cloaking which is probably the most useless attempt at security in the entire feature list. Yet SSID hiding is part of the GUI so I think MAC filtering should be also.

            • A
              alphis last edited by

              Ok so I checked that static ARP thing as suggested and got a call from various wireless clients saying they have NO access! Their MACs are most certainly in the MAC list at the bottom of the UI. I've since disabled it.

              Seriously wtf guys? Can pfSense do basic MAC filtering or not?

              • GruensFroeschli
                GruensFroeschli last edited by

                Maybe you're better off with another solution since you obviously have a "wtf guys" stance to this problem….

                Maybe if you read what dotdash wrote you'd know that it is "possible" to do it manually.
                You would have to hack around a bit.

                Also, if you'd actually used the search function of this forum: there are threads around that explain how this "static ARP" works.
                As the name suggests, it adds STATIC ARP entries, meaning you have a fixed IP for each MAC. Your clients have to use the IP you set on this list.
                Or they just set themselves up as DHCP clients and don't even have to set an IP manually.

                If your normal everyday client has to set up static IPs then something's really wrong in your network.

                • A
                  alphis last edited by

                  Considering the lack of features my stance is appropriate. Yes, static ARP sounds dandy but it doesn't seem to WORK. I've added all the MACs I require to the list and deny those that aren't. I've checked static ARP. ALL OF MY WIRELESS CLIENTS ARE USING STATIC IPs. They were COMPLETELY and UTTERLY UNABLE to associate with the AP after this static ARP thing.

                  As for setting the static IP desired along with the MAC in the list, I haven't done that. The reason being that the genius application tells me that I cannot add the IP because it's "within the range of IPs". Duh, it's in the range of IPs for the wireless subnet! Isn't that the point!? So yes, I haven't added the static IPs I use along with the MACs in the list due to this idiotic behavior. Perhaps if I can wrestle with the poor design I can get it to work, you think?

                  I'll try that when I get some time to spend the mandatory hack time to get basic functionality to work on this platform.

                  • GruensFroeschli
                    GruensFroeschli last edited by

                    Lack of features… I'm sorry if you cannot configure the features you have at hand....

                    Ok, just to be sure that I'm not dreaming: I've set up exactly what you want.
                    A wireless client with a static IP, and static ARP enabled, pfSense 1.2_release.
                    It definitely does work.

                    Do you know how ARP works?

                    The local machine (local IP) wants to communicate with another IP.
                    It does a broadcast on the MAC layer (FF:FF:FF:FF:FF:FF): "Who has this IP, answer please to 01:23:45:67:89:01".
                    If there is a computer around with this IP it will answer.
                    From this point on you have an entry for this IP in your ARP table.
                    The ARP table is nothing else than a list of MAC/IP pairs.

                    Now the feature of static ARP is, that you write this list yourself.
                    After you enable static ARP, pfSense will no longer try to determine new MAC/IP pairs,
                    since it already has all the MAC/IP pairs it needs to know.
                    Meaning you HAVE to write the correct IP/MAC pairs into the list.

                    This "idiotic behavior" you're experiencing is because you tried to assign an IP out of the range out of which your dynamic clients get IPs.
                    You cannot assign IPs out of this range statically. (Which makes sense if you think about it for a second.)

                    Just set that range to something you don't use (like x.x.x.253 - x.x.x.254).

                    • A
                      alphis last edited by

                      I know exactly how ARP tables and the protocol work, thank you. If you read my above post you'd realize that I cannot enter an IP along with the MAC because of what I call idiotic behavior.

                      You seem to think I entered an IP outside the range, as if I didn't think of this already. Here is a screen shot to clarify that I am INDEED setting an IP WELL WITHIN THE RANGE and it STILL THROWS AN ERROR.

                      • GruensFroeschli
                        GruensFroeschli last edited by

                        This "idiotic behavior" you're experiencing is because you tried to assign an IP out of the range out of which your dynamic clients get IPs.
                        You cannot assign IPs out of this range statically. (Which makes sense if you think about it for a second.)

                        • A
                          alphis last edited by

                          As you can see by the screenshot I'm not assigning IPs OUTSIDE of the range. If you'd LOOK at the screenshot you'd see that it's complaining about assigning an IP INSIDE THE RANGE. Is everyone here RETARDED?

                          • M
                            Monoecus last edited by

                            Why are you so aggressive? What GruensFroeschli means is that it is not possible to assign an IP that is within this range!!! So, why don't you just try it with another IP? Maybe you first fix your English skills. People here in this forum want to help, but they are not just a customer service for enraged clients.

                            • GruensFroeschli
                              GruensFroeschli last edited by

                              I'll put it in very easy words:

                              Your IP range:           [192.168.2.1 to 192.168.2.254]
                              (assumed) pfSense:       192.168.2.1
                              Your DHCP range:         [192.168.2.100 to 192.168.2.200]
                              Allowed static entries:  [192.168.2.2 to 192.168.2.99] and [192.168.2.201 to 192.168.2.254]
                              Entry in screenshot:     192.168.2.109

                              As you can see the entry in your screenshot is NOT in the allowed range.

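A worked version of the two rules GruensFroeschli spells out above (with static ARP enabled the firewall only talks to the IP/MAC pairs you wrote into the list yourself, and a static entry may not fall inside the dynamic DHCP pool), as an added example that is not part of the original thread and not pfSense's own code. It reuses the thread's illustrative addressing (192.168.2.0/24, pfSense at .1, DHCP pool .100 to .200); the MAC addresses, client IPs and function names are constructed for this example. Like the real feature, and as dotdash notes, it can only match what a frame claims about itself.

```python
import ipaddress

# Addressing taken from the thread's own illustration; everything else is constructed.
SUBNET = ipaddress.ip_network("192.168.2.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.2.1")
DHCP_POOL = (ipaddress.ip_address("192.168.2.100"),
             ipaddress.ip_address("192.168.2.200"))


def normalize_mac(mac):
    """Lower-case colon form so '00-11-22-AA-BB-CC' and '00:11:22:aa:bb:cc' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_static_mapping(ip, subnet=SUBNET, firewall_ip=FIREWALL_IP, pool=DHCP_POOL):
    """Return None if the address may be used for a static entry, else the reason it may not.

    The rules follow the thread: the address must lie inside the interface subnet, must not be
    the firewall's own address or the network/broadcast address, and must not fall inside the
    dynamic DHCP range (the rejection alphis hit with 192.168.2.109)."""
    addr = ipaddress.ip_address(ip)
    if addr not in subnet:
        return "not in subnet"
    if addr == firewall_ip:
        return "is the firewall's address"
    if addr in (subnet.network_address, subnet.broadcast_address):
        return "network or broadcast address"
    lo, hi = pool
    if lo <= addr <= hi:
        return "inside DHCP dynamic range"
    return None


def build_static_arp_table(mappings):
    """Build the static ARP table (IP -> MAC) from (mac, ip) static DHCP entries.

    Every entry is validated first, and duplicate IPs or MACs are rejected because an ARP
    table is a list of one-to-one MAC/IP pairs."""
    table = {}
    seen_macs = set()
    for mac, ip in mappings:
        mac = normalize_mac(mac)
        reason = validate_static_mapping(ip)
        if reason is not None:
            raise ValueError("%s -> %s rejected: %s" % (mac, ip, reason))
        addr = ipaddress.ip_address(ip)
        if addr in table:
            raise ValueError("duplicate IP %s" % ip)
        if mac in seen_macs:
            raise ValueError("duplicate MAC %s" % mac)
        table[addr] = mac
        seen_macs.add(mac)
    return table


def firewall_accepts(table, src_mac, src_ip):
    """Decide whether the firewall will talk to a frame from (src_mac, src_ip) with static ARP on.

    ARP learning is off, so the source IP must already be in the table AND be bound to exactly
    this MAC. A listed MAC presenting any other IP (a self-chosen static address or a pool
    lease) is refused, which is the "no access" symptom reported in the thread."""
    mac = normalize_mac(src_mac)
    addr = ipaddress.ip_address(src_ip)
    bound = table.get(addr)
    if bound is None:
        return False, "no static ARP entry for %s; firewall will not learn it" % addr
    if bound != mac:
        return False, "%s is bound to %s, not %s" % (addr, bound, mac)
    return True, "ok"


if __name__ == "__main__":
    # Constructed static entries: both addresses sit outside the .100-.200 pool.
    arp = build_static_arp_table([("00-11-22-33-44-55", "192.168.2.10"),
                                  ("00:11:22:33:44:66", "192.168.2.201")])
    print("109 as static entry ->", validate_static_mapping("192.168.2.109"))
    print("laptop at its listed IP ->", firewall_accepts(arp, "00:11:22:33:44:55", "192.168.2.10"))
    print("laptop at a pool address ->", firewall_accepts(arp, "00:11:22:33:44:55", "192.168.2.150"))
    print("phone using laptop's IP  ->", firewall_accepts(arp, "00:11:22:33:44:66", "192.168.2.10"))
```

The GUI's "within the range" error corresponds to the `inside DHCP dynamic range` branch: the address is inside the subnet, just not outside the pool, which is the distinction the thread took several posts to settle.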
                              • A
                                alphis last edited by

                                I see. The problem is that the range given is the range of DHCP IPs. So I must use IPs not in the range specified when considering static IPs. I understand now. Your explanation was just what I needed. Thank you!

                                This is still a rather roundabout way to provide MAC filtering, but if it works I will take it. I will test when I get home from work.

                                • GruensFroeschli
                                  GruensFroeschli last edited by

                                  Static entries below can still be provided via DHCP.
                                  Just don't set a dynamic range.
                                  Since you're using static MAC, all clients have to be in the list.

                                  • J
                                    JorgeAldoBR last edited by

                                    Alphis, is it too hard to understand that if your client falls into the "dynamic range" it is a contradiction to have it in the "static ARP entries"?

                                    If you want something to have static ARP, place it outside the DHCP dynamic range!

                                    duhhh !!!
