Wireless AP and MAC filtering

  • Hey guys. I've finally built and setup my wireless router replacement in the form of pfsense 1.2. I've been dying to get this thing up and running and now its finally set!

    There is one problem.

    I want my wireless clients to only be able to associate with my AP if their MAC is in the white list of known MACs. This is a basic function of even the cheapest piece of crap wireless home router. For some reason I can't find this feature in pfsense.

    What I did find was under Services->DHCP a list of MACs used with a checkbox for Deny Unknown MAC. I am using this feature and it does indeed prevent MACs not in the list from getting a dhcp assigned IP. However wireless clients can instead choose to manually configure their IP and thus bypass this ENTIRE feature.

    Does pfsense have a better way to whitelist MACs on association with the access point? Currently my wireless security is equal to nothing. Switching from WEP to WPA is irrelevent as I require a MAC whitelist regardless of the encryption scheme used.

    Any help is greatly appreciated.

  • Try to read a bit further down on the config page and you will find the checkbox "Enable Static ARP entries"

    Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

  • FreeBSD does have MAC whitelisting/blacklisting via wlan_acl, but probably because the feature doesn't really make anything more secure, no one has bothered to add the feature to the GUI. You could issue the commands manually, but you would probably break your wireless config in the process. If someone was really interested in this, they could code it themselves and send in the patches, or start a bounty.

  • Static ARP tables sounds more like a method to stop ARP spoofing than a MAC filter.

    In any case do these static ARP tables REQUIRE an IP to be bound to them(in GUI)? Or can I statically assign IPs as long as the MAC is in that list?

    P.S. I don't see why no one would bother to include such an obvious feature. MAC filtering requires MAC spoofing to bypass which is more secure than, say, SSID cloaking which is probably the most useless attempt at security in the entire feature list. Yet SSID hiding is part of the GUI so I think MAC filtering should be also.

  • Ok so I checked that static ARP thing as suggested and got a call from various wireless clients saying they have NO access! Their MACs are most certainly in the MAC list at the bottom of the UI. I've since disabled it.

    Seriously wtf guys? Can pfsense do basic MAC filtering or not?

  • Maybe you're better off with another solution since you obviously have a "wtf guys" stance to this problem….

    Maybe if you read what dotdash wrote you'd know that is is "possible" to do it manually.
    You would have to hack around a bit.

    Also if you'd actually used the search-function of this forum: there are threads around that explain how this "static ARP" works.
    As the name suggests, it adds STATIC arp entries. Meaning you have a fixed IP to each MAC.Your clients have to use the IP you set on this list.
    Or they just set themself as DHCP client and dont even have to set manually an IP.

    If your normal everyday client has to setup static IP's then something's really wrong in your network.

  • Considering the lack of features my stance is appropriate. Yes static ARP sounds dandy but it doesn't seem to WORK. I've added all the MACs I require in the list and deny those that aren't. I've checked static ARP. ALL OF MY WIRELESS CLIENTS ARE USING STATIC IPS. They were COMPLETELY and UTTERLY UNABLE to associate with the AP after this static ARP thing.

    As for setting the static IP desired along with the MAC in the list, I haven't done that. The reason being that the genius application tells me that I cannot add the IP because its "within the range of IPs". Duh its in the range of IPs for the wireless subnet! Isn't that the point!? So yes I haven't added the static IPs I use along with the MACs in the list due to this idiotic behavior. Perhaps if I can wrestle with the poor design I can get it to work you think?

    I'll try that when I get some time to spend the mandatory hack time to get basic functionality to work on this platform.

  • Lack of features… I'm sorry if you cannot configure the features you have at hand....

    Ok: just to be sure that i'm not dreaming: I've set up exactly what you want.
    A wireless client with a static IP, and static ARP enabled, pfSense 1.2_release
    It definitly does work.

    Do you know how ARP works?

    The local machine (local IP) wants to communicate with another IP.
    It does a broadcast on the MAC layer (FF:FF:FF:FF:FF:FF): "Who has this IP, answer please to 01:23:45:67:89:01".
    If there is a computer around with this IP it will answer.
    From this point on you have an entry for this IP in your ARP table.
    The ARP table is nothing else than a list of MAC/IP pairs.

    Now the feature of static ARP is, that you write this list yourself.
    After you enable static ARP, pfSense will no longer try to determine new MAC/IP pairs,
    since it already has all the MAC/IP pairs it needs to know.
    Meaning you HAVE to write the correct IP/MAC pairs into the list.

    This "idiotic behavior" you're experiencing is because you tried to assign an IP out of the range out of which your dynamic clients get IP's.
    You cannot assign IP's out of this range statically. (Which makes sense if you think about it for a second).

    Jut set that range to something you dont use. (like x.x.x.253 - x.x.x.254)

  • I know exactly how ARP tables and how the protocol works, thank you. If you read my above post you'd realize that I cannot enter an IP along with the MAC because of what I call, idiotic behavior.

    You seem to think I entered an IP outside the range, as if I didn't think of this already. Here is a screen shot to clarify that I am INDEED setting an IP WELL WITHIN THE RANGE and it STILL THROWS AN ERROR.

  • This "idiotic behavior" you're experiencing is because you tried to assign an IP out of the range out of which your dynamic clients get IP's.
    You cannot assign IP's out of this range statically. (Which makes sense if you think about it for a second).

  • As you can see by the screenshot I'm not assigning IPs OUTSIDE of the range. If you'd LOOK at the screenshot you'd see that its complaining about assigning an IP INSIDE THE RANGE. Is everyone here RETARDED?

  • Why are you so aggressive? What GruensFroeschli means is that it is not possible to assign an IP that is within this range!!! So, why don't you just try it with another IP? Maybe you first fix your English skills. People here in this forum want to help, but they are not just a customer service for enraged clients.

  • I'll put it in very easy words:

    Your IP range:          [ to]
    Your DHCP range:      [ to]
    allowed static entries: [ to] and [ to]
    entry in screenshot:

    As you can see the entry in your screenshot is NOT in the allowed range.

  • I see. The problem is that the range given is the range of DHCP IPs. So I must use IPs not in the range specified when considering static IPs. I understand now. Your explanation was just what I needed. Thank you!

    This is still a rather round-about way to provide MAC filtering but if it works I will take it. I will test when I get home from work.

  • Static entries below can still be provided via DHCP.
    Just dont set a dynamic range.
    Since you're using static MAC all clients have to be in the list.

  • Alphis, its too hard to understand that if your client falls into the "dynamic range" it is a contradiction to have it into the "static arp entries" ?

    If you want something to have static ARP, place him outside DHCP dynamic range !

    duhhh !!!

Log in to reply