Restrict (internet) access to certain MAC addresses at specific times



  • I would like to restrict my daughters iPad, Android mobile and desktop computer from accessing the internet after 9PM until 7AM.
    Is there a way to do this within pfSense? If so, could you explain how to?  ;D



  • There are lots of posts on this forum and elsewhere on the internet if you Google for the information. Here are two links for starters:

    https://forum.pfsense.org/index.php?topic=22598.0
    https://doc.pfsense.org/index.php/Firewall_Rule_Schedules

    The rest I'm sure you can find if you look.



  • Thanks for the reply.
    The problem is that this is done by IP and not by MAC address.
    I would like to block on MAC address instead.

    If my daughter is smart enough, and she probably is, she will just change her current IP address and go past the firewall rule I set up.


  • Banned

    There is no such feature in pf packet filter.



  • @Panja:

    Thanks for the reply.
    The problem is that this is done by IP and not by MAC address.
    I would like to block on MAC address instead.

    Why not set your DHCP service on your PFS to issue static-only addresses and bind her PC's MAC to a single address? You may find you can do the same thing on your wifi AP, assuming she's using wifi to connect. You can then apply your firewall rule to her machine via the static IP she receives.



  • @doktornotor
    That's a pity. But thanks for clearing that up.

    @muswellhillbilly
    I can give her a static IP through DHCP (static lease).
    But wouldn't it just be possible to change her IP manually on the phone, ipad etc?
    She can than pick an IP that is not blocked and still access the internet.


  • LAYER 8 Netgate

    Multi-SSID Wi-Fi, separate VLAN, and don't let her have the passphrase to the regular Wi-Fi.

    Re: the android, my kid would just turn off wifi and use cell data. End result, no phone. Does the iPad have cell data?



  • @Panja:

    I can give her a static IP through DHCP (static lease).
    But wouldn't it just be possible to change her IP manually on the phone, ipad etc?
    She can than pick an IP that is not blocked and still access the internet.

    So create a firewall rule which prevents all but the static addresses you define from getting internet access. Randomise the addresses - give her, say, 172.16.1.23 and something else 172.16.5.34 on a /16 subnet - and she would then have to try changing anything up to 255x255 possible addresses before finding one that might let her out. My bet is she'd lose interest fast and just learn to live with the rules you've set.


  • LAYER 8 Netgate

    There's always nmap, tcpdump, wireshark, etc, to do that work for her. Separate interface/VLAN is the only way to be sure.



  • Thanks all for thinking with me to find a solution! Cheers for that.

    We have 2 wifi access points to cover the house with signal. Both with the same SSID to have wireless "roaming".
    I would like to use VLAN's but I don't think it's possible with my setup at the moment.

    pfSsense box –> wireless access point 1 --> unmanaged switch  --> wireless account point 2

    Could the restrict access be done with FreeRadius? I'm going to setup radius for wifi authentication anyways.



  • @Panja:

    Could the restrict access be done with FreeRadius? I'm going to setup radius for wifi authentication anyways.

    To answer my own question: not possible…
    I can restrict logging on to the network, but already connected devices stay connected.
    So for instance if I set the user logon times to be available from 07.00 - 21.00 hours.
    When the device is connected between this hours and does not disconnect, than the connection is still available after 21.00 hours.
    Only when the device gets disconnected and tries to reconnect, than the connection is not available.


  • LAYER 8 Netgate

    If you want to create a discrete subnet/segment you'll need the gear for it.



  • I understand that but at the moment I don't have the (extra) gear for it.



  • @Panja:

    @Panja:

    Could the restrict access be done with FreeRadius? I'm going to setup radius for wifi authentication anyways.

    To answer my own question: not possible…
    I can restrict logging on to the network, but already connected devices stay connected.
    So for instance if I set the user logon times to be available from 07.00 - 21.00 hours.
    When the device is connected between this hours and does not disconnect, than the connection is still available after 21.00 hours.
    Only when the device gets disconnected and tries to reconnect, than the connection is not available.

    So setup a cron job to flush the states at 7:05.  It may interrupt a few legimate things, but it whacks the desired connections and then if they try to reconnect, they get hit by the scheduled block.


Log in to reply