Firewall rules by mac address for 2.3?
-
Will we be able to make firewall rules with MAC addresses instead of IPs in 2.3?
-
Not likely. Layer 3 does not deal with MAC.
-
In the ARP table pfSense is able to get the MAC address; can't it use that to check if the IP matches the MAC address?
-
What would be the point in matching IPs with MAC addresses in rules?
pf doesn't support layer 2 stuff. If you want MAC filtering, look at ipfw (captive portal). Also, what would be the point in doing MAC filtering in the first place? What advantage does it offer?
-
At the moment pfSense uses IPs for firewall rules; the problem is that sometimes IPs change, making rules ineffective, whereas MAC addresses normally do not change.
Anyway, I guess you are right; I should be using a captive portal here.
-
If you already have known MAC addresses that you want to put in particular rules then you are already recording that MAC address data. So you can put them in as static-mapped DHCP entries. Then you know the IP address that will be given to each MAC address and you can use that IP address in rules.
e.g. I static map various systems in groupings of IP addresses that nicely fit a "fake subnet of the real LAN", and then it is easy to make a rule for any IP address that is in that range/"fake subnet".

If users have any devices on the LAN that they control, then they can manually set their IP address or manually change their MAC address. So firewall rules that match by particular IP address or particular MAC address will both have the same issues if users are able to control their network settings on their devices. To lock down properly you would have to have proper separate subnets that each "class" of user is connected to, and prevent them from connecting to a subnet that is not their "class of service".
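As an added example (not from anyone in this thread, and not a pfSense feature), here is the check the static-mapping approach above implies: compare what the ARP table reports against the static DHCP mappings and flag any known MAC sitting on an IP other than the one mapped to it, plus MACs with no mapping at all. The `arp -an` output, MAC addresses and IPs below are constructed sample values.

```python
import re

# Constructed static DHCP mappings (MAC -> expected IP), standing in for the
# "static-mapped DHCP entries" described in the thread. Hypothetical values.
STATIC_MAPPINGS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.1.50",
}

# Constructed sample in the format FreeBSD `arp -an` prints on a pfSense box.
ARP_SAMPLE = """\
? (192.168.1.10) at 00:11:22:33:44:01 on em1 expires in 1181 seconds [ethernet]
? (192.168.1.99) at 00:11:22:33:44:02 on em1 expires in 1150 seconds [ethernet]
? (192.168.1.50) at 00:11:22:33:44:03 on em1 permanent [ethernet]
? (192.168.1.77) at aa:bb:cc:dd:ee:ff on em1 expires in 900 seconds [ethernet]
"""

# Matches the "(ip) at mac" part of each resolved ARP entry.
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp(text):
    """Return {mac: ip} for every resolved entry in `arp -an` output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen


def audit(arp_table, mappings):
    """Compare live ARP entries with the static mappings.

    Returns (mismatches, unknown): mismatches holds (mac, expected_ip, actual_ip)
    for mapped MACs seen on the wrong IP; unknown holds (mac, ip) for MACs with
    no static mapping at all."""
    mismatches, unknown = [], []
    for mac, ip in arp_table.items():
        expected = mappings.get(mac)
        if expected is None:
            unknown.append((mac, ip))
        elif expected != ip:
            mismatches.append((mac, expected, ip))
    return mismatches, unknown


if __name__ == "__main__":
    bad, unk = audit(parse_arp(ARP_SAMPLE), STATIC_MAPPINGS)
    for mac, exp, act in bad:
        print(f"MISMATCH {mac}: mapped to {exp} but using {act}")
    for mac, ip in unk:
        print(f"UNKNOWN  {mac} at {ip} (no static mapping)")
```

On a real box you would feed it the output of `arp -an` and the DHCP static mappings; a mismatch is exactly the case where a client has set its own IP and is no longer covered by the rule written for its mapped address.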
-
I always wanted this feature as well, to be able to have rules by MAC IDs, because clients are sometimes smart and manually set a different IP in network settings and get over limiters or blocks etc. So far I'm using static ARP, but then I need to know the MAC of each client in order to control their traffic.
-
If clients are smart enough to change an IP address, then they can surely change their MAC address as well.
-
Changing the MAC they might not risk, but changing the IP is fairly easy.