MAC address Deny

[Purple]

Hi All,

Im new to OPNsense, just a brief intro we are a non-profit organization and a school.

I would like to seek help from you guys on how to really control the access of our network we have so many unwanted users on-board our network that needed to be block using MAC address, I made quite a lot of MAC address denied but yet they are still able to login to the network and to some MAC address it can not be block, the reason behind controlling the use of our network is that we have a very small bandwidth.

Is there a way we can deny access by using the MAC address or an alternative solution of blocking or denying unwanted users.

Thank you OPNsense for a great firewall system it help a lot to our operation.   

[bartjsmit]

I would use DHCP to assign reservations to a network range which represents sanctioned MAC addresses and then set traffic shaping to prioritise that block with everybody else going to a different range. Presumably your throughput is pretty poor already and throttling the unsanctioned devices may stop the more enterprising users from setting a static IP in the fast lane range, since they're getting at least some internet traffic.

Bart...

[weust]

MAC addresses can be spoofed/cloned, so even sanctioning won't help you security wise.
Using NPS with certificates rolled out to the devices you do allow would be the beter way, imo.

But, seeing you're a non-profit and school probably means your budget isn't very high.
I would physically seperate the LANs. To keep students away from your most important systems.