Author Topic: MAC address Deny  (Read 2864 times)

Purple

MAC address Deny
« on: July 19, 2017, 05:14:34 am »
Hi All,

I'm new to OPNsense. Just a brief intro: we are a non-profit organization and a school.

I would like to seek help from you guys on how to really control access to our network. We have so many unwanted users on our network that need to be blocked by MAC address. I have denied quite a lot of MAC addresses, yet they are still able to log in to the network, and some MAC addresses cannot be blocked. The reason for controlling the use of our network is that we have very little bandwidth.

Is there a way we can deny access by using the MAC address, or an alternative solution for blocking or denying unwanted users?

Thank you OPNsense for a great firewall system; it helps our operation a lot.   ;)

bartjsmit

Re: MAC address Deny
« Reply #1 on: July 19, 2017, 08:21:14 am »
I would use DHCP to assign reservations to a network range which represents sanctioned MAC addresses and then set traffic shaping to prioritise that block with everybody else going to a different range. Presumably your throughput is pretty poor already and throttling the unsanctioned devices may stop the more enterprising users from setting a static IP in the fast lane range, since they're getting at least some internet traffic.

Bart...

weust

Re: MAC address Deny
« Reply #2 on: July 19, 2017, 10:07:21 am »
MAC addresses can be spoofed/cloned, so even sanctioning won't help you security-wise.
Using NPS with certificates rolled out to the devices you do allow would be the better way, imo.

But, seeing you're a non-profit and school probably means your budget isn't very high.
I would physically separate the LANs, to keep students away from your most important systems.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.
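
An audit for the reservation scheme discussed in this thread, as an added example that is not part of any poster's reply or of OPNsense itself: it compares an ARP table snapshot against the DHCP reservations and reports devices sitting in the sanctioned range without a reservation, and sanctioned MACs seen away from their reserved address. The address range, MAC addresses, sample `arp -an` lines and function names are all constructed assumptions. A clean result only means the expected MAC values were seen at the expected addresses; it cannot tell a cloned MAC from the real device.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (assumptions, not taken from the thread).
FAST_LANE = ipaddress.ip_network("192.168.10.0/25")  # range reserved for sanctioned devices
RESERVATIONS = {                                      # DHCP static mappings: MAC -> IP
    "00:11:22:33:44:55": "192.168.10.10",
    "00:11:22:33:44:66": "192.168.10.11",
}
ARP_SNAPSHOT = """\
? (192.168.10.10) at 00:11:22:33:44:55 on em1 expires in 1187 seconds [ethernet]
? (192.168.10.11) at 00:11:22:33:44:66 on em1 expires in 902 seconds [ethernet]
? (192.168.10.40) at de:ad:be:ef:00:01 on em1 expires in 655 seconds [ethernet]
? (192.168.10.200) at de:ad:be:ef:00:02 on em1 expires in 1100 seconds [ethernet]
? (192.168.10.77) at 00:11:22:33:44:66 on em1 expires in 30 seconds [ethernet]
? (192.168.10.99) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_arp(text):
    """Yield (ip, mac) pairs from FreeBSD-style `arp -an` output, skipping incomplete entries."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield ipaddress.ip_address(m["ip"]), m["mac"].lower()

def audit(arp_text, reservations, fast_lane):
    """Return sorted findings as (kind, mac, ip) tuples."""
    findings, seen = [], defaultdict(set)
    for ip, mac in parse_arp(arp_text):
        seen[mac].add(ip)
        reserved = reservations.get(mac)
        if reserved is None and ip in fast_lane:
            # Device without a reservation using an address in the prioritised range.
            findings.append(("unsanctioned-mac-in-fast-lane", mac, str(ip)))
        elif reserved is not None and str(ip) != reserved:
            # Known MAC answering for an address other than its reservation.
            findings.append(("sanctioned-mac-off-reservation", mac, str(ip)))
    for mac, ips in seen.items():
        if mac in reservations and len(ips) > 1:
            # Same sanctioned MAC at several addresses: possible clone or misconfiguration.
            findings.append(("sanctioned-mac-at-multiple-ips", mac, ",".join(sorted(map(str, ips)))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ARP_SNAPSHOT, RESERVATIONS, FAST_LANE):
        print(*finding)
```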
