OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Purple on July 19, 2017, 05:14:34 am

Title: MAC address Deny
Post by: Purple on July 19, 2017, 05:14:34 am
Hi All,

I'm new to OPNsense. Just a brief intro: we are a non-profit organization and a school.

I would like to seek help from you guys on how to really control access to our network. We have so many unwanted users on our network that need to be blocked using MAC address. I have denied quite a lot of MAC addresses, yet they are still able to log in to the network, and some MAC addresses cannot be blocked. The reason behind controlling the use of our network is that we have very small bandwidth.

Is there a way we can deny access by using the MAC address, or an alternative solution for blocking or denying unwanted users?

Thank you OPNsense for a great firewall system, it helps our operation a lot.   ;)
Title: Re: MAC address Deny
Post by: bartjsmit on July 19, 2017, 08:21:14 am
I would use DHCP to assign reservations to a network range which represents sanctioned MAC addresses and then set traffic shaping to prioritise that block with everybody else going to a different range. Presumably your throughput is pretty poor already and throttling the unsanctioned devices may stop the more enterprising users from setting a static IP in the fast lane range, since they're getting at least some internet traffic.

Bart...
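
An added example, not part of the original post and not OPNsense code: one way to audit the scheme described above by comparing the firewall's ARP table with the DHCP reservations. The subnet split, the reservation list and the sample `arp -an` output are constructed assumptions.

```python
import ipaddress
import re

# Assumed layout (not from the thread): reserved devices sit in 192.168.1.0/25,
# everybody else gets a lease from 192.168.1.128/25.
SANCTIONED_NET = ipaddress.ip_network("192.168.1.0/25")

# Constructed DHCP reservations: MAC -> reserved IP.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}

# Constructed sample in the format printed by FreeBSD `arp -an`.
SAMPLE_ARP = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.11) at 00:11:22:33:44:66 on em1 expires in 904 seconds [ethernet]
? (192.168.1.20) at 02:aa:bb:cc:dd:01 on em1 expires in 1001 seconds [ethernet]
? (192.168.1.150) at 02:aa:bb:cc:dd:02 on em1 expires in 655 seconds [ethernet]
? (192.168.1.151) at 00:11:22:33:44:55 on em1 expires in 655 seconds [ethernet]
? (192.168.1.30) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ", re.I
)

def audit_arp(arp_text, reservations=RESERVATIONS, net=SANCTIONED_NET):
    """Return (ip, mac, reason) for ARP entries that break the reservation scheme."""
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # incomplete entries carry no MAC to check
        ip, mac = m["ip"], m["mac"].lower()
        reserved_ip = reservations.get(mac)
        if reserved_ip is None and ipaddress.ip_address(ip) in net:
            # Static IP set by hand inside the prioritised range.
            findings.append((ip, mac, "unsanctioned MAC in reserved range"))
        elif reserved_ip is not None and reserved_ip != ip:
            # A reserved MAC away from its reservation may be a clone.
            findings.append((ip, mac, "reserved MAC seen at an unexpected IP"))
    return findings

if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP):
        print(*finding, sep="  ")
```

A device that clones a reserved MAC and uses that MAC's reserved IP is indistinguishable from the real one in the ARP table, so this check does not catch it.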
Title: Re: MAC address Deny
Post by: weust on July 19, 2017, 10:07:21 am
MAC addresses can be spoofed/cloned, so even sanctioning won't help you security-wise.
Using NPS with certificates rolled out to the devices you do allow would be the better way, imo.

But, seeing you're a non-profit and school probably means your budget isn't very high.
I would physically separate the LANs, to keep students away from your most important systems.