[SOLVED] Block mac address

Started by fox983, October 11, 2015, 02:18:51 PM

October 11, 2015, 02:18:51 PM Last Edit: October 13, 2015, 07:22:08 AM by franco
Hi, is there a way to block navigation on WAN for a specific MAC address? I can't find anything, e.g. in a firewall rule I can only set an IP address...

AFAIK a MAC address isn't known outside the internal network. Meaning, it's not visible on the internet?
I could be wrong though.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Packet filters normally don't allow filtering below the IP layer[1]. If you still want to do it, you will maybe have luck by modifying the ARP table manually.

[1] https://www.freebsd.org/doc/en/articles/filtering-bridges/article.html

Inside the LAN the MAC address is known, and I think it could be possible to block or allow navigation through the firewall. So it isn't possible to block navigation through the GUI? Many domestic routers have this function. It would also be nice to allocate more or less bandwidth, but that is another story ;D

I was thinking you could use the captive portal MAC filtering and just have no accounts active on the login page?

Captive Portal seems to be working BUT I think it could be improved: if a user has internet access (without authentication) and I block his MAC address, the only way is to reboot the firewall; if not, the PC continues to navigate. I tried rebooting the PC or the Captive Portal with no success... If I reboot the firewall, navigation on the PC is denied.
Is it possible to block navigation without rebooting?
Thank you

And if that person changes the MAC address?

Changing the IP is easier than changing the MAC address, or rather better known...
Obviously changing the MAC address or IP is the way to bypass the block.

In Captive Portal - Allowed IP addresses, is there a way to insert a range of IPs instead of a single IP?

Not yet, but I will record this as a feature request for the all-new captive portal:

https://github.com/opnsense/core/issues/430