[SOLVED] Block mac address

[fox983]

Hi, is there a way to block navigation on wan to a specific mac address? I don't find anything, eg. in firewall rule I can only set an IP address...

[weust]

AFAIK a MAC address isn't known outside the internal network. Meaning, it's not visible on the internet?
I could be wrong though.

[franco]

Packet filters normally don't allow filtering below the IP layer[1]. If you still want to do it, you will maybe have luck by modifying the ARP table manually.

[1] https://www.freebsd.org/doc/en/articles/filtering-bridges/article.html

[fox983]

Inside LAN mac address is known and I think it could be possible block or allow navigation through firewall. So through GUI isn't possible to block navigation? Many domestic router have this function. It could be nice also allocate more or less bandwidth, but this is another story 

[franco]

I was thinking you could use the captive portal MAC filtering and just have no accounts active on the login page?

[fox983]

Captive Portal seems working BUT I think it could be improved: if a user has internet access (without authentication) and I block his mac address, the only way is reboot the firewall, if not  PC continues to navigate. Trying to reboot Pc or Captive Portal with no success... If I reboot firewall, navigation on PC is denied.
Is it possible block navigation without rebooting?
Thank you

[weust]

And if that person changes the MAC address?

[fox983]

Change IP is easier than change mac address, rather best known...
Obviously changing mac address or IP is the way to bypass the block.

[fox983]

In Captive Portal - Allowed IP addresses is there a way to insert a range of IP instead of a single IP?

[franco]

Not yet, but I will record this as a feature request for the all new captive portal:

https://github.com/opnsense/core/issues/430