Author Topic: Firewall filter - allow inbound access by MAC address  (Read 8586 times)

SomebodySysop (Newbie, Posts: 20, Karma: 0)
Firewall filter - allow inbound access by MAC address
« on: February 12, 2022, 09:41:21 pm »
I have to open a WAN port in my firewall to allow access to VPN.  I have only 3 devices I will ever use to access my VPN server (running on Synology) away from home. 

I was wondering if there was a way to construct a rule in OPNsense which would only allow the MAC addresses of those 3 devices to pass through the WAN at that port?

I have read that, in general, opnsense (and pfsense) do not allow for external MAC filtering because their Linux kernels don't support it.  However, I have also seen mention of something called "captive portal" which might be able to do it.  And, I just saw this article on using pi-hole to see the MAC and IP addresses of external servers: https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/#page-content.

So, thought I'd pose the question here in case someone has done it or knows how to do it.

ajm (Jr. Member, Posts: 62, Karma: 7)
Re: Firewall filter - allow inbound access by MAC address
« Reply #1 on: February 12, 2022, 09:53:21 pm »
https://en.wikipedia.org/wiki/MAC_address

SomebodySysop (Newbie, Posts: 20, Karma: 0)
Re: Firewall filter - allow inbound access by MAC address
« Reply #2 on: February 12, 2022, 10:01:07 pm »
Quote from: ajm on February 12, 2022, 09:53:21 pm
https://en.wikipedia.org/wiki/MAC_address

So, can I filter by MAC using firewall rules in OPNsense?

senser (Jr. Member, Posts: 55, Karma: 0)
Re: Firewall filter - allow inbound access by MAC address
« Reply #3 on: February 12, 2022, 10:54:57 pm »
No, MAC addresses work on layer 2 (hop to hop) and the filter of opnsense works on layer 3 (end to end) and 4 (transport).
https://www.practicalnetworking.net/series/packet-traveling/packet-traveling/
« Last Edit: February 13, 2022, 01:09:50 am by senser »

lilsense (Hero Member, Posts: 600, Karma: 19)
Re: Firewall filter - allow inbound access by MAC address
« Reply #4 on: February 13, 2022, 05:03:40 am »
If on FreeBSD, you can use ipfw to block MAC addresses at layer 2.

On PF, however, you would need to create a bridge; then you can filter MAC on the bridge.


Just to be clear, you need no rule for outbound traffic to the WAN side.

SomebodySysop (Newbie, Posts: 20, Karma: 0)
Re: Firewall filter - allow inbound access by MAC address
« Reply #5 on: February 13, 2022, 05:29:41 am »
OK, then, can I filter by MAC on the LAN side? That is, once a device is allowed through the WAN side of the firewall, can I capture its MAC on the LAN side to determine if it is allowed to proceed to the port of the internal host?

And if so, how?

lilsense (Hero Member, Posts: 600, Karma: 19)
Re: Firewall filter - allow inbound access by MAC address
« Reply #6 on: February 13, 2022, 06:14:03 am »
Instead of relying on MAC, I would recommend locking down the VPN, since there are only going to be 3 devices, by using ultra long passwords, etc.

You can place your VPN in a VPN zone and create a specific rule based on the IP to access the devices.

SomebodySysop (Newbie, Posts: 20, Karma: 0)
Re: Firewall filter - allow inbound access by MAC address
« Reply #7 on: February 13, 2022, 10:06:23 am »
Quote from: lilsense on February 13, 2022, 06:14:03 am
Instead of relying on MAC, I would recommend locking down the VPN, since there are only going to be 3 devices, by using ultra long passwords, etc.

You can place your VPN in a VPN zone and create a specific rule based on the IP to access the devices.

Got it!  Thanks. 

zbig (Newbie, Posts: 14, Karma: 3)
Re: Firewall filter - allow inbound access by MAC address
« Reply #8 on: February 13, 2022, 11:33:10 am »
I have done it using aliases. Defined an alias of type “MAC Address” under “Firewall / Aliases” and referred to it in my firewall rule as a source. Not sure how it works exactly under the hood. I believe it just resolves the MAC to IP when the time to reload aliases comes and uses that IP in the packet filter from now on so it might not be accurate/secure enough in some cases?
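The caveat in the reply above (a MAC alias is expanded to IP addresses at reload time, and the IPs are what the packet filter actually matches) can be modelled in a few lines. This is an added example, not OPNsense's own alias code: it assumes FreeBSD-style `arp -an` output as the source of MAC-to-IP mappings, parses a constructed snapshot into the IP list a pf table would hold, and then checks a later snapshot to show how those IPs go stale once leases move.

```python
import re
from collections import defaultdict

# Constructed sample in FreeBSD `arp -an` format (not captured from a real host).
ARP_SNAPSHOT_T0 = """\
? (192.168.1.1) at 00:0d:b9:aa:bb:cc on em1 permanent [ethernet]
? (192.168.1.20) at a4:83:e7:11:22:33 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.21) at 3c:22:fb:44:55:66 on em1 expires in 900 seconds [ethernet]
? (192.168.1.50) at 00:1b:21:77:88:99 on em1 expires in 60 seconds [ethernet]
"""
# Later constructed snapshot: the allowed device a4:83:... got a new lease, and a
# device that was never allowed now holds the address it used to have.
ARP_SNAPSHOT_T1 = """\
? (192.168.1.1) at 00:0d:b9:aa:bb:cc on em1 permanent [ethernet]
? (192.168.1.77) at a4:83:e7:11:22:33 on em1 expires in 1190 seconds [ethernet]
? (192.168.1.20) at de:ad:be:ef:00:01 on em1 expires in 1150 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)")

def normalize_mac(mac):
    """Compare MACs case-insensitively so 'A4:83:..' and 'a4:83:..' are the same device."""
    return mac.lower()

def parse_arp(text):
    """Return {mac: {ip, ...}} from arp -an output; one MAC may hold several IPs."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[normalize_mac(m.group("mac"))].add(m.group("ip"))
    return table

def resolve_mac_alias(alias_macs, arp_text):
    """Expand a MAC-address alias into the IPs the ARP table currently maps it to.
    This is the list the packet filter ends up matching on; MACs never reach pf."""
    table = parse_arp(arp_text)
    ips = set()
    for mac in alias_macs:
        ips |= table.get(normalize_mac(mac), set())
    return sorted(ips)

def stale_entries(resolved_ips, arp_text, alias_macs):
    """IPs from an earlier resolution that are no longer owned by an allowed MAC.
    An IP missing from the table counts as stale too: its owner is unknown."""
    table = parse_arp(arp_text)
    allowed = {normalize_mac(m) for m in alias_macs}
    owner = {ip: mac for mac, ips in table.items() for ip in ips}
    return sorted(ip for ip in resolved_ips if owner.get(ip) not in allowed)
```

Until the alias is refreshed, `stale_entries` is exactly the set of addresses the rule still permits even though the allowed devices no longer hold them, which is the gap the reply above points at.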
