Is there a way to blacklist MAC addresses before they connect?

[hunterjwizzard]

I have a couple of devices I don't want ever connecting to the network. Is there a way to tell the OPNsense device "If this tries to connect, do not give it an IP address"? To be clear, I don't want the devices to connect and THEN add them to some kind of list, I want to be able to enter a MAC before a device is turned on and prevent it ever talking to the network. I know this is possible on my wireless access point via an ACL rule, but there has to be an option at the router level.

[mimugmail]

Only 802.1x on the switch. If the Firewall see the packet its already in

[Patrick M. Hausen]

@hunterjwizzard the problem is that your firewall is not involved in traffic that is strictly local to the LAN. Your layer 2 device, i.e. switch must do that as @mimugmail already pointed out.

If PC A on the LAN is talking to PC B on the LAN the packets do not reach your OPNsense ...

Out of curiosity: why do you connect devices to the network that you don't want to talk to the network at all? E.g. I simply unplugged the Ethernet from my "smart" TV after I found out how crappy it was.

[lilsense]

You can use 802.x and use the OPNSense Radius service to control the MAC, or just use a managed switch and put in the MAC address in the block list of the switch...

You know, you can change the MAC on any OS, right?

[hunterjwizzard]

Out of curiosity: why do you connect devices to the network that you don't want to talk to the network at all? E.g. I simply unplugged the Ethernet from my "smart" TV after I found out how crappy it was.

The latest crop of smart TVs are all wifi, otherwise I would just jam peanutbutter in the LAN port. In fact a smart TV is exactly one of the use cases - I can certainly never connect it myself, but I worry someone else in the household will try to "help" and end up bricking the damn thing with an automatic firmware update. Truly, smart tvs are the dumbest thing ever.

You can use 802.x and use the OPNSense Radius service to control the MAC, or just use a managed switch and put in the MAC address in the block list of the switch...

You know, you can change the MAC on any OS, right?

You can change/spoof the MAC of a PC but generelly not an embedded device such as a smart tv or wall plug. So for example I can read the MAC off the back of the smart tv and then blacklist the stupid thing before it ever gets power.

Anyway, I will check out my core switch for MAC ACLS.

Thanks!