Is there a way to blacklist MAC addresses before they connect?

Started by hunterjwizzard, March 01, 2022, 01:40:31 AM

I have a couple of devices I don't want ever connecting to the network. Is there a way to tell the OPNsense device "If this tries to connect, do not give it an IP address"? To be clear, I don't want the devices to connect and THEN add them to some kind of list, I want to be able to enter a MAC before a device is turned on and prevent it ever talking to the network. I know this is possible on my wireless access point via an ACL rule, but there has to be an option at the router level.

Only 802.1x on the switch. If the firewall sees the packet, it's already in.

@hunterjwizzard the problem is that your firewall is not involved in traffic that is strictly local to the LAN. Your layer 2 device, i.e. the switch, must do that, as @mimugmail already pointed out.

If PC A on the LAN is talking to PC B on the LAN the packets do not reach your OPNsense ...

Out of curiosity: why do you connect devices to the network that you don't want to talk to the network at all? E.g. I simply unplugged the Ethernet from my "smart" TV after I found out how crappy it was.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You can use 802.x and use the OPNSense Radius service to control the MAC, or just use a managed switch and put in the MAC address in the block list of the switch...

You know, you can change the MAC on any OS, right? ;)
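The switch-side MAC deny list described in this reply, whether it is a static MAC ACL or a RADIUS MAC-authentication-bypass check, boils down to normalising the MAC the switch reports and matching it against a list. The following is an added example, not code from OPNsense or from anyone in this thread; the deny-list entries are constructed placeholders, the function names are my own, and the caveat about spoofed MACs from the reply above is handled by flagging locally administered addresses:

```python
import re

# Constructed deny list: MACs as read off the device labels (placeholder values).
DENY_LIST = {
    "a4:5e:60:12:34:56",   # hypothetical smart TV
    "b8:27:eb:ab:cd:ef",   # hypothetical smart plug
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC as lowercase colon-separated hex, or raise ValueError.

    Switches doing MAC authentication bypass put the client MAC in the RADIUS
    User-Name attribute, but the format varies by vendor: 'AA-BB-CC-DD-EE-FF',
    'aabb.ccdd.eeff', 'aabbccddeeff' or 'aa:bb:cc:dd:ee:ff' all occur.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02) of the first octet is set.

    Randomised or manually changed MACs normally set this bit. A deny list
    keyed on the factory MAC printed on the label can never match such a
    client, so these are worth logging separately.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def decide(user_name: str, deny_list=DENY_LIST) -> str:
    """Return the RADIUS reply type for one MAB request.

    Deny-list policy as asked for in the thread: listed MACs are rejected,
    everything else is accepted. Unparseable names fail closed.
    """
    try:
        mac = normalize_mac(user_name)
    except ValueError:
        return "Access-Reject"
    return "Access-Reject" if mac in deny_list else "Access-Accept"


def audit(user_names):
    """Evaluate a batch of User-Name values; returns (input, decision, spoof_hint) tuples."""
    rows = []
    for name in user_names:
        decision = decide(name)
        try:
            hint = is_locally_administered(name)
        except ValueError:
            hint = False
        rows.append((name, decision, hint))
    return rows


if __name__ == "__main__":
    # Constructed sample of User-Name values as different switches might send them.
    sample = ["A4-5E-60-12-34-56", "b827.ebab.cdef", "00:11:22:33:44:55",
              "02:11:22:33:44:55", "garbage"]
    for name, decision, spoof_hint in audit(sample):
        flag = "  (locally administered MAC)" if spoof_hint else ""
        print(f"{name:20} -> {decision}{flag}")
```

The `is_locally_administered` check does not make the deny list any stronger; it only tells you which clients you could not have matched by label MAC anyway, which is the practical limit of this approach for anything that is not a fixed embedded device.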

Quote from: pmhausen on March 01, 2022, 07:28:49 AM
Out of curiosity: why do you connect devices to the network that you don't want to talk to the network at all? E.g. I simply unplugged the Ethernet from my "smart" TV after I found out how crappy it was.

The latest crop of smart TVs are all wifi, otherwise I would just jam peanut butter in the LAN port. In fact a smart TV is exactly one of the use cases - I can certainly never connect it myself, but I worry someone else in the household will try to "help" and end up bricking the damn thing with an automatic firmware update. Truly, smart TVs are the dumbest thing ever.

Quote from: lilsense on March 01, 2022, 02:38:42 PM
You can use 802.x and use the OPNSense Radius service to control the MAC, or just use a managed switch and put in the MAC address in the block list of the switch...

You know, you can change the MAC on any OS, right? ;)

You can change/spoof the MAC of a PC but generally not an embedded device such as a smart TV or wall plug. So for example I can read the MAC off the back of the smart TV and then blacklist the stupid thing before it ever gets power.

Anyway, I will check out my core switch for MAC ACLs.

Thanks!