Firewall Rule to Allow Access by MAC Address

Started by ggalt, April 11, 2016, 08:22:40 PM

All:

I'm new to OPNsense, so it may be that I just can't find the correct location for this option, but is it possible to filter (block or allow) traffic based on MAC address? I'm thinking of a simple rule like: /sbin/iptables -A INPUT -m mac --mac-source 01:00:E6:9A:14:B8 -j DROP. Any thoughts?

George

Hi George,

MAC addresses are not covered by FreeBSD's ipfw(4) and pf(4) packet filters which OPNsense uses. You can, however, use the captive portal functionality to allow access only to specific MAC addresses in the advanced configuration, see "Allowed MAC addresses".


Cheers,
Franco

Franco:

Thanks. As you can probably guess from my use of an iptables rule, I've got more familiarity with Linux. I'll take a look at Captive Portals and see what I can do.

George

Blocking MAC addresses does not come up very often. It's likely that we can help with the actual use case more. :)

Franco:
The use case is rather simple. I want to prevent my children from accessing the Internet during certain hours (10 p.m. to 7 a.m.), but they have to be able to access the internal network to use resources (e.g. printers, shared drives, etc.). At the same time, I don't want to limit my (or my wife's) access to the Internet.

My thought was to get the MAC addresses for my devices and those of my wife, set a rule to block all external traffic from 10 p.m. to 7 a.m., with another rule to allow traffic from the whitelist of devices.

I did a quick read over the Captive Portal documentation and it seems like overkill -- mostly, the need to log in will have a very low WAF. I'll have to continue hunting for an approach. If you have any thoughts about another way to address this use case, I'd enjoy hearing about it.

Thanks,

George

September 08, 2016, 10:54:33 AM #5 Last Edit: September 08, 2016, 01:27:08 PM by vinz
Sorry for diggin' in the graveyard.

I'm new to OPNsense.
This is an interesting use case; what was, or could be, the solution for this?

thanks, vinz

P.S.: I am aware that this approach is not for professional use; if I was your son, I'd spoof the MAC.
One thought: you can join MACs to IPs in the DHCP server, so you could move your problem to blocking IPs, if possible?

Hi vinz,

(a) enforcing MAC pass-through via Captive Portal.

(b) (like you suggested) setting up a DHCP server with MAC mappings, rejecting unknown clients and only passing known IPs.

(c) use an external device like an intelligent switch to lock down MAC access

(d) maybe Suricata IPS rules can do MAC filtering too (definitely not in the OPNsense GUI if Suricata can actually do it)

(e) Writing a C utility based on Netmap (it's what Suricata does for IPS) to parse Ethernet headers and reject unknown senders/receivers/both.

These are the things I can think of in ascending order of complexity short of starting to work on the FreeBSD kernel. :)


Cheers,
Franco
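An added example of option (b) from the list above, combined with vinz's DHCP suggestion. It is not code from the thread or from OPNsense itself; it shows what the approach looks like at the FreeBSD layer with ISC dhcpd and raw pf/pfctl (in the OPNsense GUI the same thing is expressed as DHCPv4 static mappings, a firewall alias and a schedule). The LAN 192.168.1.0/24 on em0, the MAC addresses, host names and the 22:00 to 07:00 window are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): approach (b) at the
# FreeBSD/pf layer. Devices get fixed IPs through DHCP static mappings
# (MAC -> IP), the DHCP server refuses unknown MACs, and pf filters on the
# resulting IPs. A pf table <curfew> holds the children's IPs only during
# the 22:00-07:00 window; traffic from table members to anything outside
# the LAN is blocked, while LAN resources stay reachable.
# Assumptions (constructed): LAN 192.168.1.0/24 on em0, MACs and hosts below.

INVENTORY='
aa:bb:cc:dd:ee:01 192.168.1.10 george adult
aa:bb:cc:dd:ee:02 192.168.1.11 wife   adult
aa:bb:cc:dd:ee:03 192.168.1.20 kid1   child
aa:bb:cc:dd:ee:04 192.168.1.21 kid2   child
'

# Print the IPs of every device with the given role, one per line.
role_ips() {
  printf '%s\n' "$INVENTORY" | awk -v r="$1" 'NF == 4 && $4 == r { print $2 }'
}

# ISC dhcpd fragment: one host block per known MAC, and no leases for
# anyone else, so an unlisted device gets no address rather than a free one.
gen_dhcpd() {
  printf 'subnet 192.168.1.0 netmask 255.255.255.0 {\n'
  printf '  deny unknown-clients;\n}\n'
  printf '%s\n' "$INVENTORY" | awk 'NF == 4 {
    printf "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n", $3, $1, $2
  }'
}

# pf rules. The <curfew> table is empty outside the window, so the block rule
# matches nothing then. Destinations inside $lan_net (printers, shares, the
# firewall's own DNS) are never matched by the block rule, so they stay open.
gen_pf() {
  cat <<'EOF'
lan_net = "192.168.1.0/24"
table <curfew> persist
block in quick on em0 from <curfew> to ! $lan_net
pass in on em0 from $lan_net to any
EOF
}

# True when hour H (0-23) falls inside the 22:00-07:00 curfew.
curfew_active() {
  [ "$1" -ge 22 ] || [ "$1" -lt 7 ]
}

# The pfctl command a cron job would run at hour H: fill the table with the
# children's IPs when the curfew is on, empty it when it is off. Printed,
# not executed, so the logic can be checked on a box without pf.
curfew_cmd() {
  if curfew_active "$1"; then
    printf 'pfctl -t curfew -T replace %s\n' \
      "$(role_ips child | tr '\n' ' ' | sed 's/ $//')"
  else
    printf 'pfctl -t curfew -T flush\n'
  fi
}
# crontab entries that flip the table at the window edges:
#   0 22 * * * pfctl -t curfew -T replace 192.168.1.20 192.168.1.21
#   0 7  * * * pfctl -t curfew -T flush

gen_dhcpd
gen_pf
curfew_cmd "$(date +%H)"
```

Two caveats a practitioner would want. First, as vinz already pointed out, a child who changes the MAC to one from the adult list gets the adult's fixed address and walks straight past the block. Second, denying unknown clients in DHCP only stops devices that ask for a lease; a device with a manually configured address inside 192.168.1.0/24 is still passed by the last pf rule above, so a stricter variant would keep a second table of known IPs and block everything not in it.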