Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Firewall Rule to Allow Access by MAC Address
« previous
next »
Print
Pages: [
1
]
Author
Topic: Firewall Rule to Allow Access by MAC Address (Read 15104 times)
ggalt
Newbie
Posts: 5
Karma: 1
Firewall Rule to Allow Access by MAC Address
«
on:
April 11, 2016, 08:22:40 pm »
All:
I'm new to OPNsense, so it may be that I just can't find the correct location for this option, but is it possible to filter (block or allow) traffic based on MAC Address? I'm thinking of a simply rule like: /sbin/iptables -A INPUT -m mac --mac-source 01:00:E6:9A:14:B8 -j DROP. Any thoughts?
George
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #1 on:
April 11, 2016, 10:06:33 pm »
Hi George,
MAC addresses are not covered by FreeBSD's ipfw(4) and pf(4) packet filters which OPNsense uses. You can, however, use the captive portal functionality to allow access only to specific MAC addresses in the advanced configuration, see "Allowed MAC addresses".
Cheers,
Franco
Logged
ggalt
Newbie
Posts: 5
Karma: 1
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #2 on:
April 11, 2016, 10:12:09 pm »
Franco:
Thanks. As you can probably guess from my use of an iptables rule, I've got more familiarity with Linux. I'll take a look at Captive Portals and see what I can do.
George
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #3 on:
April 11, 2016, 10:14:42 pm »
Blocking MAC addresses does not come up very often. It's likely that we can help with the actual use case more.
Logged
ggalt
Newbie
Posts: 5
Karma: 1
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #4 on:
April 12, 2016, 03:18:01 am »
Franco:
The use case is rather simple. I want to prevent my children from accessing the Internet during certain hours (10 p.m. to 7 a.m.), but they have to be able to access the internal network to use resources (i.e. printers, shared drives, etc). At the same time, I don't want to limit my (or my wife's) access to the Internet.
My thought was to get the MAC addresses for my devices and those of my wife, set a rule to block all external traffic from 10 p.m. to 7 a.m., with another rule to allow traffic from the whitelist of devices.
I did a quick read over the Captive Portal documentation and it seems like overkill -- mostly the need to log in will have a very low WAF. I'll have to continue hunting for an approach. If you have any thoughts about another way to address this use case, I'd enjoy hearing about it.
Thanks,
George
Logged
vinz
Newbie
Posts: 21
Karma: 1
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #5 on:
September 08, 2016, 10:54:33 am »
sorry for diggin' in the graveyard
I'm new to OPNsense.
This is an interesting usecase, what was or could be the solution for this?
thanks, vinz
p.s: I am aware that this approach is not for professional use, if I was your son, I'd spoofe the mac.
One thought, you can join MACs to IPs in DHCP server, so you could move your problem to blocking IPs, if posible?
«
Last Edit: September 08, 2016, 01:27:08 pm by vinz
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Firewall Rule to Allow Access by MAC Address
«
Reply #6 on:
September 19, 2016, 12:38:19 am »
Hi vinz,
(a) enforcing mac-pass-through via Captive Portal.
(like you suggested) (b) setting up a DHCP server with MAC mappings, rejecting unknown clients and only passing known IPs.
(c) use an external device like a intelligent switch to lock down MAC access
(d) maybe Suricata IPS rules can do MAC filtering too (definitely not in the OPNsense GUI if Suricata can actually do it)
(e) Writing a C utility based on Netmap (it's what Suricata does for IPS) to parse Ethernet headers and reject unknown senders/receivers/both.
These are the things I can think of in ascending order of complexity short of starting to work on the FreeBSD kernel.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Firewall Rule to Allow Access by MAC Address