I guess my real goal is that anywhere an IP address can be used in pfSense, a MAC address could be used also, but the MAC address would simply be replaced with whatever its IP is in the ARP table. Of course some things like the LAN IP, etc. would not work this way.

Mostly talking about the Firewall, Traffic Shaper, and Virtual IPs.

I work with a very large DHCP network, 1,000+ users. I do not have any control over the devices connecting, and the devices do not stay the same. Furthermore, this is a wireless network, so users are roaming between access points. No login or any way to ID the device. It has been requested that all blocking/traffic shaping take place on the firewall, not switches.

When I discover a device hogging bandwidth, acting bad, etc., I would like to have the ability to do any of the following: block it, traffic shape it, or give it a 1:1 NAT.

Currently I have to do the following:

1) Add the MAC and IP in the DHCP server; this will make sure the device IP stays the same.
2) Add the offending IP to an alias that corresponds to what I want to do (traffic shape, firewall).
3) Remove the MAC to IP in the DHCP server after a certain amount of time, usually 1 month, if I remember.

It would be nice if I could just:

1) Add the MAC address to an alias/rule. pfSense looks up the MAC in the ARP table. If the MAC exists, use the IP corresponding with it. If the MAC doesn't exist, then ignore it.

I guess it's not as big a deal after reading through it again, though I do see why it would come in useful.

I don't really care about the spoofing aspect of it, as 90% of the people connecting to our network can't even check their own IP settings.

Adam
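
The lookup proposed above (a MAC on a watch list is resolved through the ARP table and ignored when it has no entry) can be approximated with a script on the firewall. This is an added example, not part of the original thread and not pfSense's own code; it assumes FreeBSD-style `arp -an` output, and the function name, file paths and table name are hypothetical.

```shell
#!/bin/sh
# Added example: resolve a MAC watch list to current IPs from ARP output.
# Assumed input format (FreeBSD `arp -an`):
#   ? (10.0.0.23) at 00:1b:21:aa:bb:cc on em1 expires in 1170 seconds [ethernet]
#
# Hypothetical use, with a pf table "blocked_hosts" referenced by a rule:
#   arp -an | macs_to_ips /root/blocked_macs.txt > /tmp/blocked_ips
#   pfctl -t blocked_hosts -T replace -f /tmp/blocked_ips

# macs_to_ips MACFILE < arp-output
# Prints one IP per line for every ARP entry whose MAC is in MACFILE.
macs_to_ips() {
    awk '
    # Lower-case a MAC and zero-pad each octet so 0:1B:.. matches 00:1b:..
    # Returns "" for anything that is not six hex octets.
    function norm(mac,   n, p, i, oct, out) {
        n = split(tolower(mac), p, ":")
        if (n != 6) return ""
        out = ""
        for (i = 1; i <= 6; i++) {
            if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
            oct = (length(p[i]) == 1) ? "0" p[i] : p[i]
            out = (i == 1) ? oct : out ":" oct
        }
        return out
    }
    # Watch list: one MAC per line, blank lines and # comments allowed.
    FILENAME == ARGV[1] {
        sub(/#.*/, ""); gsub(/[ \t\r]/, "")
        m = norm($0)
        if (m != "") want[m] = 1
        next
    }
    # ARP table: field 2 is "(ip)", field 4 is the MAC or "(incomplete)".
    # Entries with no resolved MAC, or a MAC not on the list, are ignored.
    $3 == "at" {
        m = norm($4)
        if (m != "" && (m in want)) {
            ip = $2
            gsub(/[()]/, "", ip)
            print ip
        }
    }' "$1" -
}
```

Because ARP entries expire and wireless clients come and go, the resolved list is only a snapshot and would need to be regenerated on a schedule.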

Gary Buckmaster wrote:
MAC address filtering is of extremely limited utility. It is just as trivial to spoof a MAC address as it is to spoof an IP address. The problems you are trying to solve are already solved with captive portal and a judicious use of DHCP. If you require further layers of obtuseness, you can employ port-level security on your switches.
apiase...@midatlanticbb.com wrote:
Yeah, I was hoping to get around that, by simply adding the MAC address to a firewall rule, and pfSense would check the ARP table and use the appropriate IP address automatically.

So I guess it's not true layer 2 filtering, but it's close enough.

Adam



Tim Nelson wrote:
MAC to IP address tracking is handled by the ARP package. :-)

All joking aside, maybe you want to look at static DHCP assignments denying unknown clients or the captive portal?

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- apiase...@midatlanticbb.com wrote:

Are there any plans on adding this feature, or MAC to IP address tracking? I would be willing to submit a bounty if it's technically possible.

This is very useful for hotels, airports, & wifi hot spots, where you want to block a PC that is using DHCP.

I've actually never seen this feature in a firewall.

Adam

Gary Buckmaster wrote:
pfSense does not do firewalling based on MAC address.
Quirino Santilli wrote:
Hello guys,

I need to build a bridging firewall with MAC address based rules.
Is pfsense capable of doing the trick?

If not (as I guessed from the features) how can I achieve my goal?

Thank you for the help.

r3N0oV4



---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



__________ Information from ESET NOD32 Antivirus, version of virus signature database 3865 (20090218) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



