Bug #11115


Pfsense MAC Control Feature Request

Added by Pankaj Mathur 12 months ago. Updated 11 months ago.

Aliases / Tables

This is an actual problem that I am facing while working on home automation project.

Here is a descriptive write-up of the request:

Feel free to use or discard details as pfSense team sees fit.


MAC_Deny_Textbox.png (15.7 KB) - Actual MAC Deny text box in UI - Pankaj Mathur, 11/29/2020 10:40 PM

#1

Updated by A FL 12 months ago

I've read the gdoc, but I would propose to reject this issue.

But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.

The DHCP protocol cannot be routed from one LAN to another (the protocol internally uses the broadcast address of the LAN it is enabled on, which makes it non-routable; that's why pfSense has a "DHCP relay" feature), and in general it is not possible for one client to bypass the firewall rules specific to its assigned LAN.

If you indeed have multiple LANs and each LAN is correctly separated from the others (there's no point in having multiple LANs if they are connected to the same switch, unless you have VLAN tagging enabled on the switch), then what you describe is not possible.

Also, the feature you are asking for already exists: it's part of the captive portal, where there's a more convenient "Allowed/Denied MAC" option available (be aware that the captive portal got significantly upgraded in the upcoming 2.5 version).

#3

Updated by Jim Pingle 12 months ago

  • Status changed from New to Rejected

If you need to deny that many MACs from DHCP you've got an L2 or design issue, not a GUI problem.

#4

Updated by Pankaj Mathur 12 months ago

Hi Jim,

This network is for my house and my needs are as follows:
- Add 25+ IoTs that have a total of about 35 MAC addresses, as a few devices have both wired and wireless interfaces
- Add IoTs to a dedicated LAN
- Not allow IoTs to get on the Guest LAN

What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of the Guest LAN) for such a topology?
I am not a network professional and would appreciate any pointers if there are better ways of doing the above things.


#5

Updated by Jim Pingle 12 months ago

Post on the forum. This is not a site for that kind of discussion.

#6

Updated by Pankaj Mathur 11 months ago

Hi Jim,

Just wanted to post a closure as other non-networking folks may get the same idea!

I invested some time in learning about layer-2 and layer-3 switches and also tried hands-on tests with VLANs. I totally understand (now) what you said in your comment above.

Thanks for pointing me in the right direction; I came out more knowledgeable about networking concepts and hopefully security.

Have a great 2021!
