Pfsense MAC Control Feature Request
This is an actual problem that I am facing while working on home automation project.
Here is a descriptive write up of the request - https://docs.google.com/document/d/1AYLpF1sJ5bbJf6V3U-plH16xlzOJUW-PdBGdBxxT8r0/edit?usp=sharing
Feel free to use or discard details as pfSense team sees fit.
I've read the gdoc, but I would propose to reject this issue.
But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.
The DHCP protocol cannot be routed from one LAN to another (the protocol internally uses the broadcast address of the LAN it is enabled on, which makes it non-routable; that's why you have a "DHCP relay" feature on pfSense), and in general, it is not possible for one client to bypass the firewall rules specific to its assigned LAN.
If you are indeed having multiple LANs and if each LAN is correctly separated from the others (there's no point in having multiple LANs if they are connected to the same switch... unless you have VLAN tagging enabled on the switch), then what you describe is not possible.
Also, the feature you are asking for already exists: it's part of the captive portal; there's a more convenient "Allowed/Denied MAC" option available there (be aware that the captive portal got significantly upgraded in the future 2.5 version).
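As an added example (not part of this ticket or of pfSense's own code) of a defensive check that fits the separate-LAN design discussed above: instead of maintaining a deny list on the Guest LAN, keep the inventory of IoT MACs and alert whenever one of them obtains a DHCP lease on any interface other than the IoT LAN. The log lines are constructed in ISC dhcpd's DHCPACK format, and the interface names, VLAN layout and MAC inventory are assumptions.

```python
import re

# Constructed dhcpd log lines in the DHCPACK format ISC dhcpd writes
# (pfSense's DHCP server). Interface names and VLAN layout are assumptions.
SAMPLE_LOG = """\
Jan  5 10:01:12 pfSense dhcpd: DHCPACK on 192.168.20.41 to a4:cf:12:00:00:01 (thermostat) via igb1.20
Jan  5 10:02:03 pfSense dhcpd: DHCPACK on 192.168.30.77 to a4:cf:12:00:00:01 via igb1.30
Jan  5 10:02:40 pfSense dhcpd: DHCPACK on 192.168.30.78 to 3c:22:fb:aa:bb:cc (guest-phone) via igb1.30
Jan  5 10:03:15 pfSense dhcpd: DHCPACK on 192.168.20.42 to A4-CF-12-00-00-02 (camera) via igb1.20
"""

# Assumed mapping of DHCP-serving interface -> LAN name.
IFACE_TO_LAN = {"igb1.20": "LAN-IoT", "igb1.30": "LAN-Guest"}

# Assumed inventory of IoT MACs; only LAN-IoT should ever serve them.
IOT_MACS = {"a4:cf:12:00:00:01", "a4:cf:12:00:00:02"}
IOT_LAN = "LAN-IoT"

ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:\-]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'A4-CF-..' matches 'a4:cf:..'."""
    return mac.replace("-", ":").lower()

def parse_acks(log_text: str) -> list[dict]:
    """One record per DHCPACK line; lines that do not match the pattern are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            records.append({
                "ip": m.group("ip"),
                "mac": normalize_mac(m.group("mac")),
                "host": m.group("host") or "",
                # Unknown interfaces are kept by raw name so they still get flagged.
                "lan": IFACE_TO_LAN.get(m.group("iface"), m.group("iface")),
            })
    return records

def misplaced_iot_leases(log_text: str) -> list[tuple[str, str, str]]:
    """(mac, ip, lan) for every lease given to an inventoried IoT MAC outside LAN-IoT."""
    return [
        (r["mac"], r["ip"], r["lan"])
        for r in parse_acks(log_text)
        if r["mac"] in IOT_MACS and r["lan"] != IOT_LAN
    ]

if __name__ == "__main__":
    for mac, ip, lan in misplaced_iot_leases(SAMPLE_LOG):
        print(f"ALERT: IoT device {mac} got {ip} on {lan}")
```

On a real box the same function can be pointed at the DHCP log pfSense keeps; a hit means either the VLAN separation is not in place or a device has been physically moved to the wrong port.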
Updated by Pankaj Mathur 12 months ago
This network is for my house and my needs are as follows:
- Add 25+ IoTs that have a total of about 35 MAC addresses, as a few devices have wired and wireless interfaces
- Add IoTs to a dedicated LAN
- Not allow IoTs to get on Guest LAN
What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of Guest LAN) for such a topology?
I am not a network professional and will appreciate any pointers if there are better ways of doing the above things.
Updated by Pankaj Mathur 11 months ago
Just wanted to post a closure as other non-networking folks may get the same idea!
I invested some time in learning about layer-2 & layer-3 switches and also tried hands-on tests with VLANs. Totally understand (now) what you said in your comment above.
Thanks for putting me in the right direction, I came out more knowledgeable about networking concepts and hopefully security.
Have a great 2021!