pfSense bugtracker https://redmine.pfsense.org/
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=49740 2020-11-29T19:26:05Z A FL
<p>I've read the gdoc, but I would propose to reject this issue.</p>
<blockquote>
<p>But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.</p>
</blockquote>
<p>The DHCP protocol cannot be routed from one LAN to another (the protocol internally uses the broadcast address of the LAN it is enabled on, which makes it non-routable; that's why you have a "DHCP relay" feature on pfSense), and in general it is not possible for one client to bypass the firewall rules specific to its assigned LAN.</p>
<p>If you indeed have multiple LANs and each LAN is correctly separated from the others (there's no point in having multiple LANs if they are connected to the same switch... unless you have VLAN tagging enabled on the switch), then what you describe is not possible.</p>
<p>Also, the feature you are asking for already exists: it's part of the captive portal, where there's a more convenient "Allowed/Denied MAC" option available (be aware that the captive portal got significantly upgraded in the upcoming 2.5 version).</p>
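<p>The broadcast argument in the comment above, as an added example that is not part of the thread and not pfSense code: a Python model of a client DHCPDISCOVER at the wire level (RFC 2131 BOOTP fields, IPv4 broadcast, optional 802.1Q tag) and of what a VLAN-aware switch plus one DHCP server per LAN does with it. The VLAN numbers, MAC addresses and server names are constructed for the illustration; the server model ignores a denied MAC the way a DHCP deny list does. The last scenario in the usage block is the caveat a practitioner should keep in mind: a deny list only matches the <code>chaddr</code> string the client chose to send, so VLAN membership, not the deny list, is the isolation boundary.</p>

```python
"""Added example (not from the thread or from pfSense): a client DHCPDISCOVER at
the wire level and what a VLAN-aware switch plus per-LAN DHCP servers do with it.
All MACs, VLAN IDs and server names are constructed for the illustration."""
import struct
from typing import Optional, Tuple

BROADCAST_MAC = b'\xff' * 6
ANY_IP, BCAST_IP = b'\0\0\0\0', b'\xff\xff\xff\xff'
DHCP_MAGIC = b'\x63\x82\x53\x63'      # RFC 2131 options cookie, follows the 236-byte BOOTP header
DHCPDISCOVER = 1

# Constructed topology: one DHCP server per VLAN, the Guest server denies the IoT device's MAC.
IOT_MAC = '02:00:00:00:00:01'
SERVERS = {20: ('IOT', set()), 30: ('GUEST', {IOT_MAC})}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(':', ''))


def build_discover(client_mac: str, vlan: Optional[int] = None, xid: int = 0x3903F326) -> bytes:
    """Ethernet[/802.1Q]/IPv4/UDP/BOOTP frame as a client with no address emits it:
    L2 broadcast, 0.0.0.0 -> 255.255.255.255, udp/68 -> udp/67, giaddr 0, broadcast flag set."""
    bootp = struct.pack('!BBBBIHH4s4s4s4s16s64s128s',
                        1, 1, 6, 0, xid, 0, 0x8000,            # BOOTREQUEST, Ethernet, hlen 6, hops 0
                        ANY_IP, ANY_IP, ANY_IP, ANY_IP,         # ciaddr, yiaddr, siaddr, giaddr
                        mac_bytes(client_mac).ljust(16, b'\0'), b'\0' * 64, b'\0' * 128)
    dhcp = bootp + DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER, 255])    # option 53 + end marker
    udp = struct.pack('!HHHH', 68, 67, 8 + len(dhcp), 0) + dhcp       # UDP checksum left at 0
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ANY_IP, BCAST_IP) + udp
    tag = b'' if vlan is None else struct.pack('!HH', 0x8100, vlan & 0x0FFF)
    return BROADCAST_MAC + mac_bytes(client_mac) + tag + b'\x08\x00' + ip


def parse_discover(frame: bytes) -> dict:
    """Extract the fields a switch (VLAN), a router (dst IP, giaddr) and a DHCP server (chaddr) act on."""
    dst, src, off, vlan = frame[:6], frame[6:12], 12, None
    if frame[12:14] == b'\x81\x00':                                  # 802.1Q tag present
        vlan, off = struct.unpack('!H', frame[14:16])[0] & 0x0FFF, 16
    assert frame[off:off + 2] == b'\x08\x00', 'not IPv4'
    off += 2
    ihl = (frame[off] & 0x0F) * 4
    src_ip, dst_ip = frame[off + 12:off + 16], frame[off + 16:off + 20]
    off += ihl
    _sport, dport = struct.unpack('!HH', frame[off:off + 4])
    bootp = frame[off + 8:]
    _op, _htype, hlen, hops, _xid, _secs, flags = struct.unpack('!BBBBIHH', bootp[:12])
    assert bootp[236:240] == DHCP_MAGIC, 'no DHCP magic cookie'
    opts, msg_type, i = bootp[240:], None, 0
    while i < len(opts) and opts[i] != 255:                          # 255 = end option
        if opts[i] == 0:                                             # pad option carries no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return dict(vlan=vlan, dst_mac=dst, src_mac=src, src_ip=src_ip, dst_ip=dst_ip, dport=dport,
                giaddr=bootp[24:28], chaddr=bootp[28:28 + hlen], hops=hops,
                msg_type=msg_type, broadcast=bool(flags & 0x8000))


def dhcp_outcome(frame: bytes, servers: dict, native_vlan: int = 1) -> Tuple[Optional[str], str]:
    """servers: {vlan_id: (name, set of denied MACs)}. The switch floods a broadcast only to
    ports in the frame's VLAN and a router never forwards 255.255.255.255 (a DHCP relay would
    re-originate it as unicast with giaddr set), so at most one server ever sees the DISCOVER."""
    p = parse_discover(frame)
    if p['msg_type'] != DHCPDISCOVER or p['dst_ip'] != BCAST_IP or p['giaddr'] != ANY_IP:
        return None, 'not a client-originated DISCOVER'
    vlan = native_vlan if p['vlan'] is None else p['vlan']
    if vlan not in servers:
        return None, f'no DHCP server on VLAN {vlan}: nobody answers'
    name, denied = servers[vlan]
    mac = ':'.join(f'{b:02x}' for b in p['chaddr'])
    if mac in {m.lower() for m in denied}:
        return None, f'{name} saw the DISCOVER and ignored it (MAC deny list)'
    return name, f'{name} offers a lease'


if __name__ == '__main__':
    # IoT port on VLAN 20: the Guest server's deny list is never consulted, it never sees the frame.
    print(dhcp_outcome(build_discover(IOT_MAC, vlan=20), SERVERS))
    # Same device plugged into a Guest (VLAN 30) port: now the deny list is what stops it.
    print(dhcp_outcome(build_discover(IOT_MAC, vlan=30), SERVERS))
    # Any other MAC string on that port is offered a lease: the deny list is not an isolation boundary.
    print(dhcp_outcome(build_discover('02:00:00:00:00:02', vlan=30), SERVERS))
```

<p>An untagged frame is treated as belonging to the switch port's native VLAN (assumed to be VLAN 1 here, with no DHCP server on it), so it gets no answer at all, which is the same effect a correctly separated LAN has on a DISCOVER from a foreign segment.</p>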
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=49743 2020-11-29T23:10:25Z Pankaj Mathur
<ul><li><strong>File</strong> <a href="/attachments/3263">MAC_Deny_Textbox.png</a> added</li></ul>
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=49744 2020-11-30T07:43:41Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul>
<p>If you need to deny that many MACs from DHCP you've got an L2 or design issue, not a GUI problem.</p>
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=49769 2020-11-30T10:09:54Z Pankaj Mathur
<p>Hi Jim,</p>
<p>This network is for my house and my needs are as follows:</p>
<ul>
<li>Add 25+ IoTs that have a total of about 35 MAC addresses, as a few devices have wired and wireless interfaces</li>
<li>Add IoTs to a dedicated LAN</li>
<li>Not allow IoTs to get on the Guest LAN</li>
</ul>
<p>What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of the Guest LAN) for such a topology?<br />I am not a network professional and will appreciate any pointers if there are better ways of doing the above things.</p>
<p>Regards.</p>
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=49770 2020-11-30T10:14:13Z Jim Pingle
<p>Post on the forum. This is not a site for that kind of discussion.</p>
pfSense - Bug #11115: Pfsense MAC Control Feature Request https://redmine.pfsense.org/issues/11115?journal_id=50121 2020-12-31T22:20:46Z Pankaj Mathur
<p>Hi Jim,</p>
<p>Just wanted to post a closure, as other non-networking folks may get the same idea!</p>
<p>I invested some time in learning about layer-2 and layer-3 switches and also tried hands-on tests with VLANs. I totally understand (now) what you said in your comment above.</p>
<p>Thanks for putting me in the right direction; I came out more knowledgeable about networking concepts and hopefully security.</p>
<p>Have a great 2021!</p>
<p>Regards.</p>