Bug #11115 (closed): Pfsense MAC Control Feature Request
Description
This is an actual problem that I am facing while working on home automation project.
Here is a descriptive write up of the request - https://docs.google.com/document/d/1AYLpF1sJ5bbJf6V3U-plH16xlzOJUW-PdBGdBxxT8r0/edit?usp=sharing
Feel free to use or discard details as pfSense team sees fit.
Updated by A FL almost 4 years ago
I've read the gdoc, but I would propose to reject this issue.
But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.
The DHCP protocol cannot be routed from one LAN to another (the protocol internally uses the broadcast address of the LAN it is enabled on, which makes it non-routable; that's why you have a "DHCP relay" feature on pfSense), and in general it is not possible for one client to bypass the firewall rules specific to its assigned LAN.
If you are indeed having multiple LANs and each LAN is correctly separated from the others (there's no point in having multiple LANs if they are connected to the same switch, unless you have VLAN tagging enabled on the switch), then what you describe is not possible.
Also, the feature you are asking for already exists: it's part of the captive portal, where there's a more convenient "Allowed/Denied MAC" option available (be aware that the captive portal got significantly upgraded in the future 2.5 version).
Updated by Pankaj Mathur almost 4 years ago
- File MAC_Deny_Textbox.png added
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Rejected
If you need to deny that many MACs from DHCP you've got an L2 or design issue, not a GUI problem.
Updated by Pankaj Mathur almost 4 years ago
Hi Jim,
This network is for my house and my needs are as follows:
- Add 25+ IoTs that have a total of about 35 MAC addresses, as a few devices have wired and wireless interfaces
- Add IoTs to a dedicated LAN
- Not allow IoTs to get on Guest LAN
What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of Guest LAN) for such a topology?
I am not a network professional and will appreciate any pointers if there are better ways of doing the above things.
Regards.
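Whichever design is chosen (per-LAN DHCP as A FL describes above, or a MAC deny list as asked for here), the thing a home admin actually wants to verify is that no IoT device ever obtains a lease on the Guest LAN. The following is an added example, not code from pfSense or from this issue: it scans ISC dhcpd log lines (pfSense's DHCP server is ISC dhcpd, which logs `DHCPACK on <ip> to <mac> (<host>) via <iface>`) and flags any inventoried IoT MAC that was acknowledged on an interface other than the IoT LAN. The interface names, LAN names, MAC inventory and log lines are constructed for illustration.

```python
import re

# Constructed sample of ISC dhcpd syslog lines in the format pfSense writes
# (sample data, not taken from the issue).
SAMPLE_LOG = """\
Dec 30 10:01:02 pfSense dhcpd[1234]: DHCPACK on 192.168.10.21 to 3c:71:bf:aa:bb:01 (plug-kitchen) via igb1
Dec 30 10:01:05 pfSense dhcpd[1234]: DHCPACK on 192.168.10.22 to 3c:71:bf:aa:bb:02 via igb1
Dec 30 10:02:10 pfSense dhcpd[1234]: DHCPACK on 192.168.30.50 to 3c:71:bf:aa:bb:01 (plug-kitchen) via igb3
Dec 30 10:02:30 pfSense dhcpd[1234]: DHCPACK on 192.168.30.51 to d8:3a:dd:12:34:56 (guest-phone) via igb3
Dec 30 10:03:00 pfSense dhcpd[1234]: DHCPDISCOVER from 3c:71:bf:aa:bb:02 via igb3: network 192.168.30.0/24: no free leases
"""

# Hypothetical interface-to-LAN mapping and IoT MAC inventory (assumptions).
LAN_BY_IFACE = {"igb1": "LAN-IoT", "igb3": "LAN-Guest"}
IOT_MACS = {"3c:71:bf:aa:bb:01", "3c:71:bf:aa:bb:02"}

# DHCPACK line: IP, MAC, optional "(hostname)", and the receiving interface.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Yield (ip, mac, hostname, iface) for every DHCPACK line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or "", m.group("iface")


def find_misplaced_leases(log_text, iot_macs=IOT_MACS, lan_by_iface=LAN_BY_IFACE, iot_lan="LAN-IoT"):
    """Return every lease where an inventoried IoT MAC was acknowledged on a LAN other than its own."""
    hits = []
    for ip, mac, host, iface in parse_acks(log_text):
        lan = lan_by_iface.get(iface, iface)  # unknown interfaces are reported by raw name
        if mac in iot_macs and lan != iot_lan:
            hits.append({"mac": mac, "ip": ip, "host": host, "lan": lan})
    return hits


if __name__ == "__main__":
    for hit in find_misplaced_leases(SAMPLE_LOG):
        print(f"IoT device {hit['mac']} ({hit['host'] or 'no hostname'}) got {hit['ip']} on {hit['lan']}")
```

A clean result on a real log is the evidence that the LAN separation holds; a hit means the device reached the Guest LAN's broadcast domain (shared switch, missing VLAN tagging, or dual-radio device joined the guest SSID) rather than a firewall-rule problem.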
Updated by Jim Pingle almost 4 years ago
Post on the forum. This is not a site for that kind of discussion.
Updated by Pankaj Mathur almost 4 years ago
Hi Jim,
Just wanted to post a closure as other non-networking folks may get the same idea!
I invested some time in learning about layer-2 & layer-3 switches and also tried hands-on tests with VLANs. I totally understand (now) what you said in your comment above.
Thanks for putting me in the right direction, I came out more knowledgeable about networking concepts and hopefully security.
Have a great 2021!
Regards.