Bug #11115: Pfsense MAC Control Feature Request - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #11115

closed

Pfsense MAC Control Feature Request

Added by Pankaj Mathur over 3 years ago. Updated over 3 years ago.

Status:

Rejected

Priority:

Normal

Assignee:

Category:

Aliases / Tables

Target version:

Start date:

11/29/2020

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

Affected Architecture:

Description

This is an actual problem that I am facing while working on home automation project.

Here is a descriptive write up of the request - https://docs.google.com/document/d/1AYLpF1sJ5bbJf6V3U-plH16xlzOJUW-PdBGdBxxT8r0/edit?usp=sharing

Feel free to use or discard details as pfSense team sees fit.

Files

MAC_Deny_Textbox.png (15.7 KB) MAC_Deny_Textbox.png

Actual MAC Deny text box in UI

Pankaj Mathur, 11/29/2020 10:40 PM

History
Notes
Property changes

Actions

Copy link

Updated by A FL over 3 years ago

I've read the gdoc..but i would propose to reject this issue

But the challenge is that [...] there is an option for a client from any of the LANs to secure a DHCP lease on LAN-Guest and thereby circumvent firewall rules specific to the assigned LAN.

DHCP protocol cannot be routed from one LAN to another (the protocol is internally using the broadcast address of the LAN it is enabled on, which makes it non-routable. That's why you have a "DHCP relay" feature on pfSense), and in general, it is not possible for one client to bypass the firewall rules specific to its assigned LAN.

If you are indeed having multiple LAN and if each LAN is correctly separated from each other (there's no point to have multiple LANs if they are connected to the same switch...unless you are having vLANs tagging enabled on the switch), then what you describe is not possible.

Also, the feature you are asking for already exists : It's part of the captive portal, there's a more conveninent "Allowed/Denied MAC" option avaliable there (Be aware that the captive portal got significanly upgraded in the future 2.5 version)

Actions

Copy link

Updated by Pankaj Mathur over 3 years ago

File MAC_Deny_Textbox.png MAC_Deny_Textbox.png added

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Status changed from New to Rejected

If you need to deny that many MACs from DHCP you've got an L2 or design issue, not a GUI problem.

Actions

Copy link

Updated by Pankaj Mathur over 3 years ago

Hi Jim,

This network is for my house and my needs are as follows:
- Add 25+ IoTs that have a total of about 35 MAC addresses as few devices have wired and wireless interfaces
- Add IoTs to a dedicated LAN
- Not allow IoTs to get on Guest LAN

What other designs do you think I should research (besides adding all 35+ MAC addresses to the MAC Deny list of Guest LAN, for such topology?
I am not a network professional and will appreciate any pointers if there are better ways of doing above things.

Regards.

Actions

Copy link

Updated by Jim Pingle over 3 years ago

Post on the forum. This is not a site for that kind of discussion.

Actions

Copy link

Updated by Pankaj Mathur over 3 years ago

Hi Jim,

Just wanted to post a closure as other non-networking folks may get the same idea!

I invested some time in learning about layer-2 & layer-3 switches and also tried hands on tests with VLAN. Totally understand (now) what you said in your comment above.

Thanks for putting me in the right direction, I came out more knowledgeable about networking concepts and hopefully security.

Have a great 2021!

Regards.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #11115

Pfsense MAC Control Feature Request

Updated by A FL over 3 years ago

Updated by Pankaj Mathur over 3 years ago

Updated by Jim Pingle over 3 years ago

Updated by Pankaj Mathur over 3 years ago

Updated by Jim Pingle over 3 years ago

Updated by Pankaj Mathur over 3 years ago