opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Feature Request: Firewall by mac address #2259

Closed fukawi2 closed 5 years ago

fukawi2 commented 6 years ago

It would be useful to be able to create firewall rules based on source mac address, similar to netfilter:

-A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

There seem to have been several queries for this feature in the past (below), but my specific use case is for a dual-stacked network. Without being able to firewall by mac, I have to do this instead:

  1. Create a static IPv4 DHCP lease.
  2. Create a static IPv6 DHCP lease.
  3. Create an Alias for both of the above static leases.
  4. Create firewall rule using the Alias in step 3.

(Alternatively, steps 3+4 could be creating separate IPv4 and IPv6 firewall rules instead of using an Alias, but it's still 2 steps)

If I could create rules by mac address, then I can consolidate all 4 steps into a single firewall rule.

The general suggestion seems to be to use the Captive Portal as a workaround, but this doesn't let me firewall by port/destination etc as well (eg, allow mac 45:23:54:31:43:12 port 22 destination address 192.0.2.123). I can either grant full access to a mac address or block it in full.

My understanding is that pf is not capable of handling Layer 2 traffic, but ipfw is which is already in OPNsense for the Captive Portal + Traffic Shaping functions.

I'm not overly familiar with BSD (hence I'm using OPNsense!) so I don't know exactly how complex this feature would be to create.

Previous queries for same/similar feature:
https://forum.opnsense.org/index.php?topic=7474.0
https://forum.opnsense.org/index.php?topic=2790.0
https://forum.opnsense.org/index.php?topic=5525.0

AdSchellevis commented 6 years ago

Yes, pf is used for our firewall and doesn't support mac address filtering indeed, although ipfw in our case doesn't use mac addresses either (it uses the system arp table and keeps track of changes).

Mac addresses are quite easy to spoof, which often creates a false sense of security when provided in firewall rules.

In combination with bridging there is an option to tag frames, although that likely would only work for a limited set of rules. (for example https://serverfault.com/questions/674480/how-to-block-mac-address-in-pf-firewall)

Long story short, I don't expect the option will enter our product.

fukawi2 commented 6 years ago

Thanks for your quick reply. Yes, spoofing mac addresses is a thing, but for most use cases it is sufficient. For example, I'm just trying to make sure my TV and printer don't start talking somewhere they shouldn't, while letting my mobile phone and desktop PC be a lot more free to establish connections. I don't expect my TV or printer to start spoofing its mac address to bypass my firewall (although maybe one day that will be a threat vector!).

I trust my users, I don't necessarily trust my devices.

muchachagrande commented 6 years ago

Maybe it can be accomplished using aliases. A new kind of alias that keeps the translation of a list of MAC addresses to the assigned IP addresses. With every new pair of MAC-IP in the ARP table, the corresponding MAC ALIASES TABLES could be updated. These aliases could be used to filter packets with pf. It's just an idea.

Actually, I use the same method as @fukawi2 described to filter devices on a WiFi VLAN.
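An added illustration of the MAC-to-IP translation described in the comment above: it parses FreeBSD-style `arp -an` and `ndp -an` output for a set of MAC addresses and produces the address list a pf table would be fed. This is example code, not OPNsense's implementation; the table output, interface names and table name are constructed.

```python
import re

# Constructed sample output in the format of FreeBSD `arp -an` and `ndp -an`.
# Addresses are documentation ranges, not real hosts.
ARP_SAMPLE = """\
? (192.0.2.10) at 45:23:54:31:43:12 on igb1 expires in 1172 seconds [ethernet]
? (192.0.2.20) at a0:b1:c2:d3:e4:f5 on igb1 expires in 300 seconds [ethernet]
? (192.0.2.1) at 00:11:22:33:44:55 on igb1 permanent [ethernet]
"""
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2001:db8::10                         45:23:54:31:43:12   igb1 23h59m58s S R
fe80::4723:54ff:fe31:4312%igb1       45:23:54:31:43:12   igb1 permanent R
2001:db8::20                         a0:b1:c2:d3:e4:f5   igb1 1h2m3s    S
"""

MAC_RE = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"


def normalize_mac(mac):
    # arp(8) may print single-digit octets ("a:b:..."); canonicalise to aa:bb form
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(text):
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\S+ \(([\d.]+)\) at (" + MAC_RE + r") on (\S+)", line, re.I)
        if m:
            pairs.append((normalize_mac(m.group(2)), m.group(1), m.group(3)))
    return pairs


def parse_ndp(text):
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not re.fullmatch(MAC_RE, parts[1], re.I):
            continue  # header line or unresolved entry
        addr = parts[0].split("%")[0]  # drop the link-local zone id
        pairs.append((normalize_mac(parts[1]), addr, parts[2]))
    return pairs


def resolve_macs(macs, arp_text, ndp_text, include_link_local=False):
    # Note the limitation raised earlier in the thread: these tables are
    # populated by what hosts claim on the wire, so a spoofed MAC shows up here.
    wanted = {normalize_mac(m) for m in macs}
    addrs = set()
    for mac, addr, _ in parse_arp(arp_text) + parse_ndp(ndp_text):
        if mac in wanted and (include_link_local or not addr.startswith("fe80:")):
            addrs.add(addr)
    return sorted(addrs)


def pf_table_command(table, addrs):
    # `pfctl -t <table> -T replace` swaps the table contents in one step
    return ["pfctl", "-t", table, "-T", "replace", *addrs]
```

Re-running the lookup whenever the ARP/NDP tables change is what keeps the alias current; a rule referencing the table then sees the client's IPv4 and IPv6 addresses together.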

AdSchellevis commented 5 years ago

timeout

fukawi2 commented 4 years ago

Can we revive this feature please? We've just replaced a Linux firewall internally at my work with an OPNsense cluster. Something we did a lot in the Linux firewall was firewall bypass (allows) by mac address. With a dual-stack IPv4 + IPv6 network, it's farrrr easier to allow (or block) a client on the local network by mac address, compared to:

  1. Creating a static IPv4 DHCP lease for the client.
  2. Enabling managed IPv6 RAs for the whole Layer 2 network.
  3. Creating a static IPv6 DHCP lease for the client.
  4. Using an alias or creating 2 firewall rules to allow/block both IPv4 and IPv6 addresses of the client.

Being able to have a single firewall rule to allow/block the mac address has far less management overhead, and less to go wrong.

somebody-somewhere-over-the-rainbow commented 3 years ago

In the current version of OPNsense I am actually able to create a "MAC-Alias" and use it in a firewall rule. Could anybody tell how this works (i.e. does it translate the MAC into IPs or another way)?

Thanks Alex

AdSchellevis commented 3 years ago

@alexw1982 https://docs.opnsense.org/manual/aliases.html#mac-addresses :)

somebody-somewhere-over-the-rainbow commented 3 years ago

Apparently I suck at googling - thanks!