Inexpensive switch MAC filtering

Hello all! I want to wire up a few outdoor items to my Ethernet. My question is: how do I prevent someone from just plugging their laptop into my cable?

I was wondering, is there an inexpensive switch someone knows about with a filter for the MAC by port? Basically only my outdoor AP or camera would function; anything else would not.

Curious how you have solved the problem and/or if you know of such a switch.

I had considered that for a while on my external cameras!

My approach was to put them on their own VLAN, heavily locked down, only email notifications leaving the WAN, and add 802.1x for Ethernet (I had it already on my wifi, did not realise it could be used for Ethernet connections too), so a username and password is required for that connection.

You’ll just need a VLAN-capable switch and FreeRADIUS; it’s on pfSense for me.

There were “other-things” my Netgear manual suggested on a port basis, but I found the above approach easier. However, your camera has to support 802.1x.


I’m not sure if pfSense has this feature, but for example DrayTek has an option called strict bind IP to MAC, so if you plug something into the network it doesn’t get an IP until you log in and assign it one based on its MAC address. You can assign this option to just parts of your network; it doesn’t have to be all.

It’s not as secure as 802.1x, but if you aren’t worried about someone going as far as finding a camera MAC and cloning it, it may be a good idea.


I would look at a used Cisco Catalyst 2960 or any Catalyst switch really. You can use what they call sticky MAC and also set a port to shut down should a different MAC address appear on that port. You should be able to find one between $100-$200.

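For reference, the Catalyst sticky MAC setup described above looks like this in IOS. This is an added illustration, not configuration from the thread; the interface name, VLAN 20 and the 5-minute recovery interval are assumptions.

```cisco
! Added example: lock one access port to the first MAC it learns (the camera/AP)
! and err-disable the port if any other source MAC shows up.
interface GigabitEthernet0/1
 description Outdoor camera (assumed interface)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring an err-disabled port back automatically after 300 seconds
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification after the camera has been plugged in and learned:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
! Save so the sticky address survives a reload:
!   copy running-config startup-config
```

The learned sticky address is written into the running configuration as a `switchport port-security mac-address sticky <mac>` line, so it survives a reboot only once the config is saved.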

@neogrid @FredFerrell @anon31769429 thanks for all the feedback, will do some research on the ideas you have given me.

As of now the outdoor cables are on their own subnet (vlan). So I do plan to isolate that from the rest of my network via firewall rules. But I like the option of a second layer if possible.

How many ports do you need, and do you need PoE? And if PoE, what flavor?

If you only need a 5 port switch without PoE, the MikroTik CSS106-5S-1G may be good enough. I have 2 and they were under $40 each new when I bought them. But they have a “unique” configuration method. Not anything like Cisco. GUI only. No HTTPS, just HTTP, but you can limit access to the management plane by port or VLAN. They are pretty flexible in the capabilities they have.

The MikroTik CSS106-5S-1G has the ability to disable MAC learning (the Port Lock feature in the Forwarding section). You then have to define static hosts or use the lock on first feature, and be the first device plugged into the port. Be aware that some devices spoof multiple MACs, so you may still need to use the static MAC feature. If you get the CSS106, you can port mirror and capture data to watch traffic on the port while you reboot, cycle power, unplug/replug, etc. to see if it is using more than a single MAC address. Then you can lock it. You could also look at the MAC address table (which is displayed under the “host” tab).

https://wiki.mikrotik.com/wiki/SwOS/CSS106
https://wiki.mikrotik.com/wiki/SwOS/CSS106#Forwarding
https://wiki.mikrotik.com/wiki/SwOS/CSS106#Static_Hosts


Thanks, that’s a good one, the MikroTik.

I would love to have PoE, but I have the injectors already; they came with the equipment I am setting up. Only need two, possibly 3 ports. It is for my house.

I am eyeing the Flex Mini switch, trying to read up on whether it supports the MAC filter on ports.
I am not overly worried about MAC spoofing, mainly trying to have a layer of security so that any old Joe can’t just plug up.
I plan on securing the VLAN also, as it is for running my Christmas light show. It does not need internet access; I just need one line in for setup and config from my primary laptop. It would not even be difficult if I just turn it on when I need it. But it’s comfort to know that I have a second layer of MAC filter. I am also out of ports on my primary switch.

It may actually be funny if they do, as I have passive PoE on the port; they may smoke something… lol