Trying to block device by MAC address in pfSense. No luck

Managing pfSense, I found out I do not have a solution for blocking a device on one of my networks by its MAC address. The only solution I found is to set a static IP in DHCP and later block it by firewall rules, but I don't think that is the best solution for me.

Because in my scenario on that network I have a couple of APs with different SSIDs but on the same DHCP. That is another issue I am still trying to figure out.
Wi-Fi is over an Omada controller, but I want pfSense to handle the IP assignment and rules. I personally trust it more than Omada.

So if I block that device from accessing that network then it doesn't get access at all, and I don't want it to access a specific SSID on that network.

Any suggestions?

Thanks in advance

You cannot apply rules in pfSense based on MAC address. You can configure the device in question to use a static IP address or set up a static DHCP binding and then block based on IP address. Or you can prevent the device from connecting to the wireless network altogether by setting up MAC filtering on the WiFi. Either way, you’re merely adding convenience, not security. MAC addresses are easily spoofed.

If you look at the problem the other way around and only allow authorised devices onto the network, then you can use RADIUS on pfSense for network access, and it's easy to revoke access if you need to. RADIUS works well with the Omada controller.


The paid version of pfSense has “Ethernet Rules”. I have been testing these rules for blocking the kids' cell phones at night by their MAC addresses.

When enabled, this is what shows up in Firewall / Rules / Ethernet / Edit in the advanced section of the rule:

No need for screenshots, here are the docs for the Layer 2 rules:

https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html


Depending on the phone, it will generate different MAC addresses; it will not have a static MAC address.
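The point about phones not keeping a static MAC is easy to check from the DHCP side. Modern iOS and Android generate a per-SSID "private" address, and those addresses are locally administered in the IEEE sense, i.e. the 0x02 bit of the first octet is set (second hex digit 2, 6, A or E). The script below, added here as an example and not part of the thread, parses lease records in the ISC dhcpd.leases style that pfSense's DHCP server has traditionally written and flags the clients whose MAC is randomised. The lease text is constructed, not a real capture; the regular expressions are assumptions about that text layout, not a general dhcpd.leases parser.

```python
"""Flag DHCP leases whose client MAC is a locally administered (randomised) address.

Added example, not from the thread. The lease text below is constructed, not
captured from a real pfSense box; the field layout follows the ISC dhcpd.leases
style loosely and the regexes are written for this sample only.
"""
import re

# Constructed sample in ISC dhcpd.leases style (not a real capture).
SAMPLE_LEASES = """\
lease 192.168.20.51 {
  starts 3 2024/01/10 20:01:12;
  hardware ethernet 3c:22:fb:11:22:33;
  client-hostname "kids-tablet";
}
lease 192.168.20.52 {
  starts 3 2024/01/10 20:05:44;
  hardware ethernet da:a1:19:44:55:66;
  client-hostname "Pixel-7";
}
lease 192.168.20.53 {
  starts 3 2024/01/10 20:07:03;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(
    r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)"')


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    IEEE 802 marks such addresses as locally administered; the private MACs
    that iOS and Android generate per SSID fall in this range. A clear bit
    means a vendor-assigned (OUI) address, which is stable across reboots.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> list[dict]:
    """Return one dict per lease record: ip, lower-cased mac, hostname ('' if absent)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac_m = MAC_RE.search(body)
        if not mac_m:
            continue  # record without a hardware address; nothing to classify
        host_m = HOST_RE.search(body)
        leases.append({
            "ip": m.group("ip"),
            "mac": mac_m.group("mac").lower(),
            "host": host_m.group("host") if host_m else "",
        })
    return leases


def randomised_clients(text: str) -> list[dict]:
    """Leases whose MAC will not survive as a static-mapping key."""
    return [lease for lease in parse_leases(text)
            if is_locally_administered(lease["mac"])]


if __name__ == "__main__":
    for lease in parse_leases(SAMPLE_LEASES):
        tag = "RANDOMISED" if is_locally_administered(lease["mac"]) else "vendor"
        print(f"{lease['ip']:<16} {lease['mac']}  {tag:<10} {lease['host']}")
```

Anything this flags is a poor candidate for a static DHCP mapping or an Ethernet rule keyed on MAC: the phone will present a different address the next time private addressing rotates or when it joins a different SSID, which is exactly why the RADIUS or per-VLAN approaches suggested elsewhere in the thread hold up better.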

Another way of controlling one set of users while letting other users access the internet is to use a schedule.

If you were to put your children on their own VLAN, then you can control access to the WAN with a rule that includes a schedule, while at the same time still allowing access to the LAN if they need it, for example. Users on other VLANs would obviously be unaffected.

Another benefit would be for that VLAN to use a more restrictive DNS provider, blocking porn etc.

I was just replying to the OP's wanting to filter MACs. The feature is there. There are many ways to solve their requirements.

Thanks to all you guys who took the time to respond and give some choices, but I'm still on the same page. I probably did not explain myself well. I will put it together in a different way for you guys to understand and give me better solutions.