PfSense, how to block one MAC address from accessing the Internet

Fritz

Well-Known Member
Apr 6, 2015
Been fighting with this all morning and I'm getting nowhere. Said PC can still access the Internet.

Using Captive Portal I've told it to block said MAC from the Internet. Got no errors, got no joy.

Google is useless as usual. Results make no distinction between PfSense and other devices. I did find some long out of date info that no longer applies to the current version.

Any help mucho appreciated.
 

MBastian

Active Member
Jul 17, 2016
Düsseldorf, Germany
In case you just want to prohibit that PC from accessing the Internet instead of shutting it out from your LAN:
If you can set a static IP for that MAC address you can just set a "no NAT" rule under Firewall -> NAT -> Outbound. I do that a lot when I want to make 100% certain devices or VMs can't access the internet if their VPN tunnel is down.

Either would not help if there is malicious intent involved. Changing a MAC address is easy. DE:AD:BE:EF:01:02 anyone?
 

Fritz

Well-Known Member
Apr 6, 2015
This is my HTPC. The malicious intent is Microsoft Telemetry. I figure I have to stop it via MAC address because no doubt it can call home during the boot up process.
 

RTM

Well-Known Member
Jan 26, 2014
Perhaps a better solution to your problem would be to put the HTPC on a separate VLAN (or physical interface on the firewall) where you configure the firewall rules to not allow internet access and perhaps reach your NAS or whatever it needs (since it is on your network, I assume it needs something).

That way it will not have internet access even if it changes its MAC address and/or configures a static IP.
Essentially it will limit access based on physical connectivity.
 

Fritz

Well-Known Member
Apr 6, 2015
I've never messed with VLANs because I have several switches in use. I could, however, plug the HTPC directly into the PfSense box.

Just can't figure out what the hell PfSense needs to block a single MAC address from the Internet. This should be simple but it's anything but. :mad:
 

Marsh

Moderator
May 12, 2013
If you do not want this PC to have internet access, remove the default gateway,
or use a bogus (blackhole) IP address as your default gateway.
 

Fritz

Well-Known Member
Apr 6, 2015
> If you do not want this PC to have internet access, remove the default gateway,
> or use a bogus (blackhole) IP address as your default gateway.

Nope, it can still phone home during boot up.
 

Mwilliamson

New Member
Aug 15, 2020
Fenton, Michigan, USA
* Disclaimer - No PfSense experience, just general network design experience *

You could try creating a static DHCP entry for the device, and then creating and applying an Access Control List (ACL, or whatever PfSense's equivalent is) that states the HTPC's IP address can access your subnets, and then explicitly denies access to any other subnets (the internet) that do not match. If you need to be really thorough, you could also apply an ACL on your egress that explicitly denies the HTPC's IP address access to exterior networks.

The essence here is you whitelist specific networks for the device to access, and then make sure the device is only ever assigned a particular IP address to enforce it. The static DHCP reservation will catch any request for an address on boot up (assuming it doesn't use random MAC addresses of course), assign it your specific IP address, and the ACL will deny any traffic from it not going to your local networks.

I apologize that I can't offer specific steps to follow, but I hope that points you in a useful direction.
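The two firewall-side approaches in this thread, MBastian's "no NAT" outbound rule and Mwilliamson's whitelist-local-then-deny ACL, expressed as a pf ruleset fragment in the style pfSense generates (an added example, not pfSense's own configuration or anything posted above; in the GUI the equivalents live under Firewall -> NAT -> Outbound and Firewall -> Rules -> LAN). Assumed values: LAN interface em1, WAN interface em0, LAN subnet 192.168.1.0/24, and the HTPC pinned to 192.168.1.50 by a DHCP static mapping.

```pf
# Added example (constructed): pf rules for an HTPC that may reach local networks
# but not the Internet. Interface names, subnets and the HTPC address are assumptions.
lan_if = "em1"
wan_if = "em0"
htpc   = "192.168.1.50"

# Networks the HTPC legitimately needs (NAS, printers, the firewall's own DNS).
# Add further local subnets here rather than widening the rules below.
table <local_nets> { 192.168.1.0/24, 192.168.10.0/24 }

# Layer 1 (MBastian's approach): exclude the HTPC from outbound NAT.
# NAT rules are first-match, so the "no nat" exception must precede the general
# nat rule. Without translation its private source address cannot leave the WAN.
no nat on $wan_if from $htpc to any
nat on $wan_if from 192.168.1.0/24 to any -> ($wan_if)

# Layer 2 (Mwilliamson's approach): allow only local destinations, drop the rest.
# "quick" rules are evaluated top to bottom, first match wins, so the pass rule
# must sit above the block rule. Logging the block lets you confirm in
# Status -> System Logs -> Firewall that the HTPC's outbound attempts are hit.
pass  in quick on $lan_if inet from $htpc to <local_nets> keep state
block in log quick on $lan_if inet from $htpc to any
```

Both layers only hold while the HTPC keeps the reserved address; a static IP on the host plus the DHCP mapping, as MBastian suggests, keeps them aligned.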
 

MBastian

Active Member
Jul 17, 2016
Düsseldorf, Germany
> This is my HTPC. The malicious intent is Microsoft Telemetry. I figure I have to stop it via MAC address because no doubt it can call home during the boot up process.

Unless it's ignoring the DHCP offer and actively searches for another free IP in the advertised network (or faking its MAC for that purpose) to send its telemetry data I can't see that happening if you have firewall rules in place. I really doubt that Microsoft would touch such a grey area. Ignoring its own configuration like /etc/hosts or network gateway is one thing, actively messing with a local network is quite another. Anyway, such a behaviour should be easily recognizable.

> The static DHCP reservation will catch any request for an address on boot up (assuming it doesn't use random MAC addresses of course), assign it your specific IP address, and the ACL will deny any traffic from it not going to your local networks.

Essentially what I also wrote. In the end Windows will need an active connection on your network to "call home".
If you're paranoid you could also set a static IP on the host, pin the MAC to the same IP in your DHCP server and modify your local DNS cache to override the Microsoft telemetry entries. Even more paranoid would be to only allow whitelisted MAC addresses to get an IP from your DHCP server.
 

RTM

Well-Known Member
Jan 26, 2014
The simplest suggestion, as far as I see it, is the one from Marsh; as far as I can see it should work just fine.
It reasonably depends on you trusting your computer to not configure a default gateway on boot (seems very unlikely), much like you are trusting it to not set a different MAC address or set a static IP address.

If you are saying you do not trust your system like this, you essentially have to do something along the lines of what I suggested, as it ensures that it will not be able to access the internet, regardless of whether the system configures a different MAC address or sets a static IP.