They are not all on the same broadcast domain, as Cisco and my other equipment provide a way of separating user-to-user traffic without using VLANs. That being said, I still get all broadcasts to the pfSense, as this is the only box all the users can talk to, so yes, I do see 1000+ ARP entries. The box is strong enough to handle it.

Thanks for clearing up the MAC address and pf. It makes sense to me hearing it from the pf developer side, and I'll take a look at using my core switch for blocking MACs.

Thanks,
Adam

Chris Buechler wrote:
On Fri, Feb 20, 2009 at 3:20 PM, [email protected] <[email protected]> wrote:
I guess my real goal is that anywhere an IP address can be used in pfSense, a
MAC address could be used also, but the MAC address would simply be replaced
with whatever its IP is in the ARP table. Of course some things like the
LAN IP, etc. would not work this way.


ipfw allows filtering by MAC address, and with captive portal (which
uses ipfw) you can achieve certain MAC filtering functions. The
original poster asked about bridging, which doesn't work with CP.

pf doesn't support MAC filtering. I had a discussion on this with
Henning Brauer, one of the primary OpenBSD pf developers, over a 3
digit bar tab in DC at DCBSDCon earlier this month. His stance is it's
stupid to use MAC addresses in your firewall rulesets - that's the wrong
place to control MAC addresses, that either needs to be done on
the switches (or APs if you're using wireless), or using static ARP,
if you really want to go to the trouble. It only applies to
same-subnet hosts so its functionality is limited there as well. It's
a ton of work for essentially no return though, at least not from a
true security perspective, which is how they tend to look at things.

I do see the case for it in some specific scenarios, I'm not dead set
against it as the OpenBSD guys are, but the chances of seeing this
functionality are slim. Options are some nasty hacks tying in ipfw,
which would be limited to pass/block, or some heavy lifting in C to
significantly modify pf. Neither of those are likely to happen.


I work with a very large DHCP network, 1,000+ users. I do not have any control
over the devices connecting, and the devices do not stay the same. Furthermore,
this is a wireless network, so users are roaming between access points.


With 1000+ users I would hope that they're not on the same broadcast
domain; there's a router involved somewhere before they get to the
firewall, which means the host's MAC won't even be available when the
traffic gets to the firewall.

DHCP reservations for hosts that require special treatment is the way to go.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
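The MAC-to-IP translation Adam describes, done as a script outside pf rather than inside it, as an added example that is not part of the original thread or of pfSense: it parses `arp -an` output (a constructed sample is embedded), resolves a list of MACs to the IPs the ARP table currently holds for them, and builds the `pfctl -T replace` call for a pf table. MACs that are not in the ARP table stay unresolved, which is the same-subnet limitation Chris points out; the table name `mac_blocked` and all addresses are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `arp -an` in the FreeBSD/pfSense format (not a real capture):
# unpadded octets as ether_ntoa(3) prints them, an incomplete entry, one MAC at two IPs.
SAMPLE_ARP_OUTPUT = """\
? (10.10.0.1) at 00:0c:29:aa:bb:01 on em1 permanent [ethernet]
? (10.10.0.57) at 0:1b:63:de:ad:1 on em1 expires in 1185 seconds [ethernet]
? (10.10.0.58) at 00:1B:63:DE:AD:02 on em1 expires in 900 seconds [ethernet]
? (10.10.0.99) at (incomplete) on em1 expired [ethernet]
? (10.10.0.120) at 0:1b:63:de:ad:1 on em1 expires in 30 seconds [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
                      r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) on")

def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, each octet zero-padded to two hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_table(text: str) -> Dict[str, List[str]]:
    """Map each resolved MAC to every IP the ARP table shows for it. Incomplete
    entries have no MAC and are skipped; a MAC seen at several IPs keeps all."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table.setdefault(normalize_mac(m["mac"]), []).append(m["ip"])
    return table

def resolve_macs(wanted: Iterable[str], arp_text: str) -> Tuple[List[str], List[str]]:
    """Translate MACs into IPs pf can match on. A MAC absent from the ARP table
    (off-subnet or silent host) cannot be matched at all; it is returned as unresolved."""
    table = parse_arp_table(arp_text)
    ips: List[str] = []
    unresolved: List[str] = []
    for mac in wanted:
        hits = table.get(normalize_mac(mac))
        if hits:
            ips += [ip for ip in hits if ip not in ips]
        else:
            unresolved.append(normalize_mac(mac))
    return ips, unresolved

def pfctl_replace_command(table_name: str, ips: List[str]) -> str:
    """pfctl(8) call that loads the IPs into a table a rule such as
    `block in quick from <mac_blocked>` refers to (hypothetical table name)."""
    return f"pfctl -t {table_name} -T replace " + " ".join(ips)
```

Run it periodically (cron) so the table tracks ARP changes; a host that re-leases to a new IP is only caught on the next refresh, which is one reason the switch or a DHCP reservation is the more reliable place to do this.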