On 6/6/2011 9:30 AM, Luke Jaeger wrote: > I run a school network where students and teachers sometimes bring in > personal laptops. > > Is there a way to filter these by MAC address so that teachers get > access to certain resources (such as printing) and students don't? > Or do I have to set up a separate wireless network for teachers only?
About the best you can do there would be, as someone else mentioned, to assign them into a certain range of addresses based on their MAC. However both the MAC and IP address are easy for anyone to change, especially someone motivated to get increased network access. Like someone who is just dying to get on Facebook because they haven't checked it in the last 7 minutes. :-) Separating the different access classes by interface is best, that interface can be a physical interface/switch, VLAN, SSID (also mentioned elsewhere in replies), and so on. Another option that may work better would be to run a VPN server on that interface, such as OpenVPN. The teachers would have a VPN client on their laptop that they can use to connect and then route through that to get increased access. You could also do this with IPsec or other VPN types, but OpenVPN for me has the best track record for working properly and doing what is expected. That last method is the only way I would recommend having multiple levels of access on a single network. Anything else would be too easily spoofed. Jim --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org
