Add an option to block private/random MAC addresses #8063
Comments
While FreeBSD has gained separate Ethernet-based rules these days, “pf” is still a layer 3 firewall and integration needs to be considered on a popular request basis. So your ticket is a start, yet we still have some time to go to see if this makes sense in the product given the work it will create for development and/or if this makes sense on a strategic project level. Cheers,
Thanks for the fast answer ;-) Maybe it's possible to start with DHCP blocking those MAC addresses. It's possible to block all private MACs if adding a .conf-file in /usr/local/etc/dhcpd.opnsense.d with the following content:
But this goes to the global scope. Maybe it can be put in the network scope, so we can use it per subnet/interface. And yes, I know ISC DHCP is deprecated, but maybe there's an option for KEA, too. This would help in IPv4-only environments and should not be too large a problem to implement, I hope ;-)
This would be great to implement!
Is your feature request related to a problem? Please describe.
I want to block users from using private/random MAC addresses. Firewall aliases need 3 words of the MAC at minimum to match a partial MAC address. To block private MAC addresses we need only the first word of the MAC address to match.
Describe the solution you like
Allow MAC addresses with only the first word of the MAC address in MAC aliases or with DHCP
Describe alternatives you considered
There is an option to block private MACs on DHCP level, but that only works for IPv4 and only if one wants to block private MACs in all subnets. In pfSense and other products this is possible at least with the DHCPv4 server. But it would make more sense to block traffic on firewall level, as it should work with IPv4 and IPv6.
I know that filtering by MAC address is not secure, but it would stop ordinary users from using private MAC addresses. In a private/company network one wants to know which devices are connected.
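The match the request asks for comes down to one bit: a randomized ("private") MAC is a locally administered unicast address, so bit 0x02 of its first octet is set and bit 0x01 is clear. The following is an added example, not part of the issue or of OPNsense, that flags such addresses in constructed `arp -an`-style lines; the function names and the sample data are assumptions made for illustration.

```python
import re

# A MAC written as six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2})((?:[:-][0-9A-Fa-f]{2}){5})\b")


def is_locally_administered(mac: str) -> bool:
    """True for a locally administered *unicast* MAC.

    First octet: bit 0x02 (U/L) set means locally administered,
    bit 0x01 (I/G) set means multicast/broadcast. Unicast addresses
    with U/L set have 2, 6, A or E as their second hex digit.
    """
    m = MAC_RE.fullmatch(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(m.group(1), 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def find_private_macs(lines):
    """Return (mac, line) for each line containing a locally administered MAC."""
    hits = []
    for line in lines:
        m = MAC_RE.search(line)
        if m and is_locally_administered(m.group(0)):
            hits.append((m.group(0).lower(), line))
    return hits


# Constructed sample, shaped like FreeBSD `arp -an` output.
SAMPLE = [
    "? (192.168.1.10) at 00:1b:21:3a:4f:10 on igb1 expires in 1187 seconds [ethernet]",
    "? (192.168.1.23) at da:a1:19:0b:7c:e4 on igb1 expires in 902 seconds [ethernet]",
    "? (192.168.1.31) at 76:5E:2F:90:AA:01 on igb1 expires in 455 seconds [ethernet]",
    "? (192.168.1.255) at ff:ff:ff:ff:ff:ff on igb1 permanent [ethernet]",
]

if __name__ == "__main__":
    for mac, line in find_private_macs(SAMPLE):
        print(f"locally administered: {mac}  <-  {line}")
```

Locally administered addresses are also used by virtual machines, containers and bridge interfaces, so a hit identifies the address class, not necessarily a phone with MAC randomization enabled.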