# Limit network access by MAC address?



## mcgee (Oct 20, 2010)

Suppose I'm using an 8.1R box as a gateway (router/dhcp/nat) handling connections from a private network to an uplink.  Is there a simple toolkit I could use to implement layer 2 access control for that private subnet?

I want to provide two kinds of access:

1. For hosts we already know about (by a list of their MAC addresses), they get unrestricted access through the gateway;
2. For hosts we don't know, the only thing they can do is access a web server where the user can enter a password, which causes their MAC address to be added to the list of known hosts, and they thereby gain full network access;

Of course MACs can be spoofed, but the risk is low enough to ignore in this case.


----------



## aragon (Oct 20, 2010)

ipfw(8) can filter by MAC address.


----------
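
An added example, not part of any post in this thread: a small sh generator that turns a MAC allow-list into ipfw(8) layer-2 rules, so listed hosts pass and everyone else can reach only DHCP and the gateway itself. It assumes `em1` is the private-side interface, that the password page runs on the gateway, and that the IP-layer rules (NAT and so on) already exist in the ruleset; the function names and rule numbers are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit ipfw(8) layer-2 rules from a MAC allow-list.
# Assumed: em1 = private-side NIC, portal web server runs on the gateway itself,
# IP-layer rules (NAT etc.) already exist elsewhere in the ruleset.

# Print the lower-cased MAC; return 1 unless it has the form aa:bb:cc:dd:ee:ff.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# gen_rules IFACE < allowlist   (one MAC per line, '#' starts a comment)
gen_rules() {
    ifc=$1
    n=1000
    # Without this sysctl, Ethernet frames never reach ipfw and MAC rules match nothing.
    echo "sysctl net.link.ether.ipfw=1"
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        if mac=$(norm_mac "$line"); then
            # MAC takes destination first, then source: "any <src>" matches the sender.
            echo "ipfw add $n allow ip from any to any MAC any $mac layer2 in via $ifc"
            n=$((n + 10))
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
    # Unknown hosts: DHCP and traffic addressed to the gateway (the portal) only.
    echo "ipfw add 5000 allow udp from any 68 to any 67 layer2 in via $ifc"
    echo "ipfw add 5010 allow ip from any to me layer2 in via $ifc"
    echo "ipfw add 5020 deny ip from any to any mac-type ipv4,ipv6 layer2 in via $ifc"
    # ARP and all other layer-2 frames pass; the IP-layer rules still apply afterwards.
    echo "ipfw add 5030 allow ip from any to any layer2"
}

# Constructed sample list; prints the commands instead of running them.
gen_rules em1 <<'EOF'
00:1b:21:aa:bb:cc   # constructed example host
00:1B:21:DD:EE:FF
not-a-mac
EOF
```
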



## Savagedlight (Oct 21, 2010)

Keep in mind MAC addresses are *easy* to spoof.
`# ifconfig interface ether 01:23:45:67:89:01` (I think that's the syntax anyway)


----------

