can mac address filtering be done from the internet?
Hi folks!
I'm just curious. I have a working VPN setup right now. What bothers me is that there might be a time when a VPN client will be compromised. So as a precaution, with the help of a firewall using iptables, for example, I will just allow all those MAC addresses that are supposed to be allowed and block those which are not in my list. So if I have a "false client" which got its keys from a compromised VPN client, even if it succeeds at the VPN authentication it will still be useless, because no traffic can be done, since of course the MAC address is not one of the allowed ones. (But of course I'm not discounting the possibility that the MAC address will be spoofed too..) But now I just want a clear view of whether MAC address filtering can be done in this situation..
MAC addresses are for layer 2 communications, i.e. in a single subnet. There may be vendor proprietary extensions to permit filtering of what is, at the layer 3 VPN stage, wholly arbitrary data, but as standard, it just doesn't really make "sense". Proper cryptography with certificates and such is a much, much better approach.
Ok.. I'm there! So what would be the best solution for my problem? I just want to bind certain VPN certificates/keys to the right machine, so that even if those keys were stolen they will be of no use anymore..
The only MAC address that you will see for a session initiated from outside your LAN is that of the gateway router.
In normal TCP communication you would never see the MAC address of the remote machine. That source MAC address would be stripped off when the packet is marshalled to be sent over the internet.
The source/destination MACs are then used to get the packet from one router hop to the next, and then, once it's at the destination subnet, from the remote gateway router to the destination client.
So in short, you can only rely on MAC filtering for devices on a local subnet.
This is the long version of what mr kewpie has said already
:0)
Thank you all for the clarifications. So even if you're operating under a VPN you really cannot trace MAC addresses?
Pardon me, people, but I have read something like: when you are on a bridged type of VPN (that means clients were given IPs in the same local subnet), even in this situation you can't track the MAC address? I also found something on the internet that points out how to block VPN clients through their MAC address. I just forgot the URL, but I'll post it here as soon as I find it. I need more clarification because I'm confused about whether it's really possible, because if it is then I would switch to a bridged VPN.
Well, implicitly, if it is a bridge then yes you can, but that's not the normal way a VPN would operate, and it's not really even a VPN thing. If it's a bridge, then it's layer 2, and as described above it is effectively still a single subnet.
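To make the bridged-versus-routed distinction from the replies above concrete, here is an added example (not from anyone in this thread): a MAC allowlist check applied to an Ethernet frame as a bridged (tap, layer 2) VPN interface would see it, beside a routed (tun, layer 3) packet that has no Ethernet header and therefore nothing to filter on. The allowlist, frames and IPv4 header are constructed sample data.

```python
import struct

# Constructed sample allowlist: the MACs of the machines that should pass.
ALLOWED_MACS = {"02:00:00:00:00:aa"}

# Constructed sample: a 20-byte IPv4 header, no options, checksum left zero.
# This is exactly what a tun interface hands you: the IP header is at byte 0.
IPV4_HEADER = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0,
                     10, 8, 0, 2, 10, 8, 0, 1])


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return fmt_mac(dst), fmt_mac(src), ethertype, frame[14:]


def tap_frame_allowed(frame: bytes, allowlist=ALLOWED_MACS) -> bool:
    """Bridged VPN: the client's own source MAC is in the frame, so it can be
    compared against the allowlist. Note the MAC is whatever the client wrote
    into the frame, so this is a filter, not proof of identity."""
    _, src, _, _ = parse_ethernet(frame)
    return src in allowlist


def tun_packet_source_mac(packet: bytes):
    """Routed VPN: tun delivers bare IP packets. There is no link-layer header,
    so there is no source MAC; None makes that explicit."""
    if packet[0] >> 4 not in (4, 6):
        raise ValueError("not an IP packet")
    return None


def build_frame(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Construct a minimal Ethernet II frame around an IPv4 payload (0x0800)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    good = build_frame("02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff", IPV4_HEADER)
    bad = build_frame("02:00:00:00:00:bb", "ff:ff:ff:ff:ff:ff", IPV4_HEADER)
    print(tap_frame_allowed(good), tap_frame_allowed(bad))  # True False
    print(tun_packet_source_mac(IPV4_HEADER))               # None
```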