LinuxQuestions.org


landysaccount 12-11-2008 03:00 PM

how to block mac after routed?
 
Hello.

I think I read something somewhere, but can't remember if it is true. Once a packet passes through a router, the sender's MAC address can't be known. Is that true?

Can I do this:

internet ----- debian router/fw (box1) ------ debian router/fw 2 (box2) ----- LAN

What I would like to do is serve a to anyone on the LAN from box2, then if someone wants to go out to the internet, block it based on MAC on box1. Why not block it on box2, you may ask? Well, I have a long script blocking all sorts of ports and other stuff on box2. If I insert some MAC filtering at the end or at the beginning of the script, then either the packets will not traverse through the entire script or it would allow access to the department or users I don't want to access the internet.

So, can I really block traffic based on MAC address on box1?

Thanks in advance for your help.

acid_kewpie 12-11-2008 04:09 PM

Your fears are right, it's impossible. A MAC address and the internet are real odd bedfellows. If you want to block MACs then you should surely want to stop ALL access, and that'd be best served by 802.1x authentication on the local switch. Most requests for this here are about not wanting to implement user-based authentication, which is always preferable, if more complex (well... it's possible, for one!)

stress_junkie 12-11-2008 04:14 PM

If you map your MAC addresses to specific IP addresses then you can block based on IP address unless box 2 is also a NAT machine. I would expect that you would put NAT on box 1.

Even if you use DHCP for your LAN you can map any hardware address to a permanent IP address on the DHCP server. I do this all the time when I want to have a specific IP address on a machine but I also want to enjoy the auto configuring benefits of DHCP.
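
The MAC-to-IP mapping described in the reply above, as an added example that is not part of the original thread: one inventory drives the DHCP reservations on box2 and the IP-based blocks on box1. The host names, addresses, policy column and function names are constructed for illustration, and it assumes ISC dhcpd on box2, iptables on both boxes, and no NAT on box2.

```shell
#!/bin/sh
# Constructed sample inventory: MAC, fixed LAN IP, internet policy, host name.
# Every value here is made up for illustration.
inventory() {
cat <<'EOF'
00:16:3e:aa:00:01 192.168.10.21 allow acct-pc1
00:16:3e:aa:00:02 192.168.10.22 deny  lab-pc1
00:16:3e:aa:00:03 192.168.10.23 deny  lab-pc2
EOF
}

# ISC dhcpd host declarations for box2 (the DHCP server facing the LAN):
# each MAC always receives the same address.
dhcpd_hosts() {
    inventory | while read -r mac ip policy name; do
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' \
            "$name" "$mac" "$ip"
    done
}

# iptables rules for box1: drop forwarded traffic from the "deny" addresses.
# Only meaningful while box2 routes without NAT, so box1 still sees LAN IPs.
box1_rules() {
    inventory | while read -r mac ip policy name; do
        [ "$policy" = deny ] || continue
        printf 'iptables -A FORWARD -s %s -j DROP\n' "$ip"
    done
}

# Optional rules for box2 (assumption: you accept a few extra lines there).
# The mac match works on box2 because it shares the LAN segment with the
# clients. Drop a reserved IP when it arrives from a different MAC.
box2_binding_rules() {
    inventory | while read -r mac ip policy name; do
        printf 'iptables -A FORWARD -s %s -m mac ! --mac-source %s -j DROP\n' \
            "$ip" "$mac"
    done
}

# Print everything so the output can be reviewed before it is applied.
dhcpd_hosts
box1_rules
box2_binding_rules
```

A DHCP reservation only hands out the address; it does not stop a host from being configured with a different one by hand, which is the gap the box2 binding rules cover.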


All times are GMT -5.