15.6. Does m0n0wall support MAC address filtering?

Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be able to use to achieve the desired end result.


There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.

15.6.1. Using Captive Portal and MAC pass-through

You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

  1. Enable Captive Portal on the desired interface (e.g. LAN) at the Services -> Captive Portal screen. Create a HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.

  2. Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.

15.6.2. Using DHCP reservations and firewall rules

First, set up your DHCP scope. At the bottom of the Services -> DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.

15.6.3. Using Static ARP

You can ensure certain MAC addresses can only use a certain IP by using static ARP.

To add a static ARP entry, use /exec.php to run the arp command.

arp -s ab:cd:ef:12:34:56

To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.

? ( at ab:cd:ef:12:34:56 on sis2 [ethernet]

This change will not survive a reboot. You need to put the arp -s command in your config.xml in <shellcmd>. See this FAQ entry for more information on hidden config.xml options


An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.