Ethernet (Layer 2) Rules

pfSense® Plus software versions 23.05 and later include support for rule-based pass/block filtering of packets based on Ethernet (Layer 2) header attributes. These are known as Ethernet Rules.

Processing of these rules is not enabled by default and can be toggled under System > Advanced, Firewall & NAT tab.

When enabled, Ethernet rules are managed at Firewall > Rules, Ethernet tab.

Ethernet Rules Overview

Layer 2 Interfaces

Ethernet rules are capable of operating on Layer 2 (L2) header information which is not visible to traditional firewall rules. To accomplish this, Ethernet rules operate at Layer 2 (L2) and are only processed on interfaces which carry L2 data.

Traditional Ethernet and VLAN interfaces will work, but certain types of VPN and tunneling interfaces will not. For example, OpenVPN in TAP mode can carry L2 information, while IPsec, WireGuard, and OpenVPN in TUN mode cannot.

As a general rule, if an interface has a MAC address, then it is capable of carrying L2 data.

Warning

The firewall will not generate an error if the user attempts to apply an Ethernet rule on an interface which is not capable of L2. These rules can never be matched as a non-L2 interface is not capable of triggering Ethernet rules.

Captive Portal

Captive Portal uses Ethernet rules behind the scenes to pass users through the portal. This works no matter what the current state of the Ethernet rules option is as these rules are managed automatically and not via the Ethernet tab.

Warning

Be careful adding manual Ethernet rules to interfaces involved in Captive Portal. Manual Ethernet rules are processed before Captive Portal rules, so there is a potential for interference.

Stateless

Ethernet rules do not keep state. As such, while block rules can work on their own, when making exceptions to blocks it is best to add rules in pairs to cover both the inbound and outbound direction, with the source and destination values on the rule reversed for the opposing direction.

Default Behavior

When Ethernet rules are inactive, all L2 traffic (other than Captive Portal) is passed by default so it can then be processed at L3 by regular rules. This does not affect the behavior of L3 rules. Traffic is still blocked there by default as usual.

When Ethernet rules are active there is no automatic hidden rule to block Ethernet traffic by default. This preserves the existing behavior and makes it less likely that enabling the feature breaks connectivity by mistake.

If an administrator wants to block all L2 traffic by default, they can first craft a ruleset with appropriate pass rules and then follow that with a rule to block any other Ethernet traffic. As the potential for mistakes and disruption is extremely high, this is not considered a best practice at this time.

Aliases

Ethernet rules can use Aliases for L3 source/destination matching but there is no support for MAC Address aliases at this time.

Enabling Ethernet Rules

To enable Ethernet rules:

  • Navigate to System > Advanced, Firewall & NAT tab

  • Locate the Advanced Options section

  • Check Enable Ethernet Filtering

  • Click Save

Managing Ethernet Rules

To manage Ethernet rules, navigate to Firewall > Rules, Ethernet tab. From there, rules are managed using the list view similar to other rules.

Note

The Ethernet tab only appears while the Ethernet Rules function is enabled. If the tab is not visible, enable Ethernet Rules.

Configuring Ethernet Rules

When editing an Ethernet rule the available options are similar to those found on firewall rules and floating rules with the following differences:

Protocol

A protocol specific to layer 2 for which this rule will apply.

ARP

Address Resolution Protocol

IPv4

IPv4 traffic

IPv6

IPv6 traffic

IEEE 802.1X

Network authentication traffic

VLAN (C-Tag)

Customer VLAN tag (e.g. first level)

VLAN (S-Tag)

Service VLAN tag (e.g. second level, double tagged)

Other

A protocol not listed in the drop-down, set manually in Protocol Value.

Protocol Value

To specify a protocol not in the list, enter its 16-bit hexadecimal EtherType (e.g. 0xffff).

Source/Destination

Though Ethernet rules operate at L2, they can still act on the contents of the L3 source/destination (e.g. IPv4 or IPv6 addresses) in a packet using these fields.

Note

When setting a Protocol in addition to a Source or Destination, ensure the protocol matches the address family of the source/destination. For example, when using an IPv4 address in Source, either set the Protocol to IPv4 or Any.

MAC Filtering

Match a packet based on the L2 Source MAC Address or Destination MAC Address.

This option is in the Advanced Options section of the page.

Bridge To

When set, packets matching this rule will be sent out of the chosen interface without further processing. This can be used to send certain L2 packets out another interface, bypassing L3 rules (e.g. 802.1X authentication from an ISP).

This option is in the Advanced Options section of the page.

Package Support

There is a plugin hook available for packages to add their own Ethernet rules.

In the package metadata, define a filter rule callback:

<filter_rules_needed>package_rules</filter_rules_needed>

And then in the package PHP include file, add a function which returns the rules:

function package_rules($ruletype) {
    // The hook is called for several rule types; only emit rules for 'ether'
    if ($ruletype === 'ether') {
        return '# add an ether rule' . PHP_EOL;
    }
    // Return an empty string for any other rule type
    return '';
}
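A fuller version of that callback, written as an added example and not taken from pfSense or any package, ties the hook to two earlier points on this page: the Bridge To use case for 802.1X and the stateless pairing of pass rules. It assumes the pf.conf(5) "ether" rule syntax for the returned text, and the interface names (em0, em1) and MAC address are placeholders chosen for the example.

```php
<?php
/*
 * Added example (not pfSense's own code): a package filter-rule callback
 * that emits Ethernet rules as pf.conf "ether" rule text.
 * Assumptions, not from the documentation page:
 *  - pf.conf(5) ether rule syntax: ether pass|block [in|out] [quick]
 *    on <if> [bridge-to <if>] [proto <ethertype>] [from <mac>] [to <mac>]
 *  - em0 (LAN side), em1 (WAN side) and the MAC address below are
 *    placeholders; substitute the real interfaces and device address.
 */
function package_rules($ruletype) {
    // The hook is called for several rule types; only 'ether' is Layer 2.
    if ($ruletype !== 'ether') {
        return '';
    }

    $lan = 'em0';                        // placeholder LAN interface
    $wan = 'em1';                        // placeholder WAN interface
    $device_mac = '00:11:22:33:44:55';   // placeholder device MAC
    $rules = array();

    // "Bridge To": forward 802.1X frames (EtherType 0x888e) arriving on
    // the LAN straight out the WAN NIC, bypassing Layer 3 rules entirely.
    $rules[] = "ether pass in quick on {$lan} proto 0x888e bridge-to {$wan}";

    // Ethernet rules are stateless, so an exception is written as a pair:
    // one rule per direction with source and destination swapped. Here the
    // pair permits ARP (EtherType 0x0806) for one known device; because the
    // rules are "quick", they take effect ahead of any later block rule.
    $rules[] = "ether pass in quick on {$lan} proto 0x0806 from {$device_mac}";
    $rules[] = "ether pass out quick on {$lan} proto 0x0806 to {$device_mac}";

    // A block rule can stand on its own: drop any other ARP frames that
    // claim to come from that device's address on the WAN-side interface,
    // where it should never appear.
    $rules[] = "ether block in quick on {$wan} proto 0x0806 from {$device_mac}";

    // pfSense appends the returned text to the generated ruleset.
    return implode(PHP_EOL, $rules) . PHP_EOL;
}
```

Because manual and package Ethernet rules are processed before the Captive Portal rules, check the resulting ruleset against any Captive Portal interface before deploying a callback like this.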