Question about firewall rules for domain only computers
-
Hi
I was wondering if someone could shed somelight, Currently been looking around though guides how to filter only computers to have internet access, as pfSense has an option about mac filtering, but as we have computers in the domain we want to only allow domain computers to have internet access, i was reading a bit i assume i need to try to implement RADIUS authentication server, but would i install the RADIUS authentication server on pfSense? or on the windows server? to send the info to pfSense? Im also going to assume this would apply all devices including WIFI as there are going to be in the same LANThanks
-
what you have is a domain and you want to filter a pass or block rule which allows only domain computers out to the internet?
What computers in the domain don't belong to the domain?
Am I on the right track?
-
@The-Party-of-Hell-No hi there yeah correct only let domain computers to have internet the rest to deny, but let's say I would want to add an exception I would like to add it though Mac address
-
@killmasta93 It would help to have an answer to my question:
What computers in the domain don't belong to the domain? I am thinking if these devices are assigned IP addresses by your pfSense then they are part of the domain?
If they are devices remote connecting and you don't want them access the internet through the pfsense box a block rule would work blocking all IP's from the remote tunnel.
-
@The-Party-of-Hell-No thanks for the reply, what we want is to prevent users to bring their own computers like Mac books or windows that can connect though cable, to avoid them using the network unwisely
-
@killmasta93
This is going to be timely since pfsense is moving away from ICS DHCP server. DHCP Server - Interface - MAC address Control - would you not enter in the known accepted MAC addresses in the interface, or if just a few violators entered in the blocked MAC addresses?
I assume you do not use static mappings - if you did you could compile a list and create a alias comprised of these IP's and create a block rule on the WAN. In fact what about assigning a static mapping for only the offenders - assuming they are the smaller cohort and then use a alias IP block list? -
@The-Party-of-Hell-No
Thanks for the reply,
Correct dont use static mapping, as we have lots of computers which would be complicated, which is why i thought to user the domain computers as the filter, i was reading a bit about RADIUS but not sure if this would apply
I had a friend that was able to do the same but using sophos firewall to allow only domain computers to have internet -
@killmasta93 How many people are violating the rules? You do not have to assign everyone to a static IP , you could assign the few rule breakers static IP's , create an alias of those IP's and use it to block access. How rampant are the rule breakers?
-
@killmasta93 Once they plug into the network they become part of the domain
-
@The-Party-of-Hell-No what happened is that we found some users bringing computers and connected though WIFI and LAN so we would want only domain joined computers in the domain to be able to use Internet or alteast to give DHCP
-
@killmasta93 would you not agree... if they plug into the network and receive a legitimate IP from the DHCP server they are now part of the domain? If they have not become part of the domain where do they lie in your network. and if they are defined differently how can you identify them as not belonging and block them.
-
@The-Party-of-Hell-No hi there, so after reading a bit it seems that i need to implement RADIUS, when i mean part of a domain meant domain joined computers with AD
-
@killmasta93
The freeRadius server would do this. Any employee sneaking in their personal laptop or tablet would not hookup because of the lack of certificates and access to the FreeRadius server.
The problem with my plan below is to create the static ARP list you have to have employees laptop and tablets network adapter MAC addresses - difficult to get.Before you go forward, from my perspective you are would be using as much labor to implement the FreeRadius server as to use static ARP entries on the DHCP server.
Realistically, how many employees/workers are actually getting on the domain and access the internet inappropriately? It does not make sense to lock down everyone when the culprits are , 10%, 5%. Way easier, in my opinion, to assign a static ARP on your LAN for the few violators, develop an alias from this list and put a block list to the internet from the LAN.
As you catch other employees it is easy enough to add. -
@The-Party-of-Hell-No Yeah it seems that it must be implemented as we have around few 100s computers, my question is whats the recommended setup? running free radius from pfSense? or from windows? would the free radius authenticate for the DHCP?
-
@killmasta93
well freeradius is built in to pfsense, to me it makes sense to take advantage of already existing service. No I think there are two processes the DHCP will hand out an I{P and then the validation via the radius server would follow.