Netgate Discussion Forum

Security with dhcp and MAC addr

  • S
    srs
    last edited by Apr 13, 2007, 2:03 AM

    Hey guys! I hope you are fine.

    One more time I'd like to say how pfsense is a fantastic network router/set of tools and congratulate every one of the developers for their work.

    Here is my question:

    In one physical network I gotta have two routers (pfsense sure), with different squid rules and wans… This way I would like: to use dhcp server; for this to work, in the same network, each dhcp server should deliver ip addresses only for a particular list of MAC addrs. ok?
    this way a computer from network A (with its specific rules) will never get from dhcp an ip address from network B;

    Here come the questions:
      a) this mac addresses list should be in DHCP server? is there any other way of configuring it?
      b) the big trouble of this solution is the possibility that a user from network A sets up manually an ip address from network B and gains its privileges... is there a way of blocking mac addresses in order that the NIC only works in that network??
      c) all this can be done with pfsense?? can you give me an overview of how that can be done?
    thanks again

    srs

    • G
      GruensFroeschli
      last edited by Apr 13, 2007, 5:32 AM

      2 DHCP on same Physical Network == BAD

      I don't know if that's possible but maybe with some hacking you could bypass the check if the IPs that are being assigned are within the range of your LAN-NIC.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • S
        srs
        last edited by Apr 15, 2007, 9:00 PM

        Yes I'm really worried about having two dhcps on the same physical network, but it seems I have no option since I need to separate these two networks that will use different rules for internet access… ???

        for now I really would like to know if I can assign a mac number in my dhcp server in order that one ip number may be released only for that MAC... in pfsense can I do that?

        thanks a lot and I accept suggestions for this config  ;D

        srs

        • H
          hoba
          last edited by Apr 15, 2007, 10:28 PM

          Add all the macs you need to the list at the bottom of the dhcp server page. Then enable "deny unknown clients" and "static arp". Now only the listed clients should get an IP from this dhcp server and static arp should take care that only the listed macs are allowed to talk to the pfSense.

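The static mappings and static ARP that hoba describes, turned into a check an administrator could run before enabling them (an added example, not part of the thread or of pfSense itself): it compares `arp -an` output with the mapping list and reports NICs that are unlisted or that use an address other than their mapping. The MAC addresses, IPs, the `em1` interface name and the sample ARP output are constructed, and the FreeBSD `arp -an` line format is assumed.

```python
import ipaddress
import re

# Constructed static mappings (MAC -> the one IP the DHCP server hands that NIC),
# standing in for the list at the bottom of the pfSense DHCP server page.
STATIC_MAPPINGS = {
    "00:00:5e:00:53:01": "10.0.0.10",
    "00:00:5e:00:53:02": "10.0.0.11",
}

# Constructed sample of `arp -an` output in the FreeBSD format (assumed).
SAMPLE_ARP = """\
? (10.0.0.10) at 00:00:5e:00:53:01 on em1 permanent [ethernet]
? (10.0.0.150) at 00:00:5e:00:53:02 on em1 expires in 1187 seconds [ethernet]
? (10.0.0.42) at 00:00:5e:00:53:99 on em1 expires in 904 seconds [ethernet]
? (10.0.0.77) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}) on (?P<ifname>\S+)"
)


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so MACs compare reliably."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def audit_arp(arp_output, mappings, interface):
    """Return (kind, mac, ip) findings for hosts that violate the mappings."""
    expected = {normalize_mac(m): ipaddress.ip_address(ip)
                for m, ip in mappings.items()}
    findings = []
    for line in arp_output.splitlines():
        match = ARP_LINE.search(line)
        if not match or match["ifname"] != interface:
            continue  # skips "(incomplete)" entries and other interfaces
        mac = normalize_mac(match["mac"])
        ip = ipaddress.ip_address(match["ip"])
        if mac not in expected:
            findings.append(("unknown-mac", mac, str(ip)))  # NIC not in the list
        elif expected[mac] != ip:
            findings.append(("wrong-ip", mac, str(ip)))  # manually set address
    return findings


if __name__ == "__main__":
    for kind, mac, ip in audit_arp(SAMPLE_ARP, STATIC_MAPPINGS, "em1"):
        print(f"{kind}: {mac} is using {ip}")
```

A `wrong-ip` finding is the case from question (b): a listed NIC that has been given an address by hand instead of the one in its mapping.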
          • S
            srs
            last edited by Apr 29, 2007, 1:15 AM

            that's great hoba, but can I ask you one more question??

            Can I have in the same dhcp server more than one network range or subnet??

            I mean the same dhcp server broadcast ip's for two subnets, something like that:

            subnet 10.0.0.0 netmask 255.0.0.0 {
                range 10.0.0.1 10.0.0.100;
                option subnet-mask 255.0.0.0;
                option broadcast-address 10.0.0.255;
                option routers 10.0.0.200;
                option domain-name "my-domain.org";
                option domain-name-servers 200.x.x.x;
            }

            subnet 10.0.0.0 netmask 255.0.0.0 {
                range 10.0.0.101 10.0.0.190;
                option subnet-mask 255.0.0.0;
                option broadcast-address 10.0.0.255;
                option routers 10.0.0.201;
                option domain-name "my-domain.org";
                option domain-name-servers 200.x.x.x;
            }

            In this case I keep using the solution you gave me back, broadcasting specific ip's for specific MACs in order to allow each computer only use its specific network, but the difference from my first question is that now I do not have two dhcp servers in the same physical network, but only one broadcasting two ranges of networks for all the computers…

            still in this case I will have two pfsense servers, 10.0.0.200 and 10.0.0.201, but 201 will not use dhcp server, but will have different configurations for its clients.

            How about??

            thanks a lot one more time!

            ;)

            • S
              srs
              last edited by May 2, 2007, 1:17 AM

              someone please  ;D

              • H
                hoba
                last edited by May 2, 2007, 6:07 AM

                The pfSense DHCP-Server currently supports only one IP-Range and client configuration per interface. What you try to do is not doable with only using pfSense as DHCP-Server.

                • S
                  sai
                  last edited by May 8, 2007, 5:04 PM

                  Use a dedicated machine as DHCP server. Having 2 dhcp servers is the way to madness.
