Netgate Discussion Forum
    Different Firewall rules for specific wireless users

    Forum category: Firewalling
    5 Posts 2 Posters 1.6k Views
    qwaven

      Hey all,

      Wondering if anyone has any options for me? :) I'm running pfSense 2.0.3 (plan to update to 2.1 at some point, not sure if that would matter for this).

      I have a firewall w/ NAT enabled and a few interfaces devoted to different networks. For the main wired lan and wireless lan by default I block any communication between them. I have a few wireless hosts that I would like to allow through to the wired lan.

      I realize I can create DHCP leases and statically assign an IP to allow through the firewall. To me this is risky, as anyone could theoretically manually set their IP to the "special" IP and gain access through.

      MAC filtering seems a bit more secure to me; however, I have not found any way of adding a firewall rule that filters based on MAC address.

      So anyone have any suggestions for allowing a few hosts through, while still maintaining a user friendly approach?

      Thanks for your help!

      Cheers :)

      johnpoz (LAYER 8 Global Moderator)

        > "MAC filtering seems a bit more secure to me"

        And why can they not change their MAC? It can be changed just like an IP can.

        If you're really paranoid, set up static ARP. Or install the ipguard package http://ipguard.deep.perm.ru/

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          qwaven

          @johnpoz:

          > "MAC filtering seems a bit more secure to me"
          >
          > And why can they not change their MAC? It can be changed just like an IP can.

          Thanks for your response. Yes, it's true MAC addresses can be changed. However, it's far easier to guess an IP address than a MAC address. "...a bit more secure to me"

          The solutions you listed seem to rely on knowing all devices on the network in order to populate static ARP, etc. I'm looking for something a little less administratively intense. :)

          If static ARP were able to be used just to map particular IP-MAC combos, then I believe it would be OK, but as I understand it, when enabled it will deny anything not listed in the static ARP table.

          > Note: Only the machines listed below will be able to communicate with the firewall on this NIC.
          

          Thanks!

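The static ARP exchange above comes down to pinning an IP to a MAC on the firewall. The script below is an added example, not code from the thread or from pfSense: it audits the firewall's ARP cache, in the format `arp -an` prints on FreeBSD, against an allowlist of the few permitted IP/MAC pairs, so a client that took a permitted IP with a different MAC, or cloned a permitted MAC under another IP, is reported. All addresses, the interface name and the embedded cache output are constructed. One caveat worth having in mind when weighing MAC against IP filtering: on a shared wireless segment the MACs of the other clients are visible in any client's own ARP cache or in captured frames, so nobody has to search 2^48 values; and a client that clones both the IP and the MAC of a permitted host while that host is offline is indistinguishable from it to this check and to static ARP alike, which is a property only something authenticated (such as the VPN mentioned later in the thread) escapes.

```shell
#!/bin/sh
# Added example, not from the thread: audit the firewall's ARP cache against an
# allowlist of IP-to-MAC bindings for the "special" wireless hosts.  On a
# pfSense/FreeBSD box the cache would come from `arp -an`; here a constructed
# sample is embedded so the script runs offline.  IPs, MACs and interface
# name are hypothetical.

# Allowlist: "ip mac" per line, MACs in lowercase as arp(8) prints them.
ALLOWED='192.168.2.10 00:11:22:33:44:55
192.168.2.11 00:11:22:33:44:66'

# Constructed `arp -an` output: .11 has been taken over by another MAC and
# .50 is a second client that cloned .10's MAC.
SAMPLE_ARP='? (192.168.2.1) at 00:aa:bb:cc:dd:01 on em1 permanent [ethernet]
? (192.168.2.10) at 00:11:22:33:44:55 on em1 expires in 1190 seconds [ethernet]
? (192.168.2.11) at de:ad:be:ef:00:01 on em1 expires in 1150 seconds [ethernet]
? (192.168.2.50) at 00:11:22:33:44:55 on em1 expires in 900 seconds [ethernet]'

# check_bindings ALLOWLIST ARP_OUTPUT
# Prints one line per violation on stdout; the return value is the number of
# violations, so 0 means every binding holds.
check_bindings() {
    allow=$1
    cache=$2
    bad=0

    # Check 1: an allowlisted IP that is present must carry its expected MAC.
    # A different MAC means another client configured itself with that IP.
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        seen=$(printf '%s\n' "$cache" | awk -v ip="($ip)" '$2 == ip { print $4 }')
        if [ -z "$seen" ]; then
            echo "info: $ip not in cache (host offline?)" >&2
        elif [ "$seen" != "$mac" ]; then
            echo "VIOLATION: $ip expected $mac, cache has $seen"
            bad=$((bad + 1))
        fi
    done <<EOF
$allow
EOF

    # Check 2: an allowlisted MAC must not appear under any other IP.  That is
    # what a cloned MAC on a second wireless client looks like from the firewall.
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        for other in $(printf '%s\n' "$cache" |
                awk -v mac="$mac" -v ip="($ip)" \
                    '$4 == mac && $2 != ip { gsub(/[()]/, "", $2); print $2 }'); do
            echo "VIOLATION: MAC $mac of $ip also seen as $other"
            bad=$((bad + 1))
        done
    done <<EOF
$allow
EOF

    return $bad
}

# Stand-alone run: reports the two planted violations and returns 2.
check_bindings "$ALLOWED" "$SAMPLE_ARP" || echo "violations found: $?"
```

On the firewall itself the enforcement counterpart is the DHCP server's static ARP option quoted above, or a manual `arp -S ip mac` from the FreeBSD shell; either pins the binding for that interface, but neither tells you that a mismatch was attempted, which is the gap a periodic audit like this fills.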
          johnpoz (LAYER 8 Global Moderator)

            And when are they guessing these IPs? Are these IPs that have access not online when the users that are going to guess the ones that have access thru the firewall?

            Who are these users that are setting static IPs on their computer? Are these just random public users? Or is this a place of work? Home? What makes up the wireless population of users? Have you talked to users? 99% of them don't know what an IP is, but you're worried they are going to "guess" the ones that are open to your wired network.

            And then the ones smart enough to figure out what IP addresses are allowed through, those would be the ones that would also be smart enough to know how to change their MACs ;)

            What is it you're allowing these boxes to access once they guess the correct IP the firewall allows? Won't they also need to know what dst IP and service is allowed? Or are you opening up these IPs to any any to your wired network?

            Are these resources on the wired network not secured by auth as well?


              qwaven

              Hi Johnpoz,

              > And when are they guessing these IPs? Are these IPs that have access not online when the users that are going to guess the ones that have access thru the firewall?

              They could or could not be online, not sure it really matters.

              > Who are these users that are setting static IPs on their computer? …

              They are members of the wireless network, or possibly someone who has gained access without authorization. The latter being of more concern.

              > And then the ones smart enough to figure out what IP addresses are allowed through, those would be the ones that would also be smart enough to know how to change their MACs

              Not necessarily; however, let's assume it's a class C address block, 254 usable IPs. Far easier to scan or whatever 254 IPs than to guess a particular 48-bit MAC address from some 281,474,976,710,656 possibilities.

              > What is it you're allowing these boxes to access once they guess the correct IP the firewall allows? Won't they also need to know what dst IP and service is allowed? Or are you opening up these IPs to any any to your wired network?
              >
              > Are these resources on the wired network not secured by auth as well?

              The destinations and sources are still restricted by standard policies.

              Anyway, if it's not possible to do anything more restrictive than IP-based policy, so be it. I've toyed with the idea of having a separate VLAN w/ static ARP as suggested, or implementing an internal remote access VPN between networks.

              Thanks for your help.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.