Block all IPs that are not from the pfSense DHCP
-
Good Day,
I need help to prevent all IPs that are in the LAN and whose IP is not given by the pfSense DHCP from going through the WAN.
DHCP is 192.168.2.1 and gives the range from 192.168.2.100-199.
-
Ok on your lan rule set source to 192.168.2.100-199, there you go.
If the range you want to allow does not fall neatly into a /cidr then create an alias and put in your range. Then use that alias as your source for your lan rule.
-
Ok thank you, that works. But when I try to set up an IP manually within that IP range… it can access the internet :( but only the PC that gets an IP from the DHCP should be allowed.
-
How do you think the firewall is supposed to tell if the client got his IP via dhcp or static?
If you want to lock it down that much, then set up static arp in the dhcp server and list out ALL the machines you want to be able to talk to your firewall via mac address.
http://doc.pfsense.org/index.php/DHCP_Server#Deny_Unknown_Clients_.2F_Static_ARP
Or set up captive portal and make them auth to get to the internet.
edit: Who exactly is setting up anything on your network? Be it they get their IP via dhcp or static that you need to prevent from talking to your firewall? I would be more concerned that they are on the network in the first place vs blocking them from internet. Maybe you need to investigate a NAC or NAP type setup.
-
With the DHCP leases. Is there any way to say that the PC that got a lease will be allowed to go to the internet?
-
No I do not believe so.. you can set up static arp that limits who can get a dhcp address, and who can talk to the lan interface.
But I don't know of any way to click a check box or something and say only dhcp clients, ANY dhcp client can use the internet. Nor do I understand what would be the point of such a setting?
I gave you what you asked for - you asked for how to prevent IPs outside your dhcp scope from using the internet. But if someone is allowed to connect to your network and sets a static IP in that range, there is no way for the firewall to know he wasn't a dhcp client. Unless you set up static arp and limit who can get an address via dhcp.
If you're not limiting who can get a dhcp address - then anyone can just request an IP via dhcp. So who are you preventing from access??
How about you explain what you're trying to prevent exactly, and we can work out the best course of action to accomplish that goal. If you're wanting to prevent unauthorized users from using the internet - captive portal would be an option.
Let's say there was a checkbox that said hey only dhcp clients can use the internet. What are you using to limit who can get a dhcp address? If you're not preventing them from getting an IP via dhcp then what is the point of that filter?
-
Thanks johnpoz for working this out.
I host a lan party with about 50-60 people. I want it as easy as possible to setup for the clients and as good as possible to monitor things that are going on on the internet.
Guests should come, plug the PC in and get an IP and access.
Admins and servers got static IPs with access to everything. That's why a guest should not be able to change his IP to a static one and get to the internet.
-
That is NOT what you asked for in your first post. You asked for dhcp clients to GET to the internet.. And IPs outside your dhcp range to NOT have the internet.
"I need help to prevent all IPs that are in the LAN and whose IP is not given by the pfSense DHCP from going through the WAN."
Now you're saying you want dhcp clients to NOT get to the internet, and only static users can use the internet.
If you have specific static IPs for your admin boxes and servers - then set up lan rules for ONLY those specific IPs to be able to use the internet.
Or a much easier method is to just use a captive portal.. Now it does not matter what IP they have - you're not getting out unless you auth. You can put in specific exceptions on the portal for your server and admin box mac addresses.
-
Sorry for the confusion, I mean that a guest is allowed to surf but only when he is in the 192.168.2.100-199 IP range, otherwise he will be blocked. I think you pointed me right! Just have to run a few tests now. Not really sure how to set it up right, but I will find out. Thanks for your support.
-
Yes, it's possible to combine dhcpd events and firewall rules.
Have a look at the following topics:
- man 5 dhcpd.conf
  on commit { execute <insert ip mac in fw whitelist> }
- ipfw firewall rules/tables
  fw table whitelist <- populated with info from dhcpd
  fw rule block all but whitelist
p.s. keep in mind that dhcpd is chrooted in /var/dhcpd/
regards.
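As an added example of the dhcpd-event-to-firewall-table approach in the reply above (not the poster's or pfSense's own code): an ISC dhcpd `on commit`/`on release`/`on expiry` stanza that calls a hook script, and the hook script keeping an ipfw table in step with the lease state so the firewall rule can admit only addresses that really came from a lease. The hook path, table name, WAN interface `em0`, rule numbers and admin address are assumptions.

```shell
#!/bin/sh
# dhcp-fw-hook: run by ISC dhcpd on lease events (assumed path /usr/local/bin/dhcp-fw-hook).
# Assumed dhcpd.conf stanza (constructed for this example, see dhcpd.conf(5)/dhcp-eval(5)):
#   on commit {
#     set clip = binary-to-ascii(10, 8, ".", leased-address);
#     set clhw = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
#     execute("/usr/local/bin/dhcp-fw-hook", "commit", clip, clhw);
#   }
#   on release { same two 'set' lines; execute("/usr/local/bin/dhcp-fw-hook", "release", clip, clhw); }
#   on expiry  { same two 'set' lines; execute("/usr/local/bin/dhcp-fw-hook", "expiry", clip, clhw); }
# One-time ipfw setup (named tables, FreeBSD 11+; older ipfw uses numbered tables):
#   ipfw table whitelist create type addr
#   ipfw table whitelist add 192.168.2.10        # static admin/server boxes go in by hand (assumed IP)
#   ipfw add 100 allow ip from 'table(whitelist)' to any out via em0   # em0 = WAN (assumed)
#   ipfw add 200 deny  ip from 192.168.2.0/24 to any out via em0       # everything else from LAN
# dhcpd runs chrooted (/var/dhcpd on pfSense): the hook, ipfw and their libraries must exist inside it.

TABLE="${TABLE:-whitelist}"          # ipfw table that the allow rule consults
IPFW="${IPFW:-/sbin/ipfw}"           # ipfw binary; DRY_RUN=1 prints the command instead of running it
POOL_LO=100; POOL_HI=199              # the thread's DHCP pool, 192.168.2.100-199

# in_pool <ip>: succeeds only for addresses inside 192.168.2.100-199
in_pool() {
  case "$1" in
    192.168.2.*) last="${1##*.}" ;;
    *) return 1 ;;
  esac
  [ "$last" -ge "$POOL_LO" ] && [ "$last" -le "$POOL_HI" ]
}

# fw_cmd <commit|release|expiry> <ip>: prints the ipfw command for the event and runs it unless DRY_RUN=1
fw_cmd() {
  ev="$1"; ip="$2"
  in_pool "$ip" || { echo "refusing $ip: outside pool" >&2; return 1; }
  case "$ev" in
    commit)         action="add" ;;      # new/renewed lease: admit the address
    release|expiry) action="delete" ;;   # lease gone: drop it again
    *) echo "unknown event $ev" >&2; return 1 ;;
  esac
  cmd="$IPFW table $TABLE $action $ip"
  echo "$cmd"
  [ "${DRY_RUN:-0}" = 1 ] || $cmd
}

# Entry point when dhcpd executes the hook: dhcp-fw-hook <event> <ip> <mac>
if [ "$#" -ge 2 ]; then
  fw_cmd "$1" "$2"   # "$3" is the client MAC; kept for logging only
fi
```

A station that sets a static address inside the pool never produces a commit event, so it never enters the table, which is the distinction a plain source-range rule cannot make. pfSense's main packet filter is pf rather than ipfw; the same hook works there with `pfctl -t whitelist -T add`/`-T delete` in place of the ipfw commands.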