Netgate Discussion Forum

    Best way to keep neighbors kid off my wifi?

    • C
      Chrismallia
      last edited by

      Excuse me for saying, but tell your wife to stop giving out the password. If she gives out the password and you are going to waste time blocking them, then what's the point? Tell her not to give it to them from the beginning ;)

      • NogBadTheBadN
        NogBadTheBad
        last edited by

        Set the SSID to her email account ID and use her password as the password ;D

        Just noticed you have a Ubiquiti AP:

        1. Create a new SSID just for the wife.

        2. Assign it to a VLAN with a /30 mask.

        3. Wait till wife moans that she can't access anything.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • R
          richtj99
          last edited by

          You guys are funny! Happy wife, happy life. I have enough to argue about, but her giving out the wifi access isn't something I want to get into.

          I would rather just block people & claim I don't know what's happening.

          • R
            richtj99
            last edited by

            More interesting would be to give 'unknowns' a DHCP lease which would give it some sort of invalid IP.  So they login, get an IP, but can't access my network.

            If my IP scheme is 192.168.2.1, can I give a certain block of devices a 10.1.1.0 IP which wouldn't go anywhere (understanding that they could hard code the IP)?

            So your idea of blocking the entire MAC address does work - the only downside is I would have no idea who is who unless I keep an Excel MAC list.

            How do I banish them to a non working IP range?

            @johnpoz:

            Wouldn't it just be easier not to give the password to your wife, so she can not give it out ;)

            As to your MAC address question.. You can for sure just block a MAC address.. This would be easier in the UniFi controller on the MAC blacklist.. But could also be done in the dhcpd on pfSense. But it's more designed to block or allow partial lists, like you want to block all devices from a specific maker.. Have not tested what happens if you put in a full MAC vs partial.

            Simple work around here, which will confuse the users even more, is give them an IP via mac address.  Setup a reservation - then just deny this device access via the firewall rules.  Just a simple block rule.. Now they will be on the network, but won't be able to use the internet..

            There are all kinds of ways to skin this cat.. You could setup a proxy so when these clients connect they only get sent to some nonsense page… No matter where they go... You could set them up their own captive portal that tells them all their stuff is being tracked by FBI and are going to be contacting their parents.. Really scare them if you know who they are just post up their info on the captive portal ;)

            Simple solution though would be to just have wife not give them password.. Setup eap-tls so she doesn't even know how her devices get on they just do, she won't even have a password to give them ;)

            Prob run out of post room going over all the ways you could block them or mess with them ;)

            I would put up some fake page and try to scare the shit out of them ;) Maybe something about using unauthorized wifi, etc.

            • NogBadTheBadN
              NogBadTheBad
              last edited by

              There is an option to Deny unknown clients, think if you tick the box it will only hand out DHCP addresses to entries in the DHCP Static Mappings for this Interface part of the interface.

              But what's to stop the savvy ones using a static?

              Andy


              • R
                richtj99
                last edited by

                I think deny all but allowed seems like a lot of work for when I have visitors.  I would love to give invalid DHCP leases to people.  Can that be done?

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Once you know what these clients' MAC is - sure, you could set up a DHCP reservation to give them bad info, like wrong gateway, invalid DNS, etc. So they couldn't go anywhere other than the wifi network specifically.. Hand them loopback for their gateway and DNS, 127.0.0.1, in your reservation..

                  But I would think prob be less likely for them to "catch" on if you just gave them valid info and then just blocked them at the firewall..

                  You can not really give them a different IP range in pfsense, dhcp.. Since your reservation has to be in the network subnet the dhcp server is running on.. Just outside the scope.

                  If you are running the controller its just so much easier to block them there.  And just leave them blocked.  Vs going through the work of setting up reservation with bogus info or firewall rules, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • JKnottJ
                    JKnott
                    last edited by

                    I would love to give invalid DHCP leases to people.

                    Perhaps 127.0.0.1?  ;)

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    • ?
                      Guest
                      last edited by

                      One VLAN for you and your wife with internet and LAN side, and the guests over their own VLAN with the Captive Portal, would be my try here.

                      • Private WiFi with RADIUS & certificates
                        LAN and Internet
                      • Guest WiFi with Captive Portal and voucher system sorted in groups, each group with its own time limit.
                        Internet only
                      • JKnottJ
                        JKnott
                        last edited by

                        ^^^^
                        Many access points support multiple SSIDs and VLANs.  No need for a RADIUS server, just set up the guest WiFi on a 2nd SSID & VLAN. Then configure pfSense to allow the guest SSID/VLAN access to the Internet only.


                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          All the other VLANs and such don't work when the wife gives out the info to what she connects to, etc. Setting up EAP-TLS or something so the wife can't give out the info would be a solution. But not sure how any other SSID works?


                          • P
                            pwood999
                            last edited by

                            Surely the easiest way is to spend an hour or so grabbing MAC addresses for known devices in your house, and then create DHCP reservations for these. Keep the IP range small, and then create one firewall rule to pass these, and another to block everything else.

                            The chances of neighbours doing static IP in the correct range is fairly low?

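The reservation-plus-firewall approach above leaves the gap raised earlier in the thread: a client that sets a static IP inside the passed range. The following is an added example, not code from any poster or from pfSense, that audits an ARP table against the DHCP static mappings to surface that case; the mappings, the trusted range and the sample lines (written in the style of FreeBSD `arp -an` output) are all constructed for illustration.

```python
import ipaddress
import re

# Constructed allowlist mirroring DHCP static mappings: MAC -> reserved IP.
STATIC_MAPPINGS = {
    "aa:bb:cc:00:00:01": "192.168.2.10",
    "aa:bb:cc:00:00:02": "192.168.2.11",
}
# Assumed small block covered by the single "pass" rule; everything else is blocked.
TRUSTED_RANGE = ipaddress.ip_network("192.168.2.8/29")

# Constructed sample lines in the style of FreeBSD `arp -an` output.
SAMPLE_ARP = """\
? (192.168.2.1) at 00:11:22:33:44:55 on igb1 permanent [ethernet]
? (192.168.2.10) at aa:bb:cc:00:00:01 on igb1 expires in 1187 seconds [ethernet]
? (192.168.2.11) at de:ad:be:ef:00:99 on igb1 expires in 904 seconds [ethernet]
? (192.168.2.12) at 02:42:ac:11:00:07 on igb1 expires in 655 seconds [ethernet]
? (192.168.2.140) at 3c:22:fb:10:20:30 on igb1 expires in 1100 seconds [ethernet]
? (192.168.2.77) at (incomplete) on igb1 expired [ethernet]
"""

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on \S+ (?P<state>permanent|expires)", re.I)


def audit_arp(arp_text, mappings=STATIC_MAPPINGS, trusted=TRUSTED_RANGE):
    """Return (ip, mac, verdict) for every live entry that is not a known
    device sitting on its own reservation."""
    findings = []
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if not m or m["state"].lower() == "permanent":
            continue  # unresolved entry, or the firewall's own interface
        ip, mac = ipaddress.ip_address(m["ip"]), m["mac"].lower()
        reserved = mappings.get(mac)
        if reserved == str(ip):
            continue  # known device on its reserved address
        if reserved is not None:
            verdict = "known-mac-wrong-ip"
        elif str(ip) in mappings.values():
            verdict = "reserved-ip-claimed-by-other-mac"
        elif ip in trusted:
            verdict = "static-ip-in-trusted-range"  # slips past an IP-only pass rule
        else:
            verdict = "unknown-client"  # already caught by the block rule
        findings.append((str(ip), mac, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP):
        print(*finding)
```

A client that clones a known MAC address looks identical to the real device here, which is why the EAP-TLS suggestion in this thread is the stronger control.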
                            • R
                              richtj99
                              last edited by

                              So adding a lease but not putting an IP & adding 127.0.0.1 allows connectivity but doesn't assign any IP - this is perfect!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.