Best way to keep neighbor's kid off my wifi?
-
More interesting would be to give 'unknowns' a DHCP lease which would give it some sort of invalid IP. So they login, get an IP, but can't access my network.
If my IP scheme is 192.168.2.1, can I give a certain block of devices a 10.1.1.0 IP which wouldn't go anywhere (understanding that they could hard code the IP)?
So your idea of blocking the entire MAC address does work - only downside is I would have no idea who is who unless I keep an Excel MAC list.
How do I banish them to a non working IP range?
Wouldn't it just be easier not to give the password to your wife, so she can not give it out ;)
As to your MAC address question.. You can for sure just block a MAC address.. This would be easier in the UniFi controller on the MAC blacklist.. But could also be done in the dhcpd on pfSense. But it's more designed to block or allow partial lists, like you want to block all devices from a specific maker.. Have not tested what happens if you put in a full MAC vs partial.
Simple workaround here, which will confuse the users even more, is give them an IP via MAC address. Set up a reservation - then just deny this device access via the firewall rules. Just a simple block rule.. Now they will be on the network, but won't be able to use the internet..
There are all kinds of ways to skin this cat.. You could set up a proxy so when these clients connect they only get sent to some nonsense page… No matter where they go... You could set them up their own captive portal that tells them all their stuff is being tracked by the FBI and are going to be contacting their parents.. Really scare them if you know who they are just post up their info on the captive portal ;)
Simple solution though would be to just have wife not give them password.. Set up EAP-TLS so she doesn't even know how her devices get on they just do, she won't even have a password to give them ;)
Prob run out of post room going over all the ways you could block them or mess with them ;)
I would put up some fake page and try to scare the shit out of them ;) Maybe something about using unauthorized wifi, etc.
-
There is an option to Deny unknown clients, think if you tick the box it will only hand out DHCP addresses to entries in the DHCP Static Mappings for this Interface part of the interface.
But what's to stop the savvy ones using a static?
-
I think deny all but allowed seems like a lot of work for when I have visitors. I would love to give invalid DHCP leases to people. Can that be done?
-
Once you know what these clients' MAC is - sure you could set up a DHCP reservation to give them bad info, like wrong gateway, invalid DNS, etc. So they couldn't go anywhere other than the wifi network specific.. Hand them loopback for their gateway and DNS 127.0.0.1 in your reservation..
But I would think prob be less likely for them to "catch" on if you just gave them valid info and then just blocked them at the firewall..
You can not really give them a different IP range in pfSense DHCP.. Since your reservation has to be in the network subnet the DHCP server is running on.. Just outside the scope.
If you are running the controller its just so much easier to block them there. And just leave them blocked. Vs going through the work of setting up reservation with bogus info or firewall rules, etc.
-
I would love to give invalid DHCP leases to people.
Perhaps 127.0.0.1? ;)
-
One VLAN for you and your wife with internet and LAN side and the guests over their own VLAN with the Captive Portal would be my try here.
- Private WiFi with Radius & certificates
  LAN and Internet
- Guest WiFi with Captive Portal and vouchers system sorted in groups and each group with its own time limit.
  Internet only
-
^^^^
Many access points support multiple SSIDs and VLANs. No need for a RADIUS server, just set up the guest WiFi on a 2nd SSID & VLAN. Then configure pfSense to allow the guest SSID/VLAN access to the Internet only.
-
All the other VLANs and such don't work when the wife gives out the info to what she connects to, etc. Setting up EAP-TLS or something so the wife can't give out the info would be a solution. But not sure how any other SSID works?
-
Surely the easiest way is to spend an hour or so grabbing MAC address for known devices in your house, and then create DHCP reservations for these. Keep the IP range small, and then create one firewall rule to pass these, and another to block everything else.
The chances of neighbours doing static IP in the correct range is fairly low?
-
So adding a lease but not putting an IP & adding 127.0.0.1 allows connectivity but doesn't assign any IP - this is perfect!
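-
Added example, not from any poster in this thread: a way to check the allowlist approach suggested above (reservations for known MACs in a small range, pass that range, block the rest) against the "static IP" and "who is who" concerns. The trusted range, the CSV inventory layout and all sample values are constructed assumptions; the ARP lines follow the style of `arp -an` on FreeBSD.

```python
import csv, io, ipaddress, re

# Constructed sample data, not from the thread. TRUSTED_NET is the assumed
# "small range" that holds the reservations and gets the pass rule.
TRUSTED_NET = "192.168.2.8/29"
INVENTORY_CSV = """mac,owner,reserved_ip
00:11:22:33:44:01,my-laptop,192.168.2.10
00:11:22:33:44:0A,wife-phone,192.168.2.11
"""
# Lines in the style printed by `arp -an` on FreeBSD (values constructed).
ARP_OUTPUT = """\
? (192.168.2.10) at 00:11:22:33:44:01 on em1 expires in 1195 seconds [ethernet]
? (192.168.2.60) at 00:11:22:33:44:0a on em1 expires in 1100 seconds [ethernet]
? (192.168.2.12) at 66:77:88:99:aa:bb on em1 expires in 900 seconds [ethernet]
? (192.168.2.150) at 02:00:00:00:be:ef on em1 expires in 800 seconds [ethernet]
? (192.168.2.77) at (incomplete) on em1 expired [ethernet]
"""
ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\b", re.I)

def norm_mac(mac):
    """Lower-case and zero-pad each octet so inventory and ARP forms compare."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))

def load_inventory(text):
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def audit(arp_text, inventory, trusted_net):
    """Return (verdict, ip, mac, owner) for every entry that needs a look."""
    net = ipaddress.ip_network(trusted_net)
    findings = []
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if not m:                      # skips "(incomplete)" entries
            continue
        ip, mac = m["ip"], norm_mac(m["mac"])
        known = inventory.get(mac)
        if known is None:
            # Unknown MAC inside the passed range: a hand-set static address.
            inside = ipaddress.ip_address(ip) in net
            verdict = "unknown-in-trusted-range" if inside else "unknown"
        elif known["reserved_ip"] != ip:
            verdict = "known-wrong-ip"  # known device not on its reservation
        else:
            continue
        findings.append((verdict, ip, mac, known["owner"] if known else "?"))
    return findings

if __name__ == "__main__":
    for finding in audit(ARP_OUTPUT, load_inventory(INVENTORY_CSV), TRUSTED_NET):
        print(*finding)
```

The result is an inventory check, not authentication, since it trusts the MAC each client reports; the EAP-TLS setup suggested in the thread is the control that authenticates devices.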