Allow only authorized clients on network?



  • Hello.

    Please forgive me in advance for this newbie question.

    I am interested in setting up a pfsense box that will prevent unknown/unauthorized clients from accessing the network.

    The network will contain a mixture of clients as well as a couple of low traffic web and mail servers.

    Access to the network will be via wired and wireless ap.

    I do not require guest network.

    Internet <–----> pfSense <-------> switch  < ---------------> web server
                                                                    <---------------> mail server
                                                                    <---------------> desktop 1
                                                                    <---------------> desktop 2
                                                                    <--------------->  wireless ap  <---------------> phone
                                                                                                                <---------------> tablet
                                                                                                                <---------------> laptop
                                                                                                                <---------------> streaming device

    Thanks in advance.


  • LAYER 8 Global Moderator

    so you want to stop people from plugging into switch ports?  How would unknowns get on your wifi network if they don't have the creds to get on it?  As you stated you don't want a guest network.



  • As John already wrote, the best way to prevent unauthorized wireless clients from accessing your network is to use WPA2 with a strong passphrase (or 802.1x). For wired clients, there are switches with port-based authentication (using 802.1x, together with e.g. FreeRadius running on the pfSense box). But that seems over the top in a home environment unless you often have visitors you don't trust snooping around.

    IMO it would be more important to put your servers on an isolated network (DMZ), so an attacker from the Internet who breaches the servers can not get into your home network.



  • @Seeking:

    Hello.

    Please forgive me in advance for this newbie question.

    I am interested in setting up a pfsense box that will prevent unknown/unauthorized clients from accessing the network.

    The network will contain a mixture of clients as well as a couple of low traffic web and mail servers.

    Access to the network will be via wired and wireless ap.

    I do not require guest network.

    Internet <–----> pfSense <-------> switch  < ---------------> web server
                                                                    <---------------> mail server
                                                                    <---------------> desktop 1
                                                                    <---------------> desktop 2
                                                                    <--------------->  wireless ap  <---------------> phone
                                                                                                                <---------------> tablet
                                                                                                                <---------------> laptop
                                                                                                                <---------------> streaming device

    Thanks in advance.

    Your best solution for wireless access that is, might be using WPA2-Enterprise Mode so that any wireless clients need extra authentication methods to verify their authorization.

    I accomplish this through a web-hosted RADIUS server solution.  Some are free and worth a try, so if you find that you don't like it then it is easy to just access your router webGUI via ethernet or serial to remove the RADIUS settings and revert your wireless client devices.


Log in to reply