Netgate Discussion Forum

    Allow only authorized clients on network?

      Seeking Sense

      Hello.

      Please forgive me in advance for this newbie question.

      I am interested in setting up a pfsense box that will prevent unknown/unauthorized clients from accessing the network.

      The network will contain a mixture of clients as well as a couple of low traffic web and mail servers.

      Access to the network will be via wired and wireless ap.

      I do not require guest network.

      Internet <------> pfSense <------> switch <---------------> web server
                                                <---------------> mail server
                                                <---------------> desktop 1
                                                <---------------> desktop 2
                                                <---------------> wireless ap <---------------> phone
                                                                              <---------------> tablet
                                                                              <---------------> laptop
                                                                              <---------------> streaming device

      Thanks in advance.

        johnpoz LAYER 8 Global Moderator

        So you want to stop people from plugging into switch ports? How would unknowns get on your wifi network if they don't have the creds to get on it? As you stated, you don't want a guest network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          enodeb

          As John already wrote, the best way to prevent unauthorized wireless clients from accessing your network is to use WPA2 with a strong passphrase (or 802.1x). For wired clients, there are switches with port-based authentication (using 802.1x, together with e.g. FreeRadius running on the pfSense box). But that seems over the top in a home environment unless you often have visitors you don't trust snooping around.

          IMO it would be more important to put your servers on an isolated network (DMZ), so an attacker from the Internet who breaches the servers cannot get into your home network.
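
The DMZ isolation suggested in the post above, sketched as pf.conf-style rules (an added example, not part of the original post and not a pfSense-generated ruleset). The interface names, subnets, server addresses and service ports are constructed assumptions, and NAT/port-forward rules are omitted; on pfSense the same logic is entered per interface under Firewall > Rules.

```pf
# Constructed interface names and addresses, for illustration only
wan_if  = "igb0"
lan_if  = "igb1"
dmz_if  = "igb2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web     = "192.168.2.10"
mail    = "192.168.2.20"

# Default deny: every permitted flow is listed explicitly below
block log all

# Outbound side of flows that an "in" rule below has already admitted
pass out inet all

# Internet -> DMZ: only the published services on the two servers
pass in on $wan_if inet proto tcp from any to $web  port { 80, 443 }
pass in on $wan_if inet proto tcp from any to $mail port { 25, 587, 993 }

# DMZ -> LAN: never. "quick" ends evaluation here, so no later
# pass rule can re-open the path from a breached server to the LAN
block in log quick on $dmz_if inet from any to $lan_net

# DMZ -> Internet: only what the servers need (mail delivery, updates, DNS)
pass in on $dmz_if inet proto tcp from $dmz_net to any port { 25, 80, 443 }
pass in on $dmz_if inet proto { tcp, udp } from $dmz_net to any port 53

# LAN -> anywhere, including administration of the DMZ servers;
# replies come back through the state table, not through a DMZ rule
pass in on $lan_if inet from $lan_net to any
```

Because the rules are stateful, LAN clients can still open connections to the web and mail servers, while a compromised server cannot start a new connection toward the LAN.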

            pfsense4life

            @Seeking:

            Hello.

            Please forgive me in advance for this newbie question.

            I am interested in setting up a pfsense box that will prevent unknown/unauthorized clients from accessing the network.

            The network will contain a mixture of clients as well as a couple of low traffic web and mail servers.

            Access to the network will be via wired and wireless ap.

            I do not require guest network.

            Internet <------> pfSense <------> switch <---------------> web server
                                                      <---------------> mail server
                                                      <---------------> desktop 1
                                                      <---------------> desktop 2
                                                      <---------------> wireless ap <---------------> phone
                                                                                    <---------------> tablet
                                                                                    <---------------> laptop
                                                                                    <---------------> streaming device

            Thanks in advance.

            Your best solution, for wireless access that is, might be using WPA2-Enterprise mode so that any wireless clients need extra authentication methods to verify their authorization.

            I accomplish this through a web-hosted RADIUS server solution.  Some are free and worth a try, so if you find that you don't like it then it is easy to just access your router webGUI via ethernet or serial to remove the RADIUS settings and revert your wireless client devices.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.