
    Ignore / Deny unknown or denied clients

    DHCP and DNS
    ast:

      Hi!

      Just want to know what I need to check in order for me to block internet access for connections that are not in my static ARP.  Please see attached.

      Also, does denying unknown clients also block their LAN access (file sharing amongst work stations)?  I just want to control internet access.

      TIA!

      ast

      [Attachment: Screen Shot 2017-06-30 at 9.42.09 AM.jpg]

      JKnott:

        Select Deny Unknown Clients.  If they don't get an IP address that's on your LAN, they can't get anywhere else.  Also, with Windows, if a DHCP address is not available, the normal default is to create a link local address in the 169.254.0.0/16 range.  This address can be used for file sharing etc.

        ast:

          @JKnott:

          Select Deny Unknown Clients.  If they don't get an IP address that's on your LAN, they can't get anywhere else.  Also, with Windows, if a DHCP address is not available, the normal default is to create a link local address in the 169.254.0.0/16 range.  This address can be used for file sharing etc.

          Thanks for the quick reply!  Will manually encoding an IP address give them access to the internet, or not?

          Just want to clarify: when a DHCP address is not available to a workstation, will it still have access to LAN file sharing? (Which I need; workstations need to access our NAS.)

          Thanks again!

          ast

          JKnott:

            They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.  And yes, file sharing is still available via the link local addresses.  As I mentioned, link local addresses are the usual default on Windows.  On Linux, you have to specifically configure a link local connection.  Link local addresses are normally based on a random number, but it is possible to configure a static address in that range.

            ast:

              @JKnott:

              They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.

              By authorized addresses allowed, you mean via static ARP or static IP?

              JKnott:

                @ast:

                @JKnott:

                They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.

                By authorized addresses allowed, you mean via static ARP or static IP?

                You can configure the DHCP server to assign a specific IP address to a MAC address.  If you also only allow those MACs, then no other computer will obtain an IP address via DHCP.  You can then set the firewall rules to allow only those IP addresses assigned via DHCP.  So, if someone tries to manually assign an IP address outside of the allowed range, then it won't make it past the firewall.  If they try to assign one within, then you'll have an address conflict, which can be detected.

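The procedure in the answer above (static DHCP mappings keyed by MAC, "Deny unknown clients", a firewall rule that passes only the mapped addresses, and watching for address conflicts when someone configures an address by hand) can be checked with a small audit script. The following is an added example, not code from the thread or from pfSense: the mapping table, the capture lines, the interface and the addresses are constructed placeholders. It derives the allow-list that would go into a pfSense firewall alias from the static mappings, then reads ARP replies in the format of `tcpdump -n arp` and reports the cases a DHCP-based allow-list alone does not stop: a known MAC using an address other than the one mapped to it, an unknown MAC claiming an allow-listed address (the conflict case), and self-assigned addresses such as 169.254.x.x that the pass rule would block anyway.

```python
"""Audit observed ARP replies against a pfSense-style static DHCP mapping table.

Added example for the thread above; the mapping table, capture lines and
addresses below are constructed sample data, not taken from the poster's network.
"""
import re
import sys
from collections import defaultdict

# Constructed example: MAC -> IP, as entered under Services > DHCP Server static
# mappings, with "Deny unknown clients" enabled on the same page.
STATIC_MAP = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
    "00:11:22:33:44:77": "192.168.1.12",
}

# Constructed sample lines in the format of `tcpdump -n arp` on the LAN interface.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
12:00:01.000002 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 28
12:00:02.000001 ARP, Reply 192.168.1.11 is-at 00:11:22:33:44:66, length 28
12:00:03.000001 ARP, Reply 192.168.1.11 is-at de:ad:be:ef:00:01, length 28
12:00:04.000001 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:02, length 28
12:00:05.000001 ARP, Reply 192.168.1.12 is-at 00:11:22:33:44:66, length 28
12:00:06.000001 ARP, Reply 169.254.7.9 is-at de:ad:be:ef:00:03, length 28
"""

REPLY_RE = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)


def parse_arp_replies(text):
    """Return unique (ip, mac) pairs from ARP replies, in first-seen order.

    Requests are ignored: only a reply asserts that a MAC owns an address.
    """
    pairs = []
    seen = set()
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        pair = (m.group(1), m.group(2).lower())
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs


def allow_list(static_map):
    """Addresses a LAN pass rule (or a pfSense alias) should contain: the
    statically mapped ones and nothing else, sorted numerically."""
    return sorted(set(static_map.values()),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def audit(static_map, observations):
    """Classify each observed (ip, mac) claim against the static mappings."""
    static_map = {mac.lower(): ip for mac, ip in static_map.items()}
    allowed = set(static_map.values())
    claims = defaultdict(set)   # ip -> MACs that answered for it
    findings = {"ok": [], "wrong_ip": [], "unknown_allowed_ip": [],
                "unknown_other_ip": []}
    for ip, mac in observations:
        claims[ip].add(mac)
        if mac in static_map:
            if static_map[mac] == ip:
                findings["ok"].append((ip, mac))
            else:
                # A mapped host configured by hand with an address that is not
                # its own; it passes the firewall if that address is allow-listed.
                findings["wrong_ip"].append((ip, mac, static_map[mac]))
        elif ip in allowed:
            # Unknown MAC on an allow-listed address: the conflict case the
            # answer describes, and the one an IP-based pass rule cannot catch.
            findings["unknown_allowed_ip"].append((ip, mac))
        else:
            # Self-assigned or link-local address; a pass rule limited to the
            # allow-list already drops this at the firewall.
            findings["unknown_other_ip"].append((ip, mac))
    # Two different MACs answering for one address is an address conflict.
    findings["conflicts"] = {ip: sorted(macs)
                             for ip, macs in claims.items() if len(macs) > 1}
    return findings


if __name__ == "__main__":
    # Usage: python arp_audit.py capture.txt   (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print("allow-list:", " ".join(allow_list(STATIC_MAP)))
    for key, items in audit(STATIC_MAP, parse_arp_replies(text)).items():
        print(f"{key}: {items}")
```

Two caveats a practitioner should keep in mind. Firewall rules on the LAN interface only see traffic that crosses pfSense, so workstation-to-NAS traffic within the same LAN segment is unaffected by any of this, which matches what the poster wants. Both the DHCP mapping and the allow-list key on values a user can set by hand (the MAC address and the IP address), so this controls casual use rather than a determined user; if that matters, pair it with port security or 802.1X on the switch.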