Ignore / Deny unknown or denied clients



  • Hi!

    Just want to know what I need to check in order to block internet access for connections that are not in my static ARP?  Please see attached.

    Also, does denying unknown clients also block their LAN access (file sharing amongst work stations)?  I just want to control internet access.

    TIA!

    ast

    ![Screen Shot 2017-06-30 at 9.42.09 AM.jpg](/public/imported_attachments/1/Screen Shot 2017-06-30 at 9.42.09 AM.jpg)



  • Select Deny Unknown Clients.  If they don't get an IP address that's on your LAN, they can't get anywhere else.  Also, with Windows, if a DHCP address is not available, the normal default is to create a link local address in the 169.254.0.0/16 range.  This address can be used for file sharing etc.



  • @JKnott:

    Select Deny Unknown Clients.  If they don't get an IP address that's on your LAN, they can't get anywhere else.  Also, with Windows, if a DHCP address is not available, the normal default is to create a link local address in the 169.254.0.0/16 range.  This address can be used for file sharing etc.

    Thanks for the quick reply!  Will manually encoding an ip address give them access to the internet, or not?

    Just want to clarify: when a DHCP address is not available to a workstation, will it still have access to LAN file sharing? (which I need; workstations need to access our NAS)

    Thanks again!

    ast



  • They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.  And yes, file sharing is still available via the link local addresses.  As I mentioned, link local addresses are the usual default on Windows.  On Linux, you have to specifically configure a link local connection.  Link local addresses are normally based on a random number, but it is possible to configure a static address in that range.



  • @JKnott:

    They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.

    By authorized addresses allowed, you mean via static ARP or static IP?



  • @ast:

    @JKnott:

    They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed.

    By authorized addresses allowed, you mean via static ARP or static IP?

    You can configure the DHCP server to assign a specific IP address to a MAC address.  If you also only allow those MACs, then no other computer will obtain an IP address via DHCP.  You can then set the firewall rules to allow only those IP addresses assigned via DHCP.  So, if someone tries to manually assign an IP address outside of the allowed range, then it won't make it past the firewall.  If they try to assign one within, then you'll have an address conflict, which can be detected.
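The scheme JKnott describes in the post above (static DHCP mappings per MAC, "Deny unknown clients", a firewall rule that only passes those mapped addresses, and watching for address conflicts) can be modelled end to end. The following is an added example and not code from the thread or from pfSense; the MAC addresses, the 192.168.1.0/24 LAN, the ARP snapshot and the alias name `AuthorizedHosts` are all constructed for illustration, and the pass/block logic stands in for a pfSense LAN rule "pass from alias AuthorizedHosts to any" followed by the default deny.

```python
import ipaddress

# Constructed sample data: the static mappings an admin would enter under
# Services > DHCP Server > Static Mappings. These are not real devices.
STATIC_MAPPINGS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
    "00:11:22:33:44:03": "192.168.1.12",
}
LAN = ipaddress.ip_network("192.168.1.0/24")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # Windows APIPA fallback range

# Constructed ARP snapshot as the firewall might see it: one legitimate host,
# one machine that manually took a mapped address, one manual address outside
# the mappings entirely.
SAMPLE_ARP = [
    ("192.168.1.10", "00:11:22:33:44:01"),
    ("192.168.1.11", "de:ad:be:ef:00:01"),
    ("192.168.1.50", "de:ad:be:ef:00:02"),
]


def authorized_hosts(mappings):
    """Contents of the hypothetical 'AuthorizedHosts' alias: exactly the IPs
    handed out by static DHCP mappings, nothing else."""
    return {ipaddress.ip_address(ip) for ip in mappings.values()}


def dhcp_offer(mac, mappings, deny_unknown=True):
    """Mimic 'Deny unknown clients': a MAC with no static mapping gets no lease
    at all when the option is on, and a pool address when it is off."""
    mac = mac.lower()
    if mac in mappings:
        return mappings[mac]
    return None if deny_unknown else "pool"


def lan_to_wan_decision(src_ip, mappings):
    """Outcome for a LAN->WAN packet under 'pass from AuthorizedHosts to any'
    plus the implicit default deny."""
    addr = ipaddress.ip_address(src_ip)
    if addr in LINK_LOCAL:
        # 169.254/16 is never routed, so link-local hosts can share files on
        # the LAN but cannot reach the Internet regardless of firewall rules.
        return "drop: link-local is not routable"
    if addr in authorized_hosts(mappings):
        return "pass"
    return "block: not an authorized address"


def arp_conflicts(arp_table, mappings):
    """Detect what JKnott calls an address conflict: a mapped IP seen with a
    different MAC. Also report LAN IPs that appear with no mapping at all,
    which is what a manually configured address looks like from the firewall."""
    ip_to_mac = {ip: mac.lower() for mac, ip in mappings.items()}
    findings = []
    for ip, mac in arp_table:
        expected = ip_to_mac.get(ip)
        if expected is None:
            if ipaddress.ip_address(ip) in LAN:
                findings.append((ip, mac, "unmapped LAN address"))
        elif expected != mac.lower():
            findings.append((ip, mac, f"conflict: mapped to {expected}"))
    return findings


if __name__ == "__main__":
    print("lease for unknown MAC:", dhcp_offer("de:ad:be:ef:00:01", STATIC_MAPPINGS))
    for ip in ("192.168.1.10", "192.168.1.50", "169.254.12.34"):
        print(ip, "->", lan_to_wan_decision(ip, STATIC_MAPPINGS))
    for finding in arp_conflicts(SAMPLE_ARP, STATIC_MAPPINGS):
        print("ARP finding:", finding)
```

The two halves matter together: the firewall rule stops a manually assigned address outside the mappings from reaching the Internet, while the ARP comparison is what surfaces the remaining case, a machine that copies a mapped address, which the firewall alone cannot distinguish from the legitimate host.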