Best way to keep neighbor's kid off my wifi?
-
Hi,
My wife keeps giving out our wifi password info to neighbors. While I could change the password, it is likely to be given out again. I am working on setting up DHCP leases but would like to be able to block specific mac addresses without having to manually add "OK" mac addresses.
Ideally if she gives the wifi password I would like to be able to check my DHCP leases & block mac addresses. I have Ubiquiti wifi access points & I can click on "block" for certain wireless devices but I would rather do it all through pfSense.
I am not really worried about Mac Spoofing.
Thanks,
Rich
-
Change it and don't give the password to your wife until after she writes "I will not hand out passwords to neighbors" 1000 times on the blackboard… If you have a blackboard.
Alternately install a guest wifi - may as well leave it open. Shut it down when you feel like it. Or captive portal? Never used it though.
-
Don't give her the password. If she has a device she wants to use, configure it for her.
-
Wouldn't it just be easier not to give the password to your wife, so she can not give it out ;)
As to your mac address question.. You can for sure just block a mac address.. This would be easier in the unifi controller on the mac black list.. But could also be done in the dhcpd on pfsense. But it's more designed to block or allow partial lists, like you want to block all devices from specific maker.. Have not tested what happens if you put in a full mac vs partial.
Simple work around here, which will confuse the users even more, is give them an IP via mac address. Setup a reservation - then just deny this device access via the firewall rules. Just a simple block rule.. Now they will be on the network, but won't be able to use the internet..
There are all kinds of ways to skin this cat.. You could setup a proxy so when these clients connect they only get sent to some nonsense page… No matter where they go... You could set them up their own captive portal that tells them all their stuff is being tracked by FBI and are going to be contacting their parents.. Really scare them if you know who they are just post up their info on the captive portal ;)
Simple solution though would be to just have wife not give them password.. Setup eap-tls so she doesn't even know how her devices get on they just do, she won't even have a password to give them ;)
Prob run out of post room going over all the ways you could block them or mess with them ;)
I would put up some fake page and try to scare the shit out of them ;) Maybe something about using unauthorized wifi, etc.
-
My wife keeps giving out our wifi password info to neighbors.
Your best bet is to educate her not to do so.
Every technical measure is only as good as its weakest link, which you described above. What's her reason for doing so when you ask her?
The idea of setting up a captive portal which passes known MAC addresses is probably your best bet, technical wise.
-
Excuse me for saying, but tell your wife to stop giving out the password. If she gives out the password and you are going to waste time blocking them, then what's the point? Tell her not to give it to them from the beginning ;)
-
Set the SSID to her email account ID and use her password as the password ;D
Just noticed you have a Ubiquiti AP :-
- Create a new SSID just for the wife.
- Assign it to a VLAN with a /30 mask.
- Wait till wife moans that she can't access anything.
-
You guys are funny! Happy wife happy life. I have enough to argue about but her giving out the wifi access isn't something I want to get into.
I would rather just block people & claim I don't know what's happening.
-
More interesting would be to give 'unknowns' a DHCP lease which would give it some sort of invalid IP. So they login, get an IP, but can't access my network.
If my IP scheme is 192.168.2.1, can I give a certain block of devices a 10.1.1.0 IP which wouldn't go anywhere (understanding that they could hard code the IP).
So your idea of blocking the entire MAC address does work - only downside is I would have no idea who is who unless I keep an Excel MAC list.
How do I banish them to a non working IP range?
-
There is an option to Deny unknown clients, think if you tick the box it will only hand out DHCP addresses to entries in the DHCP Static Mappings for this Interface part of the interface.
But what's to stop the savvy ones using a static ?
-
I think deny all but allowed seems like a lot of work for when I have visitors. I would love to give invalid DHCP leases to people. Can that be done?
-
Once you know what these clients mac is - sure you could setup a dhcp reservation to give them bad info, like wrong gateway, invalid dns, etc. So they couldn't go anywhere other than the wifi network specific.. Hand them loopback for their gateway and dns 127.0.0.1 in your reservation..
But I would think prob be less likely for them to "catch" on if you just gave them valid info and then just blocked them at the firewall..
You can not really give them a different IP range in pfsense, dhcp.. Since your reservation has to be in the network subnet the dhcp server is running on.. Just outside the scope.
If you are running the controller its just so much easier to block them there. And just leave them blocked. Vs going through the work of setting up reservation with bogus info or firewall rules, etc.
-
I would love to give invalid DHCP leases to people.
Perhaps 127.0.0.1? ;)
-
One VLAN for you and your wife with internet and LAN side and the guests over their own VLAN with the Captive Portal would be my try here.
- Private WiFi with Radius & certificates: LAN and Internet
- Guest WiFi with Captive Portal and vouchers system sorted in groups and each group with its own time limit: Internet only
-
^^^^
Many access points support multiple SSIDs and VLANs. No need for a RADIUS server, just set up the guest WiFi on a 2nd SSID & VLAN. Then configure pfSense to allow the guest SSID/VLAN access to the Internet only.
-
All the other vlans and such don't work when the wifi gives out the info to what she connects to, etc. Setting up eap-tls or something so the wife can't give out the info would be a solution. But not sure how any other ssid works?
-
Surely the easiest way is to spend an hour or so grabbing MAC address for known devices in your house, and then create DHCP reservations for these. Keep the IP range small, and then create one firewall rule to pass these, and another to block everything else.
The chances of neighbours doing static IP in the correct range is fairly low ?
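
Added example, not part of the original post: a way to keep the known-device inventory suggested above without a spreadsheet, by comparing the DHCP leases file against a list of household MACs and reporting the rest. It assumes the ISC dhcpd leases-file format; the `KNOWN` inventory, the function names and all sample values are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd leases-file format; all values are made up.
# The file is an append-only log, so 192.168.2.103 appears twice on purpose.
SAMPLE_LEASES = """
lease 192.168.2.101 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "rich-laptop";
}
lease 192.168.2.103 {
  binding state active;
  hardware ethernet 3c:5a:b4:aa:bb:cc;
}
lease 192.168.2.102 {
  binding state active;
  hardware ethernet AC:DE:48:00:11:22;
  client-hostname "game-console";
}
lease 192.168.2.104 {
  binding state active;
  hardware ethernet da:a1:19:01:02:03;
}
lease 192.168.2.103 {
  binding state free;
  hardware ethernet 3c:5a:b4:aa:bb:cc;
}
"""
# Hypothetical household inventory; keys must be lowercase MACs.
KNOWN = {"00:11:22:33:44:55": "Rich laptop"}

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
FIELD_RE = re.compile(r"^\s*(binding state|hardware ethernet|client-hostname)\s+(.*?);", re.M)

def active_leases(text):
    """Return {ip: fields}, keeping only the last record per IP if active."""
    last = {ip: dict(FIELD_RE.findall(body)) for ip, body in LEASE_RE.findall(text)}
    return {ip: f for ip, f in last.items()
            if f.get("binding state") == "active" and "hardware ethernet" in f}

def unknown_clients(text, known):
    """List (mac, ip, hostname, randomized) for active leases not in `known`."""
    found = []
    for ip, f in sorted(active_leases(text).items()):
        mac = f["hardware ethernet"].lower()
        if mac not in known:
            # Locally administered bit set: likely a per-network random MAC.
            randomized = bool(int(mac[:2], 16) & 0x02)
            found.append((mac, ip, f.get("client-hostname", "").strip('"'), randomized))
    return found
```

A device flagged as randomized may show up under a different MAC the next time it joins, so a block or reservation keyed on that address will not necessarily stick.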
-
So adding a lease but not putting an IP & adding 127.0.0.1 allows connectivity but doesn't assign any IP - this is perfect!