Block Unknown clients when connecting to our network



  • How can I block unknown clients when they are connecting to our network?

    I have already set up DHCP MAC-based filtering and firewall rules, but my problem is that if a person knows our IP range, he can manually enter an address from that range on his system and connect to our network easily. I just want to block all unknown devices when they connect to our network with a manually configured IP; only PCs whose MAC address is listed should be able to enter our network. I have already done MAC binding in DHCP and allow some people to connect to the internet through a firewall rule, but if someone knows the IP range that is allowed for internet access, he can manually enter an IP on his PC, connect the cable, browse the internet and even connect to our network too.



  • You can't have an unknown device without first defining what a "known" device is.

    I'm only aware of 3 options

    1. Physically secure your network and don't let "unknown" devices on
    2. Get a switch that supports authentication. Very expensive. Effectively places a port in a "guest" vlan until the client authenticates, then switches the vlan to whatever your "internal" vlan is.
    3. Use VPN. Force all clients to connect to pfSense via VPN tunnels, even if on the LAN

    In general, if you can't trust the LAN, you've lost the war. No point in a firewall at that point.



  • This is the purpose of NAP. Built into Windows 2008R2 and up, as well as offered by PacketFence and some others for free. Both solutions utilize RADIUS and VLANs. Initial requests are put into an isolated VLAN for assessment. If they pass the assessment they can be re-VLAN'd dynamically to a corporate VLAN, or onto a guest/DMZ VLAN for remediation or guest processing. Could be as cheap as $0 plus your electricity ;)



  • It's been about 15 years, but I think NAP requires 802.1X. I only worked with this in a 100-level networking class many years ago, and most enterprises are not smart enough to use this technology from 2001.

    Strangely recent
    https://it.slashdot.org/story/18/01/27/016207/is-it-time-for-zero-trust-corporate-networks


  • Netgate

    What is the problem environment?

    Why can you not control who connects and where?

    Open Wi-Fi or cross-connected, open wired jacks all over the place?



  • My company building has 4 lounges in 2 buildings. Building 2 is connected with a UBNT wireless bridge. Everywhere we have physical network points and Wi-Fi too. I did DHCP static mappings for the clients, so only the MAC-mapped clients get an IP automatically, but my problem is those who know our IP range: if someone puts it manually on his device, then it works.

    After that I chose this option:

    ARP Table Static Entry
    Create an ARP Table Static Entry for this MAC & IP Address pair.

    Then it works well and unknown clients can't connect to our network, even if they put our IP address in manually or get one by DHCP.

    But my problem here is that in building no. 2 even the mapped DHCP clients are not working either.



  • It's not difficult to spoof a MAC address and it's not difficult to find which MAC address to use.
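As an added illustration of the two points above (the static ARP / DHCP mapping approach, and the warning that a MAC is easy to spoof), here is a small audit script that is not from the original thread or from pfSense. It takes the MAC-to-IP allow list an admin would keep as DHCP static mappings and compares it against ARP traffic seen on the wire (a constructed `tcpdump -e -n arp` capture; the addresses, interface names and timestamps are made up). It flags a manually configured unknown device, an allowed IP claimed by the wrong MAC, and an allowed MAC showing up with an IP it is not bound to. What it cannot flag is a perfect clone (allowed MAC plus allowed IP on a stranger's box), which is exactly why the thread's answer is 802.1X or port VLANs at the switch rather than anything on the firewall.

```python
"""Audit ARP traffic against a pfSense-style static MAC/IP mapping list.

Added example, not part of the original forum thread. The allow list and the
tcpdump capture below are constructed for illustration; real data would come
from the DHCP static mappings and from `tcpdump -e -n -i <lan_if> arp`.
"""
import re
from collections import defaultdict

# Constructed allow list (ip -> mac), the equivalent of DHCP static mappings.
ALLOWED = {
    "10.0.10.11": "00:11:22:33:44:01",
    "10.0.10.12": "00:11:22:33:44:02",
    "10.0.10.13": "00:11:22:33:44:03",
}

# Constructed `tcpdump -e -n arp` output. Line 3 is a stranger with a manual
# IP, line 4 is a stranger who took an allowed IP, line 7 is an allowed MAC
# (cloned, or misconfigured) using an IP it is not bound to.
CAPTURE = """\
11:00:01.000001 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.11, length 28
11:00:01.000002 00:11:22:33:44:02 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 10.0.10.12 is-at 00:11:22:33:44:02, length 28
11:00:02.000003 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.50, length 28
11:00:03.000004 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.12, length 28
11:00:04.000005 00:11:22:33:44:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.13, length 28
11:00:05.000006 00:11:22:33:44:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.13, length 28
11:00:06.000007 00:11:22:33:44:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.10.1 tell 10.0.10.77, length 28
"""

# Ethernet source MAC, then either "Request who-has X tell <sender_ip>" or
# "Reply <sender_ip> is-at <sender_mac>".
LINE_RE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"(?:Request who-has \S+ tell (?P<tell>[\d.]+)"
    r"|Reply (?P<reply>[\d.]+) is-at (?P<reply_mac>[0-9a-f:]{17}))"
)


def parse_claims(capture):
    """Return (sender_mac, sender_ip) pairs, one per ARP frame in the capture."""
    claims = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ARP line we understand; skip it
        ip = m.group("tell") or m.group("reply")
        # For a Reply prefer the ARP-level sender MAC, else the Ethernet source.
        mac = (m.group("reply_mac") or m.group("src")).lower()
        claims.append((mac, ip))
    return claims


def audit(claims, allowed):
    """Compare observed (mac, ip) claims with the allow list and return findings.

    Each finding is (kind, ip_or_ips, mac_or_macs).
    """
    mac_to_ip = {mac.lower(): ip for ip, mac in allowed.items()}
    findings = []
    by_ip = defaultdict(set)
    by_mac = defaultdict(set)
    for mac, ip in sorted(set(claims)):  # de-duplicate repeated frames
        by_ip[ip].add(mac)
        by_mac[mac].add(ip)
        if ip in allowed and allowed[ip].lower() != mac:
            findings.append(("allowed_ip_wrong_mac", ip, mac))
        elif mac in mac_to_ip and mac_to_ip[mac] != ip:
            findings.append(("allowed_mac_unexpected_ip", ip, mac))
        elif ip not in allowed and mac not in mac_to_ip:
            findings.append(("unknown_device", ip, mac))
        # allowed mac + allowed ip is accepted: a perfect clone is invisible here
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            findings.append(("ip_claimed_by_multiple_macs", ip, ",".join(sorted(macs))))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claimed_multiple_ips", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(parse_claims(CAPTURE), ALLOWED):
        print(f"{kind:30} ip={ip:24} mac={mac}")
```

Run it against a live capture by piping `tcpdump -l -e -n -i igb1 arp` into `parse_claims` instead of the constructed text. It is a detection aid only: nothing here stops the stranger from talking to other hosts on the same segment, and a cloned allowed MAC with the matching IP produces no finding at all.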


  • Netgate

    The solution is to put all the ports you don't want active on a blank VLAN with no access to anything except maybe anyone else who connected to a port they should not be connected to.

    That, or 802.1x, as has been stated.

    You are not going to solve your layer 2 problem with a layer 3 device. Has to be done in the switches/wifi.