Netgate Discussion Forum

    Allow PC on OPT1 access to SMB share on LAN interface

      blimpyboy

      My LAN and OPT1 interfaces are normally completely separate, but I have one machine on OPT1 which I'd like to allow access to an SMB share on a machine on the LAN interface.  I can do it by creating a rule on OPT1 which passes TCP traffic from OPT1 client 192.168.200.34 to the LAN pc hosting the share @ 192.168.100:32:445.

      I've just tested this and it works, but is there a way of making it a tad more secure than just fixing the IP of the client?
      rule.png
        johnpoz LAYER 8 Global Moderator

        Like what?  Are you saying you're worried about some other device on your opt1 network using this 192.168.200.34 IP?

        You could lock it down via static arp on pfsense… So pfsense would only be able to talk to the specific mac address of your device on that IP.

        You could setup 802.1x so that device has to auth in some way to even talk on your network, etc. etc.

        If you wanted you could setup captive portal so that devices have to know a username or password to get on your network, or have a voucher, etc.

        But once you setup a dhcp reservation for this mac to always get that IP - it's not like some other device would happen to get that IP.. They would have to set it manually... And then they would have to know the username and password to auth to your smb share anyway.  And is this network wireless or wired? Since if wired, for them to be on the opt1 network they would have to have physical access to your network.

        Maybe if you describe why you feel your firewall rules are not secure enough we can discuss methods of mitigating your concerns.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1
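
A defender-side check for the concern discussed in this thread, added here as an example (it is not from either poster and is not pfSense code): it audits `arp -an` output against the DHCP reservation and reports when 192.168.200.34 is answered by an unexpected MAC, when the reserved MAC shows up on another IP, or when the binding is not a static ARP entry. The MAC addresses, the interface name `igb2` and the sample table are constructed assumptions.

```python
import re

# Constructed reservation for the OPT1 client in the thread; the MAC is a placeholder.
RESERVED = {"192.168.200.34": "02:00:00:aa:bb:34"}

# Constructed sample in the line format FreeBSD's `arp -an` prints.
SAMPLE_ARP = """\
? (192.168.200.1) at 02:00:00:aa:bb:01 on igb2 permanent [ethernet]
? (192.168.200.34) at 02:00:00:cc:dd:99 on igb2 expires in 1187 seconds [ethernet]
? (192.168.200.50) at 02:00:00:aa:bb:34 on igb2 expires in 640 seconds [ethernet]
? (192.168.200.77) at (incomplete) on igb2 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) "
    r"on (?P<iface>\S+) (?P<state>permanent|expire\w*)"
)

def parse_arp(text):
    """Yield (ip, mac, iface, is_static) for every resolved ARP entry."""
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m["mac"] != "(incomplete)":
            yield m["ip"], m["mac"].lower(), m["iface"], m["state"] == "permanent"

def audit(text, reserved=RESERVED):
    """Return findings where the ARP table disagrees with the reservations."""
    owner_of = {mac.lower(): ip for ip, mac in reserved.items()}
    findings = []
    for ip, mac, iface, is_static in parse_arp(text):
        expected = reserved.get(ip)
        if expected and mac != expected.lower():
            # Another device is answering for the IP the firewall rule trusts.
            findings.append(("ip-claimed-by-other-mac", ip, mac, iface))
        elif expected and not is_static:
            # Right device, but the IP-to-MAC binding is only a dynamic entry.
            findings.append(("reservation-not-static", ip, mac, iface))
        if mac in owner_of and owner_of[mac] != ip:
            # The reserved device is using an address the rule does not cover.
            findings.append(("reserved-mac-on-other-ip", ip, mac, iface))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP):
        print(*finding)
```

A MAC address can be changed by the device that presents it, so a clean result here only shows that the table matches the reservation, not that the device is authenticated.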

        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.