Netgate Discussion Forum

    Deny dhcp lease and lan access to unknow and unwanted devices

General pfSense Questions
9 Posts 6 Posters 713 Views
• T.Soprano

Is it possible to deny a DHCP IP lease and LAN access to unknown / unwanted devices that try to connect via Ethernet cable or WiFi?
Here is my current situation:
telecom modem >
> pfSense >
> Office LAN via cable and
> WiFi AP without a DHCP server; only pfSense has the DHCP server.

pfSense with MAC filter + ARP/IP filter to issue DHCP leases.

Every employee has their own office-assigned PC with a known MAC and IP.

But...
If someone clones a MAC and uses the same IP as their office PC, shuts down the office PC, and uses their own personal laptop, pfSense issues the IP and grants access.

Is there a way to prevent this?
Can pfSense check something else besides MAC and IP from the LAN PC, for example a specific HWID that is not clonable?

Or any other way, please?
Thanks for your time.

• kiokoman (LAYER 8)

Uhm, AFAIK nothing...
Maybe port security on the switch and NAC can be of help.
Static ARP or DAI can't help with that.

• JKnott @T.Soprano

@T-Soprano said in Deny dhcp lease and lan access to unknow and unwanted devices:

If someone clones a MAC and uses the same IP as their office PC, shuts down the office PC, and uses their own personal laptop, pfSense issues the IP and grants access.

If they're spoofing the MAC and plugging into the same switch port, then nothing can be done, as there is no way to tell which computer it is.

pfSense running on a Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

• johnpoz (LAYER 8 Global Moderator)

You want to prevent someone from removing device X from port Y, and then using the same MAC as device X on port Y?

Yeah, that is not really possible without a NAC/PNAC that checks other stuff. Not something you can do with just pfSense. 802.1X can be used to auth a device, etc.

If you want to stop device Z from turning off device X, and then plugging into a different port using device X's MAC, then you could just use port security on your switch ports.

If this is only via wireless, they would have to auth with valid user creds; use something more than just WPA/WPA2 PSK. Set up WPA2-Enterprise. Using something like EAP-TLS, they would also need a valid cert to auth with, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

• NogBadTheBad
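The point the replies converge on (MAC and IP are written by the client, so a lease gate built on them cannot tell the office PC from a laptop wearing its MAC, while 802.1X asks for something the clone does not have) can be shown in code. The following is an added example, not pfSense code and not from any poster in this thread. It builds and parses a DHCPDISCOVER with the RFC 2131/2132 layout, applies a "deny unknown clients" allowlist, and then runs the same two devices through a challenge/response that requires a per-device secret. HMAC-SHA256 with a provisioned key is used here as a simplified stand-in for the EAP-TLS certificate handshake; the MACs, key and packets are all constructed for the example.

```python
"""
Added example (not pfSense code): a DHCP allowlist keyed on MAC lets a
cloned MAC through, while an 802.1X-style check that demands proof of a
per-device secret does not. Packet layout per RFC 2131 (fixed header)
and RFC 2132 (options). HMAC-SHA256 with a provisioned key stands in for
the EAP-TLS client certificate; real 802.1X runs EAP on the switch port
before any IP traffic is allowed. All MACs, keys, packets: constructed.
"""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 section 2
OFFICE_MAC = bytes.fromhex("001122334455")  # constructed
ROGUE_MAC = bytes.fromhex("66778899aabb")   # constructed

# pfSense-style static mappings: MAC -> reserved address (constructed).
STATIC_MAPPINGS = {OFFICE_MAC: "192.0.2.10"}

# Secret provisioned out of band (stand-in for an EAP-TLS client key).
# An attacker can copy the MAC and IP, but not this.
OFFICE_KEY = hashlib.sha256(b"constructed example key, not a real one").digest()
DEVICE_KEYS = {OFFICE_MAC: OFFICE_KEY}


def build_discover(mac: bytes, hostname: str) -> bytes:
    """Build a minimal DHCPDISCOVER over Ethernet (htype 1, hlen 6)."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    hdr += mac.ljust(16, b"\x00")   # chaddr (16 bytes)
    hdr += b"\x00" * 64             # sname
    hdr += b"\x00" * 128            # file
    name = hostname.encode()
    opts = (MAGIC_COOKIE
            + bytes([53, 1, 1])              # option 53: message type DISCOVER
            + bytes([61, 7, 1]) + mac        # option 61: client-id (htype + MAC)
            + bytes([12, len(name)]) + name  # option 12: hostname
            + b"\xff")                       # end
    return hdr + opts


def parse_discover(pkt: bytes) -> dict:
    """Extract chaddr and the options a server might be tempted to trust."""
    op, htype, hlen = pkt[0], pkt[1], pkt[2]
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not an Ethernet BOOTREQUEST")
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    chaddr = pkt[28:28 + hlen]
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                     # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "chaddr": chaddr,
        "client_id": options.get(61),
        "hostname": options.get(12, b"").decode(errors="replace"),
    }


def dhcp_decision(pkt: bytes, mappings=STATIC_MAPPINGS):
    """'Deny unknown clients': offer the reserved IP only for a known MAC.

    chaddr, option 61 and option 12 are all written by the client, so a
    cloned MAC is indistinguishable from the real one. Returns the
    offered address, or None to ignore the request.
    """
    return mappings.get(parse_discover(pkt)["chaddr"])


class Supplicant:
    """A device on the wire: it has a MAC, and maybe the provisioned key."""

    def __init__(self, mac: bytes, key=None):
        self.mac, self.key = mac, key

    def respond(self, challenge: bytes) -> bytes:
        if self.key is None:                # clone: can only guess
            return os.urandom(32)
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def authenticate(supplicant: Supplicant, keys=DEVICE_KEYS) -> bool:
    """Authenticator side: fresh challenge, verify proof of the device key."""
    key = keys.get(supplicant.mac)
    if key is None:
        return False
    challenge = os.urandom(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, supplicant.respond(challenge))


def demo() -> dict:
    """Run the cases from the thread and return the outcomes."""
    return {
        "office_pc_lease": dhcp_decision(build_discover(OFFICE_MAC, "office-pc")),
        "unknown_laptop_lease": dhcp_decision(build_discover(ROGUE_MAC, "laptop")),
        # Laptop with the office PC's MAC cloned: the DHCP gate lets it in.
        "cloned_mac_lease": dhcp_decision(build_discover(OFFICE_MAC, "laptop")),
        "office_pc_8021x": authenticate(Supplicant(OFFICE_MAC, OFFICE_KEY)),
        # Same cloned MAC, but no key: the 802.1X-style check refuses it.
        "cloned_mac_8021x": authenticate(Supplicant(OFFICE_MAC, None)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

Note that even the hostname and client-identifier options, which some DHCP servers let you match on, are attacker-controlled bytes in the same packet; only the challenge step, which needs a secret the cloned device never received, separates the two machines.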

OpenNAC; I've never used it, but it may help you.

              http://www.opennac.org/opennac/en.html

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

• Konstanti @T.Soprano

                @T-Soprano
802.1X + FreeRADIUS

• JKnott @johnpoz

                  @johnpoz said in Deny dhcp lease and lan access to unknow and unwanted devices:

use something more than just WPA/WPA2 PSK.

Even with PSK, if the admin enters the password and doesn't tell anyone what it is, then they could keep other computers off. Of course, that only works if the device doesn't make the password available.

• johnpoz (LAYER 8 Global Moderator)

Yeah, that would be a possibility, I guess.

• T.Soprano

I've done this using a self-made captive portal page, but thanks anyway for your hints.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.