IP whitelisting



  • I want to enable a portal as an extra security layer on an existing mixed-use network and I have a few questions:

    (1) Does IP whitelisting modify the ruleset for an interface? Like policy routing, for instance, or does it "move it to the top"? The fact that rules must be added for the traffic sort of answers my question, but just in case I'm wrong.

    Also, (2) is the CIDR part on the address meant for subnet ranging or just for the subnet of a given address? For instance, could I enter 10.0.0.0 (or .1)/24 to specify the first /24 of 10.0.0.0/22?

    Lastly, I understand that I need to whitelist in the direction of a server or from a server in some other interface, but (3) what happens in the case of NAT where port forwarding rules are supposed to give a reply-to path to the traffic (as well as allow it even if blocked)? Do I still need to whitelist those?

    Thanks for your help guys. :)



  • Captive portals are for a bunch of non-trusted devices, where you want to 'control' the access.
    No NAT, no servers etc on the network.

    Doing so, life will be simple.

    But, if you want to put servers on a captive portal, ok, you can NAT to them from elsewhere. Nothing changes - no need to whitelist its IP. Remember, you're dealing with a stateful firewall here.

    CIDR : I don't know. Probably yes, it will work.

    Btw : Use this : https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

    Whitelist some IPs - some MACs - and log in to the portal with a device.
    Now inspect the ipfw firewall with the mentioned commands.
    You'll get the picture.

    Also : ipfw rules come first.
    Then the GUI firewall rules that you have for that captive portal interface.
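As an added illustration (not pfSense's own code and not part of the thread), the following Python models the two points above: how an "address/prefix" whitelist entry such as 10.0.0.1/24 is read as a network (question 2), and the ordering the reply describes, where the portal's ipfw layer decides first and the interface's GUI rules apply only to clients that got past it. The whitelist, GUI rules and the first-match evaluation are constructed assumptions for the model, not pfSense internals.

```python
import ipaddress
from typing import Iterable, List, Tuple

def normalize_entry(entry: str):
    """Turn a whitelist entry such as '10.0.0.1/24' into its network.

    strict=False mirrors the usual reading of 'address/prefix': host bits
    are discarded, so '10.0.0.1/24' and '10.0.0.0/24' both mean 10.0.0.0/24,
    i.e. the first /24 inside 10.0.0.0/22. A bare address becomes a /32.
    """
    return ipaddress.ip_network(entry, strict=False)

def covers_subrange(entry: str, larger: str) -> bool:
    """True if the normalized entry is a sub-network of `larger`."""
    return normalize_entry(entry).subnet_of(ipaddress.ip_network(larger, strict=False))

def is_whitelisted(addr: str, entries: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in normalize_entry(e) for e in entries)

# Constructed sample data (assumed for this model): portal whitelist entries
# and a first-match GUI ruleset for the captive portal interface.
WHITELIST = ["10.0.0.1/24", "192.168.50.10"]
GUI_RULES: List[Tuple[str, str]] = [("block", "10.0.3.0/24"), ("pass", "0.0.0.0/0")]

def decide(addr: str, whitelist=WHITELIST, gui_rules=GUI_RULES,
           authenticated: bool = False) -> str:
    """Simplified model of evaluation order: portal (ipfw) layer first,
    then the interface's GUI rules. Returns 'portal', 'pass' or 'block'."""
    if not (authenticated or is_whitelisted(addr, whitelist)):
        # Not authenticated and not whitelisted: the portal layer intercepts.
        return "portal"
    # Past the portal; the GUI ruleset is evaluated first-match.
    ip = ipaddress.ip_address(addr)
    for action, net in gui_rules:
        if ip in ipaddress.ip_network(net, strict=False):
            return action
    return "block"  # implicit default deny when nothing matched

if __name__ == "__main__":
    print(normalize_entry("10.0.0.1/24"))          # 10.0.0.0/24
    print(decide("10.0.0.200"))                     # pass (whitelisted, then GUI pass)
    print(decide("10.0.1.5"))                       # portal (outside the /24)
    print(decide("10.0.3.7", authenticated=True))   # block (GUI rules still apply)
```

Whitelisting only gets a client past the portal layer; the interface's GUI rules still decide what that client may reach.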



  • @Gertjan Thank you so much for the link and the explanation.

    I was using the book as a reference; I always forget the troubleshooting sections on the website that are packed with useful stuff.

    Thanks again!

