Netgate Discussion Forum

    Block personal wireless devices at work

    General pfSense Questions
    8 Posts 5 Posters 599 Views
    • detox

      Hello.

      I think my question will be answered by "you can't" but here it goes......
      I want to tighten up my wireless access at work and deny services to cell phones / tablets / etc. Only allow work PCs and laptops. Everything else (IoT) can connect on a 'guest' network.

      Aside from cataloging each laptop / PC MAC address and setting a rule that, if it does not match, access is forbidden, is there an "easier softer way" to restrict use to a staff WiFi?

      The other way I thought of, is monitor the staff WiFi for any phones / tablets and block them when I see it. Again, a horrible tedious exercise.

      So, please let me know if there is a way. If not, my days will be occupied as the WiFi Gestapo.

      Thanks

      • stephenw10 (Netgate Administrator)

        802.1x auth on your APs? If they support it.

        If nothing else it would make it inconvenient to connect other things. You would also log everything that is connecting making it easier to block things.

        Steve

        • JKnott @detox

          @detox

          What you can do is map IP addresses to MAC addresses and don't allow anything else to get an address. Beyond that, pfsense does not filter on MAC addresses. As @stephenw10 mentioned, you need some sort of authentication beyond basic pfsense.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • Gertjan @detox

            You're close to the optimal solution:

            @detox said in Block personal wireless devices at work:

            the WiFi Gestapo

            You have to make all the allowed members of your trusted network members of the Gestapo club.
            Like this:
            You change the Wifi password, and inform each allowed member of this password.
            You do this once.
            Next time, when you see a non-allowed member on the network, you change the Wifi password again.
            This time you tell no one.
            They (the allowed ones) will find you.
            Only then, you tell them that you had to change the password because some "someone" of your Gestapo group wasn't able to keep his mouth shut.

            This will probably happen one or two times after that - and then the issue stops. As all the members of your group will have one identical goal: find the one that talks. And working as a group, the individual will get caught.

            Edit: if this works out, call me, I'll bring the crude oil and feathers.

            Or transform your trusted LAN into a captive portal. Now you can add MAC-based rules, as ipfw, the captive portal firewall, can handle MACs - the ordinary pf firewall cannot.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit: and where are the logs??

            • detox @Gertjan
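JKnott's suggestion (static IP-to-MAC mappings, nothing else gets an address) and Gertjan's captive-portal MAC rules both come down to keeping an allowlist of staff MACs, and the original poster asked about spotting phones that show up on the staff WiFi. The following is an added example, not code from the thread or from pfSense: it parses FreeBSD `arp -an` output (what the pfSense shell prints), reports neighbours on the trusted interface that are not on the allowlist, and flags randomised MACs, which phones commonly use and which a static allowlist can never match. The MACs, IPs and interface name are constructed sample values.

```python
"""Audit a trusted WLAN segment for MAC addresses not on the staff allowlist."""
import re

# Staff laptops/PCs, as you would record them as DHCP static mappings
# (constructed sample values).
ALLOWED_MACS = {
    "00:11:22:aa:bb:01",
    "00:11:22:aa:bb:02",
}

# Constructed sample of `arp -an` output; igb1 is the assumed trusted WLAN interface.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:11:22:aa:bb:f0 on igb1 permanent [ethernet]
? (192.168.10.20) at 00:11:22:aa:bb:01 on igb1 expires in 1180 seconds [ethernet]
? (192.168.10.21) at 00:11:22:aa:bb:02 on igb1 expires in 900 seconds [ethernet]
? (192.168.10.77) at 0a:5e:3c:d4:19:88 on igb1 expires in 1195 seconds [ethernet]
? (192.168.10.78) at 00:11:22:aa:bb:03 on igb1 expires in 600 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)", re.I
)


def parse_arp(text):
    """Return one dict per ARP entry: ip, mac (lower-cased), iface, permanent."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            d["permanent"] = " permanent " in line  # the firewall's own address
            entries.append(d)
    return entries


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered (randomised)
    MAC, so a static allowlist would never have matched this device."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_unknown(entries, allowed, iface):
    """MACs seen on `iface` that are neither allowed nor the firewall itself."""
    unknown = []
    for e in entries:
        if e["iface"] != iface or e["permanent"] or e["mac"] in allowed:
            continue
        unknown.append({**e, "randomised": is_locally_administered(e["mac"])})
    return unknown
```

Run it against live output with `find_unknown(parse_arp(subprocess.check_output(["arp", "-an"], text=True)), ALLOWED_MACS, "igb1")` on the firewall; a non-empty result is the list to investigate, and a randomised MAC in it is a hint that the device is a phone or tablet rather than a mislabelled laptop.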

              @gertjan
              Thanks so much for your solution. This crosses into the realm of "sneaky pete".

              However, it certainly seems like the best solution with a short learning curve for users.

              Thanks again!

              • akuma1x

                This is how I do it at work, since I'm in charge of all the tech gear.

                I have 2 wireless networks - 1 is the LAN (trusted) network, the other is a GUEST network (VLAN'd away from the LAN network). I put all the work gear on the LAN network, and don't share the password. I don't even share it with the owners. It is in a safe spot, just in case they need it, 'cuz I don't want to hide anything from them. The GUEST network also has a password, but it's shared openly - on the bulletin board, on some small signs in the training & conference rooms, on some p-touch label stickers on the clocks, etc. This network is used for employees that bring their personal gear to the office - cell phones, tablets, smart watches, and other stuff.

                Basically, what I would suggest is: lock down the trusted wireless network with a good password, and make the GUEST or other wireless networks plain simple to get on.

                • detox @akuma1x

                  @akuma1x
                  Thanks so much for the suggestion. It seems fairly painless for all.

                  • JKnott @akuma1x

                    @akuma1x said in Block personal wireless devices at work:

                    It is in a safe spot, just in case they need it

                    Sticky note on the monitor? 😉

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...
