pfsense static ip problem
-
If a different IP address is given manually on the computer to a MAC address that has a static IP assigned by pfSense, all the rules given to that user become meaningless.
But if the IP address of a MAC address that was given a static IP by pfSense is changed on the computer and that computer is then blocked from accessing the internet, that would be a solution.
How can we do this? What I want, in summary: if the computer gets an IP other than the static IP assigned by pfSense, it will block the internet.
-
This issue is clearly a security vulnerability in my opinion, because IP-specific rules can easily be bypassed by the user changing the IP on the computer.
Does anyone know a solution?
-
@enesas you could do static arp in pfsense, to prevent a mac from using a different IP.
You understand a MAC address is also easy enough to change.
If your concern is a user's IP or MAC address changing to bypass rules specific to that IP, what is common practice is to place all devices using a set of rules in a specific VLAN, and then set those rules for the VLAN instead of calling out specific IPs that can or cannot do specific things. Then it really doesn't matter what MAC or IP a device has. And per your network, it shouldn't be possible for your client to change VLANs without physical access to a port on a different VLAN, changing their wifi connection, etc.
And even if they could plug into a different switch port, it is possible to set up security to prevent devices from accessing a port they are not supposed to be on: port security, 802.1X, etc.
-
@johnpoz Thanks for your explanation.
-
When using static ARP, a problem with obtaining IPs automatically occurs. In this case, it would be necessary to give a static IP to all computers.
But I give static IPs to some fixed users and create a special rule for them. I'm setting general rules for the rest of the auto-IP range.
-
I have already created VLANs. I need to set additional rules for some IPs in this VLAN (for example, an internet ban at certain hours, speed rules, access restrictions to some sites...).
And another problem I noticed: I can manually assign, from the computer, a static IP address that I assigned in pfSense to a different MAC address.
Sample:
I added a MAC address in pfSense:
xx:xx:xx:xx > 192.168.3.5
Manually from the computer, when I do bb:bb:bb:bb > 192.168.3.5, I get that IP address, and so I can use the broad privileges given to that special IP.
Big trouble..... Note: I have used a Draytek product before. In that case, if I assigned a MAC address as static, it would not be able to access the Internet when I manually changed the IP address from the computer for the same MAC address.
So that's exactly the feature I want, but unfortunately pfSense also has this problem.
-
@enesas said in pfsense static ip problem:
but unfortunately pfSense also has this problem.
pfSense supports static ARP, and you can assign IP xyz to MAC aa:bb:cc etc., and if that combo is not correct then pfSense would not talk to that device, i.e. IP xyz to MAC aa:cc:bb, or IP abc to MAC aa:bb:cc.
See static ARP under
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#other-options
-
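As an added illustration of the two mismatches johnpoz describes (this is example code, not from the thread or from pfSense), the script below parses `arp -an` style output and compares it against a table of static mappings. The mapping table and the ARP lines are constructed samples; on a real firewall the output would come from running `arp -an` on the pfSense shell.

```python
import re
from typing import Dict, List, Tuple

# Static mappings as configured in pfSense (MAC -> IP).
# Constructed sample data for this example, not a real config.
STATIC_MAPPINGS: Dict[str, str] = {
    "aa:aa:aa:aa:aa:aa": "192.168.3.5",
    "cc:cc:cc:cc:cc:cc": "192.168.3.6",
}

# Constructed sample of `arp -an` output in FreeBSD/pfSense format.
ARP_OUTPUT = """\
? (192.168.3.5) at bb:bb:bb:bb:bb:bb on em1 expires in 1196 seconds [ethernet]
? (192.168.3.6) at cc:cc:cc:cc:cc:cc on em1 expires in 1180 seconds [ethernet]
? (192.168.3.77) at aa:aa:aa:aa:aa:aa on em1 expires in 900 seconds [ethernet]
? (192.168.3.1) at 00:11:22:33:44:55 on em1 permanent [ethernet]
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from `arp -an` output; MACs lowercased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_violations(static: Dict[str, str], arp: List[Tuple[str, str]]) -> List[str]:
    """Flag the two abuses discussed in the thread:
    - a reserved IP seen on a MAC other than the one it is assigned to
      (another host manually configured the privileged address);
    - a reserved MAC seen on some other IP (the reserved host changed
      its address and so escapes the rules written for that IP)."""
    ip_to_mac = {ip: mac for mac, ip in static.items()}
    findings = []
    for ip, mac in arp:
        expected_mac = ip_to_mac.get(ip)
        if expected_mac and mac != expected_mac:
            findings.append(f"{ip} reserved for {expected_mac} but seen on {mac}")
        expected_ip = static.get(mac)
        if expected_ip and ip != expected_ip:
            findings.append(f"{mac} reserved {expected_ip} but is using {ip}")
    return findings


if __name__ == "__main__":
    for finding in find_violations(STATIC_MAPPINGS, parse_arp(ARP_OUTPUT)):
        print("ALERT:", finding)
```

With the sample data this reports both the foreign MAC holding 192.168.3.5 and the reserved MAC wandering off to 192.168.3.77; a static ARP entry would have stopped the first case at the firewall, while the second is what a VLAN-based rule set makes irrelevant.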
@johnpoz Static ARP works as you say. But sometimes you plug in a computer so it can access the internet quickly. With this method, you will have to go and add the MAC address to pfSense every time.