Netgate Discussion Forum

pfsense static ip problem

DHCP and DNS
  • E
    enesas
    last edited by Apr 25, 2022, 11:21 AM

    If a different IP address is set manually on the computer for a MAC address that has a static IP assigned by pfSense, all the rules given to that user become meaningless.

    But if the computer were blocked from accessing the internet when the IP address of a MAC address given a static IP by pfSense is changed on the computer, that would be a solution.
    How can we do this?

    In summary, I want this: if the computer gets an IP other than the static IP assigned by pfSense, it is blocked from the internet.

    • E
      enesas @enesas
      last edited by Apr 27, 2022, 8:21 AM

      This issue is clearly a security vulnerability in my opinion, because IP-specific rules can easily be bypassed by the user changing the IP on the computer.
      Does anyone know a solution?

      • J
        johnpoz LAYER 8 Global Moderator @enesas
        last edited by Apr 27, 2022, 8:36 AM

        @enesas you could do static ARP in pfSense, to prevent a MAC from using a different IP.

        You understand a MAC address is also easy enough to change.

        If your concern is a user changing IP or MAC address to bypass rules specific to that IP, common practice is to place all devices using a set of rules in a specific VLAN, and then set those rules for the VLAN vs calling out specific IPs that can or cannot do specific things. Then it really doesn't matter what MAC or IP a device has. And per your network it shouldn't be possible for your client to change VLANs without physical access to a port on a different VLAN, or changing their wifi connection, etc.

        And even if they could plug into a different switch port, it is possible to set up security to prevent devices from accessing a port they are not supposed to be on: port security, 802.1X, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • E
          enesas
          last edited by enesas Apr 27, 2022, 10:46 AM Apr 27, 2022, 10:37 AM

          @johnpoz Thanks for your explanation.

          • When using static ARP, a problem occurs with obtaining an IP automatically. In this case, it will be necessary to give a static IP to all computers.
            But I give static IPs to some fixed users and create a special rule for them. I set general rules for the rest of the automatic IP range.

          • I already created VLANs. I need to set additional rules for some IPs in this VLAN (for example, an internet ban at certain hours, speed rules, access restrictions to some sites...).

          And I noticed another problem: from the computer, I can manually assign a static IP address that I assigned in pfSense to a different MAC address.
          Example:
          I added a MAC address in pfSense:
          xx:xx:xx:xx > 192.168.3.5

          Manually, from the computer:
          When I do bb:bb:bb:bb > 192.168.3.5 I get that IP address, and so I can use the broad privileges given to that special IP.
          Big trouble.....

          Note: I have used a Draytek product before. In that case, if I assigned a MAC address as static, it would not be able to access the Internet when I manually changed the IP address from the computer for the same MAC address.
          So that's exactly the feature I want, but unfortunately pfSense also has this problem.

          • J
            johnpoz LAYER 8 Global Moderator @enesas
            last edited by Apr 27, 2022, 10:44 AM

            @enesas said in pfsense static ip problem:

            but unfortunately pfSense also has this problem.

            pfSense supports static ARP, and you can assign IP xyz to MAC aa:bb:cc etc., and if that combo is not correct then pfSense would not talk to that device, i.e. IP xyz to MAC aa:cc:bb etc., or IP abc to MAC aa:bb:cc.

            See static ARP under
            https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#other-options

            • E
              enesas @johnpoz
              last edited by Apr 27, 2022, 11:03 AM

              @johnpoz Static ARP works as you say. But sometimes you plug in a computer so it can access the internet quickly. With this method, you will have to go and add the MAC address to pfSense every time.

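The two mismatches raised in this thread (a reserved IP answered by a different MAC, and a reserved MAC showing up on a different IP) can be audited from the firewall's ARP table even where static ARP is not enabled for every host. This is an added example, not part of any post and not pfSense code; the static mappings, MAC addresses, interface name and the FreeBSD-style `arp -an` sample are constructed, and it only reports mismatches: it does not block traffic and cannot see a cloned MAC.

```python
import re

# FreeBSD-style `arp -an` line: "? (IP) at MAC on IFACE ..."
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Lower-case and zero-pad each octet so 0:BB:... equals 00:bb:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Yield (ip, mac, iface) for resolved entries; '(incomplete)' lines are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m["ip"], norm_mac(m["mac"]), m["iface"]

def audit(static_map, arp_text):
    """Compare observed IP/MAC pairs with DHCP static mappings given as {mac: ip}."""
    reserved = {norm_mac(mac): ip for mac, ip in static_map.items()}
    owner_of = {ip: mac for mac, ip in reserved.items()}
    findings = []
    for ip, mac, iface in parse_arp(arp_text):
        if ip in owner_of and owner_of[ip] != mac:
            # Someone other than the mapped host is answering for a reserved IP.
            findings.append(("reserved-ip-wrong-mac", ip, mac, iface))
        elif mac in reserved and reserved[mac] != ip:
            # A mapped host has configured an address other than its reservation.
            findings.append(("reserved-mac-wrong-ip", ip, mac, iface))
    return findings

# Constructed sample data (192.168.3.5 is the reserved address used in the thread).
STATIC_MAP = {"00:11:22:33:44:55": "192.168.3.5", "00:11:22:33:44:66": "192.168.3.6"}
SAMPLE_ARP = """\
? (192.168.3.1) at 00:08:a2:0a:0b:0c on igb1 permanent [ethernet]
? (192.168.3.5) at 0:BB:bb:bb:bb:bb on igb1 expires in 1187 seconds [ethernet]
? (192.168.3.77) at 00:11:22:33:44:66 on igb1 expires in 942 seconds [ethernet]
? (192.168.3.120) at 00:de:ad:00:00:01 on igb1 expires in 300 seconds [ethernet]
? (192.168.3.9) at (incomplete) on igb1 expired [ethernet]
"""

if __name__ == "__main__":
    for kind, ip, mac, iface in audit(STATIC_MAP, SAMPLE_ARP):
        print(f"{kind}: {ip} is at {mac} on {iface}")
```

Hosts in the dynamic pool (192.168.3.120 here) are ignored, so the audit fits a network that mixes a few reservations with automatic addressing.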
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.