Netgate Discussion Forum

pfSense as initial network filter

General pfSense Questions
17 Posts 6 Posters 2.3k Views

    flat4 @johnpoz
    last edited by May 20, 2022, 5:03 PM

    @johnpoz I run cisco 3750 and unifi aps

      jarweb @johnpoz
      last edited by May 20, 2022, 5:37 PM

      @johnpoz Just a quick follow up to confirm.

      So even if we have 2 network interfaces, on different subnets, it's not really possible to use pfSense to filter by MAC address (or any other way) for browsing network resources?
      You mentioned there is no control to keep a device off a local network. In theory, even though both subnets are on private IP ranges, the WAN interface would be "sort of" remote, with the LAN interface being the local network interface.

      Thanks

        akuma1x @jarweb
        May 20, 2022, 5:41 PM (last edited by akuma1x May 20, 2022, 5:41 PM)

        @jarweb pfsense doesn't filter anything by MAC addresses. But you can, however, assign static IP reservations by using the MAC addresses of the hosts on your network(s). Then you can have pfsense do all the filtering that you need, be it on a single network, or multiple networks - physical or virtual.

          jarweb @akuma1x
          last edited by May 20, 2022, 5:47 PM

          @akuma1x So have I completely misunderstood the MAC access control option in Captive Portal? I thought that this is what it did. You add MAC addresses in here to either block or allow access to the network. It might have been cumbersome to do but I was hoping it would work in the short term.

            akuma1x @jarweb
            May 20, 2022, 5:55 PM (last edited by akuma1x May 20, 2022, 5:58 PM)

            @jarweb Yes, of course, this is where MAC addresses are used to control access to the captive portal stuff. If you have set up the MAC address table, and set an address to specifically pass, it won't get the authentication screen. You can also do this by IP addresses.

            https://docs.netgate.com/pfsense/en/latest/captiveportal/mac-address-control.html

            You probably used the wrong term by saying "filtering" in your post, sorry my bad.

              jarweb @akuma1x
              last edited by May 20, 2022, 6:03 PM

              @akuma1x Sorry, yes, possibly the wrong terminology. But I may still be misunderstanding how it works, so it would be good to clarify. Should we be able to allow or block specific devices from accessing network resources by adding or removing the MAC address from the list in the Captive Portal? Should this work for SMB access (e.g. using Windows Explorer) as well as web browsers?

              In my initial post I mentioned that it seemed to work when I accessed web sites (I got the pfSense logon/confirmation page), but I could still browse to PCs on my home network with no apparent restrictions.

              Again, I can do more testing, but if it definitely isn't going to work this way then at least I know.

              Thanks

                johnpoz LAYER 8 Global Moderator @jarweb
                May 20, 2022, 6:11 PM (last edited by johnpoz May 20, 2022, 6:28 PM)

                @jarweb said in pfSense as initial network filter:

                So even if we have 2 network interfaces, on different subnets,

                Those are not the same network... You can for sure control lan from getting to wan networks..

                But you clearly stated..

                I can still browse to other pcs even

                This is not something pfsense can do

                if you have network 192.168.1/24 for example.. You can control access to say 192.168.2/24 but pfsense can not stop 192.168.1.x from talking to 192.168.1.y

                This question seems to come like every other day or something.. Pfsense is router, it routes between networks, and yeah it can firewall between network A and network B, or network A and all other networks.. But what it can not do is filter devices on network A from talking to devices on network A..

                Have gone over this countless times.. I even went down to the mac level on why this is in a recent thread.

                https://forum.netgate.com/post/1041343

                If you want to control 192.168.1.x from talking to 192.168.1.y this can be done with what is called private vlans, at the switch level, or AP isolation or Client isolation on AP - this is control at layer 2. If you want to prevent a device from joining network A, and talking to other devices on network A.. Unless it meets specific criteria or auth or some compliance thing like its running a virus scanner or has updated virus list, etc. This is done via NAC..

                Now pfsense can control say who it hands out dhcp to, via mac control. You could even prob setup some sort of auth via freerad running on pfsense with your switch for 802.1x control on your infrastructure. Or even maybe put a device on specific vlan - but your switches would need to support being able to do this via radius, etc.

                From what you have described, especially with mention of virus scanner running, etc. This would be NAC..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

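The point johnpoz makes above (a packet between two hosts on the same subnet never reaches the router, so no pfSense rule can touch it, while traffic to another subnet does traverse pfSense and is subject to its rules) can be shown with a small model. This is an added illustration written for this thread, not code from pfSense or from any poster; the topology (LAN 192.168.1.0/24 with pfSense as gateway, 192.168.2.0/24 behind it) and the simplified first-match rule format are constructed assumptions.

```python
import ipaddress

# Constructed topology matching the thread's example: hosts on LAN 192.168.1.0/24
# behind a pfSense gateway; 192.168.2.0/24 is reachable only through pfSense.
LAN = ipaddress.ip_network("192.168.1.0/24")

def forwarding_path(src, dst, connected_net):
    """Where the sending host puts the packet: 'switch' when dst is on its own
    subnet (pure layer 2, the router is never involved), 'router' otherwise."""
    if ipaddress.ip_address(src) not in connected_net:
        raise ValueError("src must be on the connected subnet")
    return "switch" if ipaddress.ip_address(dst) in connected_net else "router"

def rule_matches(rule, src, dst):
    """Simplified pfSense-style rule: src/dst are networks or 'any'.
    Ports and protocols are left out (assumption, to keep the model small)."""
    def hit(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return hit(rule["src"], src) and hit(rule["dst"], dst)

def firewall_verdict(rules, src, dst):
    """First matching rule wins, like pfSense interface rules; default deny."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["action"]
    return "block"

def deliver(src, dst, connected_net, lan_rules):
    """Outcome for a packet from src to dst. The LAN rule set is consulted only
    when the packet is actually forwarded by the router."""
    if forwarding_path(src, dst, connected_net) == "switch":
        return "delivered"   # pfSense never sees it; only the switch/AP could filter this
    return firewall_verdict(lan_rules, src, dst)

# Constructed LAN rules. The first rule is the tempting but ineffective one:
# 'block LAN net -> LAN net' can never match, because no such packet arrives.
LAN_RULES = [
    {"action": "block", "src": "192.168.1.0/24", "dst": "192.168.1.0/24"},
    {"action": "block", "src": "192.168.1.0/24", "dst": "192.168.2.0/24"},
    {"action": "pass",  "src": "192.168.1.0/24", "dst": "any"},
]

if __name__ == "__main__":
    for dst in ("192.168.1.20", "192.168.2.20", "203.0.113.5"):
        print("192.168.1.10 ->", dst, ":", deliver("192.168.1.10", dst, LAN, LAN_RULES))
```

Running it shows the same-subnet packet is delivered regardless of the block rule, the packet to 192.168.2.0/24 is blocked by pfSense, and the packet to the outside address passes.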
                  jarweb @johnpoz
                  May 20, 2022, 6:28 PM (last edited by jarweb May 20, 2022, 6:29 PM)

                  @johnpoz Hi, really sorry - I've not been clear.

                  I have set up a PC with 2 network interfaces on my home network for testing purposes, with pfSense installed.

                  The WAN interface is connected to my home network - on a 192.168.x.y address range

                  The LAN interface I have connected to a separate small switch and it is set on a 10.0.x.y range. The switch is NOT connected to my home network.

                  This is similar to what we would need in our office. The WAN interface would be connected to the main network and the LAN we would need to isolate and connect devices to this.

                  So in this scenario can we use the Captive Portal MAC control to allow/deny network access to devices? If yes, how do we set the default to deny unless a MAC address is specifically in the list? Or is it already set to deny by default?

                  Thanks again and sorry for the confusion I've caused.

                    johnpoz LAYER 8 Global Moderator @jarweb
                    May 20, 2022, 6:30 PM (last edited by johnpoz May 20, 2022, 6:32 PM)

                    @jarweb yes that would be possible for sure

                    lan -- pfsense -- other networks.

                    Pfsense can for sure control lan devices from talking to other devices. But it can not prevent lan device A from talking to lan device B. And could control via mac address devices from getting an IP from dhcp server running on pfsense.

                    I suggest you read over

                    https://docs.netgate.com/pfsense/en/latest/captiveportal/index.html

                    dhcp mac address control

                    https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#mac-address-control

                      jarweb @johnpoz
                      last edited by May 20, 2022, 9:04 PM

                      @johnpoz Thank you

                      If I know it should work then I can do some more testing at home to make sure I know how to set the config and then hopefully replicate this in the office.

                      As I said this is just a stop-gap short term solution until we can get a proper review of the network.

                      Thanks

                        stephenw10 Netgate Administrator
                        last edited by May 21, 2022, 5:54 PM

                        Yeah, pfSense cannot filter traffic between two devices on the same subnet because that traffic never goes through pfSense. It only passes the switch which is why you must filter it there if you need that.

                        Steve

                          NollipfSense @johnpoz
                          last edited by May 24, 2022, 2:17 PM

                          @johnpoz said in pfSense as initial network filter:

                          https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html

                          Thank you John for sharing.

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.