Block network Access with correct Static IP
-
Hi, I am new to pfSense and using 2.6.0. I am wondering if there is a way that if a user puts in a correct static IP on my network, he or she should still not get access to the network. Sounds confusing, but what I need to achieve is this: if a user or device is not among my devices, and someone by any chance knows the correct IP configuration and enters it, I need him not to access my network. If I don't go by this, it means I have to use something else like MACs to allow such a user access, so it would be nice to block all unknown devices on my network.
-
Hey,
I might be completely wrong about this, but couldn't you just configure your DHCP, i.e. go to Services > DHCP Server > choose your interface... there you put in the MAC of the known clients with the wanted IPs... then choose Deny unknown clients and the boxes below....
Shouldn't that prevent unknown clients from a) getting an IP and b) therefore getting access to LAN and Internet?? Of course, if someone REALLY wants to cause trouble and tries MAC spoofing...
Other solution: prevent people from accessing your switches / wall ports...
:) -
@the-other
Thanks! Does it apply where there is a failover? -
@norvik-it
Hey,
Not quite sure what you mean by
@norvik-it said in Block network Access with correct Static IP:
thanks! does it apply where there is a fail-over?
??
:) -
@norvik-it
While you can add static mappings in the DHCP server settings, that only prevents a user from getting an IP from DHCP, not from assigning a static IP to himself and getting access to the network. If you want to control access by MAC addresses you can do this with Services > Captive Portal on pfSense.
-
@viragomann
Thanks! My intention is: even if a user knows the right IP configs and puts in the correct IP, he or she should not just get access to my network. I was trying to avoid using a captive portal -
@norvik-it
NOTE: I am not just talking about denying access to the "internet", because someone can have no access to the internet but still have access to the LAN and reach resources on the network like file shares, printers etc. I don't want someone to access any network related resource even if they put in the correct configs. If it was the internet alone I would go with a captive portal. -
@norvik-it said in Block network Access with correct Static IP:
even if a user knows the right IP configs and puts the correct IP he or she should not just get access to my network
pfSense can not do that.. pfSense has nothing to do with devices talking to other devices on the same network.
If you want to stop someone from plugging into a switch, setting an IP on their device and talking to that network, that is done on the switch. Now you could leverage the freeradius package on pfSense to auth via 802.1x, but your switch needs to support it, etc.
-
You can use static ARP entries so even if someone enters a valid IP it will not work unless they also have the correct MAC. But I would not recommend doing that. It will almost certainly cause you far more trouble than it's worth!
-
@stephenw10 how would that work exactly? You would have to set up static ARPs for every IP that was possible.
And then when you wanted a new device with an IP, you would have to remove / edit that static ARP.. That would be a real PITA to manage..
Are you saying that if I just set, say, 10 static ARPs, no other devices could talk to device B - that wouldn't work. You might keep this device from talking to pfSense. But it could still talk to other devices on the network.
The only way I could see such a thing working would be to assign a pfSense VIP for every IP in the range that you were not actually using. So if a device came on and set an IP it would be a duplicate of a pfSense IP, etc..
I don't see how that would be a viable solution at all..
He is asking how to keep a device from talking to the network, not keeping it from talking to pfSense or the internet, etc.
even if a user knows the right IP configs and puts the correct IP he or she should not just get access to my network
edit: Good practice to make sure every switch port not in use is disabled. Also if you're worried about someone unplugging a device from the switch and plugging in.. You could look to port security on the switch; this locks the port to a MAC, so some other MAC can not use that port. Also users shouldn't really have access to switch ports anyway. They should be in a locked closet/room. While sure, port security can help against someone unplugging a printer and using that port, they could always change their MAC to match what the printer's MAC was, etc.
802.1x is the way to make sure a device auths before the switch lets it on the network. Devices that need network access and don't support 802.1x should be on an isolated VLAN. So even if, say, someone unplugged a printer and changed their MAC to the printer's - all they could get access to is other printers on that printer VLAN.
pfSense is a router/firewall; it can allow or block access between networks/VLANs that it routes and firewalls. But it is not the end all get all for complete network security. Keeping devices off a specific L2 network is going to be done at the switch level with NAC or PNAC (port network access control).
-
@johnpoz said in Block network Access with correct Static IP:
@stephenw10 how would that work exactly? You would have to setup static arps for every IP that was possible.
And then when you wanted a new device with IP, you would have to remove / edit that static arp.. That would be a real PITA to manage..
Yup.
far more trouble than it's worth!
And, yes, it only does anything for traffic going through pfSense obviously.
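The static ARP and known-MAC discussion above describes exactly the condition worth watching for even when you can't block it at pfSense: an inventoried IP showing up behind a MAC that is not yours. As an added example (not code from this thread, from pfSense, or from any poster), here is a small Python audit that compares a pfSense `arp -an` snapshot against a MAC-to-IP inventory and reports unknown MACs, inventoried IPs claimed by unknown MACs, and known devices that moved IP; the ARP line format is assumed from stock FreeBSD output and the sample table and inventory are constructed.

```python
"""Audit a pfSense `arp -an` snapshot against an inventory of known devices.
Added example, not code from the thread or from pfSense. Detection only: as
the thread says, keeping a device off the L2 segment is the switch's job."""
import re

# Assumed FreeBSD `arp -an` line shape as printed on pfSense:
# "? (192.168.1.10) at 00:11:22:33:44:55 on em1 expires in 1190 seconds [ethernet]"
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17}|\(incomplete\))"
    r"\s+on\s+(?P<iface>\S+)", re.IGNORECASE)

def parse_arp(output):
    """Return (ip, mac, iface) tuples; entries with no resolved MAC are skipped."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m and m["mac"].lower() != "(incomplete)":
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries

def audit(entries, inventory):
    """inventory maps known MAC -> expected IP. Returns one finding per anomaly."""
    ip_owner = {ip: mac for mac, ip in inventory.items()}  # reverse lookup
    findings = []
    for ip, mac, iface in entries:
        if mac not in inventory:
            if ip in ip_owner:  # the OP's case: a valid IP typed into an unknown device
                findings.append(f"IP {ip} on {iface} claimed by unknown MAC {mac} "
                                f"(inventory says {ip_owner[ip]})")
            else:
                findings.append(f"unknown device {mac} at {ip} on {iface}")
        elif inventory[mac] != ip:
            findings.append(f"known device {mac} moved from {inventory[mac]} to {ip}")
    return findings

# Constructed sample data, not a real capture.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:08:a2:0a:0b:0c on em1 permanent [ethernet]
? (192.168.1.10) at 00:11:22:33:44:55 on em1 expires in 1190 seconds [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:ff on em1 expires in 900 seconds [ethernet]
? (192.168.1.30) at de:ad:be:ef:00:01 on em1 expires in 600 seconds [ethernet]
? (192.168.1.40) at (incomplete) on em1 expired [ethernet]
? (192.168.1.50) at 02:00:00:00:00:01 on em1 expires in 300 seconds [ethernet]
"""
KNOWN_DEVICES = {
    "00:08:a2:0a:0b:0c": "192.168.1.1",   # pfSense LAN interface
    "00:11:22:33:44:55": "192.168.1.10",  # workstation
    "aa:bb:cc:dd:ee:ff": "192.168.1.21",  # printer, expected at .21
    "12:34:56:78:9a:bc": "192.168.1.30",  # file server
}
```

Run `audit(parse_arp(SAMPLE_ARP), KNOWN_DEVICES)` to get the three findings for the sample; on a real box feed it the output of `arp -an` and your own inventory, and alert on any "claimed by unknown MAC" line.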