How to isolate DHCP clients
  • Hello - I'm trying to figure out the best way to separate DHCP clients from non-DHCP clients on a network.  I have 1 WAN and 1 LAN at this point.  What are my options?  Thanks in advance.



  • Add another interface and disable the DHCP server on it, then use firewall rules to separate them.



  • Hmm, that's what I suspected.  I was hoping there was some way to do this without adding another NIC.  I'm guessing I could do this with VLANs as I do have a managed switch, but I'm not sure I want to go down that route right now.

    Thanks!



  • Your interfaces on pfsense need to be VLAN compatible. You could also do untagged (clients are unaware of the VLAN) VLANs with the switch, depending on its capabilities: you could have half the ports for DHCP clients and the other half for static and segregate them with the switch. Then set a firewall rule to not allow one subnet (aliases) to talk to the other.



  • One more related question: If I want to move a DHCP client from one network to another (i.e. from the "isolated" network on LAN 2 to the "main" network on LAN 1, can I simply statically assign that client (using the pfsense DHCP leases section) an IP address on the "main" network?



  • Depends on your switch; if not, you just plug it into a port on the network that you want it on.



  • @rsn:

    One more related question: If I want to move a DHCP client from one network to another (i.e. from the "isolated" network on LAN 2 to the "main" network on LAN 1, can I simply statically assign that client (using the pfsense DHCP leases section) an IP address on the "main" network?  
    @XIII:

    Depends on your switch; if not, you just plug it into a port on the network that you want it on.

    My question was assuming I was not using a VLAN, rather two NICs.  Sorry for the confusion.

    I'm wondering if pfsense will allow this type of an assignment.



  • You mean if you have a total of 3 NICs: WAN, LAN and OPT1/LAN2?
    Yes, I currently do this.
    Just disable the DHCP server on the NIC you have static IPs assigned on. Do a firewall rule to separate them.



  • Yes, 3 NICs.  So pfsense will allow me to take a client that has been assigned an IP address by LAN2 and statically assign it an IP on LAN via the DHCP leases static assignment tool?



  • No. Networks must be different; you can't have 192.168.0.1 on both NICs.
    AFAIK you cannot give LAN2 an IP from LAN1 unless they are on the same network; by default you would have to disable the anti-spoof feature to do this.



  • I think there is still a bit of confusion over my question, or perhaps I don't totally understand the reply.

    Let me provide an example:

    WAN xx.xx.xx.xx
    LAN: 192.168.1.0 <- NO DHCP
    LAN2: 192.168.50.0 <- DHCP server running

    laptop1 is a DHCP client and is assigned 192.168.50.24 by the DHCP server running on LAN2.  I determine that I want to move laptop1 to the LAN network without manually entering in the new IP info on the laptop1 machine itself.  So, I would like to go into the DHCP leases portion of the pfsense UI, click the "statically assign" button, and assign it an IP address of 192.168.1.102 (which happens to be on the LAN network).  Is this possible?  If not, how can I make this workflow happen?



  • Yes it is.
    I guess I just didn't fully understand the question. Sorry about that.



  • No problem.  I should have provided the example in my first post.

    Thanks for the input!



  • If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.



  • @kpa:

    If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.

    Yeah, that is true, forgot about that. I usually assign statics via DHCP; I got confused again. Today is just not my day, at least it is Friday though.

    What you would do is enable the DHCP server with a range of the number of devices you would assign static IPs to; that way authorized devices get an IP via DHCP and unauthorized devices can't, as there is not any available.

    example:
    192.168.1.0 with a DHCP range of 192.168.1.2-.15; statically assign those 14 IPs to devices, and then when a device connects to that network it can't get an IP, as all the IPs are used up via a static mapping. Unless of course they spoof the MAC of a statically assigned device, then they will get that IP.



  • @XIII:

    @kpa:

    If there's no DHCP server running on LAN interface then there can't be any address assignments happening for hosts on LAN by pfSense, you'll have to assign IP address/gateway/dns settings manually on the client.

    Yeah, that is true, forgot about that. I usually assign statics via DHCP; I got confused again. Today is just not my day, at least it is Friday though.

    What you would do is enable the DHCP server with a range of the number of devices you would assign static IPs to; that way authorized devices get an IP via DHCP and unauthorized devices can't, as there is not any available.

    example:
    192.168.1.0 with a DHCP range of 192.168.1.2-.15; statically assign those 14 IPs to devices, and then when a device connects to that network it can't get an IP, as all the IPs are used up via a static mapping. Unless of course they spoof the MAC of a statically assigned device, then they will get that IP.

    Do you mean assign these 14 IPs as static via DHCP or manually on the client?  Even if this is what you mean, then this does not really solve my problem.  I really want all of my devices/hosts to receive IPs via DHCP.  However, I want those addresses assigned via DHCP to be isolated from devices that I have "flagged".  In other words, I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.  I also don't want my "house network" machines to be DHCP clients, as some of them are mobile devices (in other words they may connect to networks in other physical locations and I don't want to have to continually disable and enable DHCP on these clients).  You see what I mean?  There must be some way to make this happen - I just don't know how.



  • @rsn:

    I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.

    Then you need physically separate networks OR a VLAN capable switch with the two groups of devices on separate VLANS.



  • @wallabybob:

    @rsn:

    I don't want any device that is assigned an address via DHCP (such as house guests) to be able to even see any machine on my house network unless I "move them over" to the house network.

    Then you need physically separate networks OR a VLAN capable switch with the two groups of devices on separate VLANS.

    KPA has already said that I cannot "move clients over" from one network to another if the 2nd network is not running  a DHCP server.  That is the problem I am trying to overcome here.



  • rsn, please re-read wallabybob's answer.  Yes, you need a DHCP server on both networks, but to separate your 2 networks you have to make them 2 separate networks, either physically or by using VLANs.



  • Physically separate them as in put them on different switches and not connect the two switches together?  If that isn't done then won't having two DHCP servers cause problems?  If that IS done then this presents a lot of new challenges.



  • You can have more than 1 DHCP server per network; problems arise if they are not aware of each other or they are configured to give the same IP address range. Each interface is on a different address scheme and different physical network, so it will be fine. It is seen as 1 DHCP server per network. Unless you add rules that specifically allow it, each network is unaware of the other. Just physically separate the networks as you mentioned and enable the DHCP server on each one, and for the one you want static do the static mappings I mentioned previously.



  • @XIII:

    You can have more than 1 DHCP server per network; problems arise if they are not aware of each other or they are configured to give the same IP address range. Each interface is on a different address scheme and different physical network, so it will be fine. It is seen as 1 DHCP server per network. Unless you add rules that specifically allow it, each network is unaware of the other. Just physically separate the networks as you mentioned and enable the DHCP server on each one, and for the one you want static do the static mappings I mentioned previously.

    Just want to be clear: do I actually need to separate the networks by putting them on different switches that are not connected to each other?



  • I'll elaborate on some of the previous replies.

    You have a number of computers you want to be able to access the internet through a pfSense box. The computers fall into two categories: a "trusted" group and an "untrusted" group. For the sake of illustration we'll say you want to deny access to the trusted group from the untrusted group and deny access to the untrusted group from the trusted group.

    Configure all computers to get their IP address, default gateway and DNS by DHCP.

    Connect all the "trusted" computers to the LAN port of a pfSense box through a switch. On pfSense configure the LAN interface with an IP address in the private IP address range (e.g. 192.168.11.0/24). Enable DHCP on the LAN interface, giving DHCP a subset of the addresses in the LAN network (192.168.11.0/24).

    On pfSense configure OPT1 with a private IP address (say 192.168.21.1/24). Enable DHCP on OPT1 giving DHCP a subset of the addresses in the OPT1 network (192.168.21.0/24).

    To deny access from LAN to OPT1 add a firewall rule to the LAN interface to block access to the OPT1 network (destination address in 192.168.21.0/24) but specify OPT1 network rather than IP address and network mask so if you change OPT1's IP address or netmask the rule will automatically adapt (restart might be required).

    To deny access from OPT1 to LAN add a firewall rule to the OPT1 interface to block access to the LAN network.

    By default LAN will have firewall rules to allow access to the internet but OPT1 won't so you will need to add firewall rules to OPT1 to allow internet access. If you take all your private IP address from the 192.168.0.0/16 bank you could use a firewall rule to allow access to destination IP address NOT 192.168.0.0/16.

    Connect a switch to LAN and a switch to OPT1, connect "trusted" computers to switch connected to LAN and "untrusted" computers  to switch connected to OPT1 and you should be all ready to go.

    @rsn:

    Just want to be clear: do I actually need to separate the networks by putting them on different switches that are not connected to each other?

    Despite a number of respondents advising you that you need to separate the networks you seem to want to connect the switches together. Maybe we are missing something about your requirements or you don't understand something about the way things work. Here's why you shouldn't connect the switches together if you want to keep the networks invisible to each other: Some network services involve the use of broadcast packets. Switches have to forward broadcast packets to all ports. If you connect the two switches together then all computers will see all broadcast packets hence a computer can discover at least the MAC address of computers on the other switch.

    As suggested in a number of earlier replies, if you have a VLAN capable switch and at least one VLAN capable NIC on your pfSense box then you can have one physical switch (instead of two) provided the switch is appropriately configured.

    You mentioned a requirement to be able to move computers between the groups. If you have two physical switches you move a computer from one group to another by changing the switch it is connected to. (Maybe it would be useful to have a patch panel.) On a VLAN capable switch you can move computers between groups by changing the VLAN the corresponding port belongs to.
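    The two-interface policy described in the post above, as an added example that is not part of the original thread: a small first-match rule evaluator (pfSense GUI rules are "quick", so the first matching rule on the ingress interface decides, and no match falls through to the default deny). It assumes the constructed subnets 192.168.11.0/24 for LAN and 192.168.21.0/24 for OPT1, and it also shows why the post recommends the "OPT1 net" alias rather than a literal subnet: after OPT1 is renumbered, the alias-based block still holds while a hard-coded one silently stops matching.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed interface addressing, using the subnets from the post above.
# In pfSense these are what the "LAN net" / "OPT1 net" aliases resolve to.
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "LAN":  ipaddress.ip_network("192.168.11.0/24"),
    "OPT1": ipaddress.ip_network("192.168.21.0/24"),
}

# A rule is (interface it is attached to, action, destination spec).
# Destination spec: "any", an "<IFACE> net" alias, or a literal network,
# optionally prefixed with "!" for "NOT", as in the NOT 192.168.0.0/16 rule.
Rule = Tuple[str, str, str]

RULES: List[Rule] = [
    ("LAN",  "block", "OPT1 net"),           # trusted -> untrusted: denied
    ("LAN",  "pass",  "any"),                # pfSense's default "LAN to any"
    ("OPT1", "block", "LAN net"),            # untrusted -> trusted: denied
    ("OPT1", "pass",  "!192.168.0.0/16"),    # untrusted -> internet only
]

# Same policy with OPT1's subnet typed in by hand instead of via the alias.
RULES_HARDCODED: List[Rule] = [
    ("LAN",  "block", "192.168.21.0/24"),
    ("LAN",  "pass",  "any"),
    ("OPT1", "block", "LAN net"),
    ("OPT1", "pass",  "!192.168.0.0/16"),
]

# What the interface table looks like after OPT1 is renumbered (constructed).
RENUMBERED: Dict[str, ipaddress.IPv4Network] = {
    "LAN":  ipaddress.ip_network("192.168.11.0/24"),
    "OPT1": ipaddress.ip_network("192.168.31.0/24"),
}


def dst_matches(spec: str, dst: ipaddress.IPv4Address,
                interfaces: Dict[str, ipaddress.IPv4Network]) -> bool:
    """Return True if the destination address matches the rule's spec."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.endswith(" net"):
        net = interfaces[spec[:-len(" net")]]   # "OPT1 net" -> interfaces["OPT1"]
    else:
        net = ipaddress.ip_network(spec)
    return (dst in net) != negate


def decide(iface: str, dst: str, rules: List[Rule] = RULES,
           interfaces: Dict[str, ipaddress.IPv4Network] = INTERFACES) -> str:
    """First matching rule on the ingress interface wins; otherwise default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule_iface, action, spec in rules:
        if rule_iface == iface and dst_matches(spec, dst_ip, interfaces):
            return action
    return "block"


if __name__ == "__main__":
    for iface, dst in [("LAN", "192.168.21.7"), ("OPT1", "192.168.11.3"),
                       ("OPT1", "93.184.216.34"), ("OPT1", "192.168.99.9")]:
        print(f"{iface} -> {dst}: {decide(iface, dst)}")
    print("after renumbering, alias rule:", decide("LAN", "192.168.31.5", interfaces=RENUMBERED))
    print("after renumbering, literal rule:", decide("LAN", "192.168.31.5", RULES_HARDCODED, RENUMBERED))
```

    Note that the last OPT1 rule also denies traffic to pfSense's own OPT1 address (192.168.21.1 here), so if OPT1 hosts get DNS from pfSense itself, a pass rule for that must be placed ahead of it.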



  • @wallabybob:

    I'll elaborate on some of the previous replies.

    You have a number of computers you want to be able to access the internet through a pfSense box. The computers fall into two categories: a "trusted" group and an "untrusted" group. For the sake of illustration we'll say you want to deny access to the trusted group from the untrusted group and deny access to the untrusted group from the trusted group.

    Configure all computers to get their IP address, default gateway and DNS by DHCP.

    Connect all the "trusted" computers to the LAN port of a pfSense box through a switch. On pfSense configure the LAN interface with an IP address in the private IP address range (e.g. 192.168.11.0/24). Enable DHCP on the LAN interface, giving DHCP a subset of the addresses in the LAN network (192.168.11.0/24).

    On pfSense configure OPT1 with a private IP address (say 192.168.21.1/24). Enable DHCP on OPT1 giving DHCP a subset of the addresses in the OPT1 network (192.168.21.0/24).

    To deny access from LAN to OPT1 add a firewall rule to the LAN interface to block access to the OPT1 network (destination address in 192.168.21.0/24) but specify OPT1 network rather than IP address and network mask so if you change OPT1's IP address or netmask the rule will automatically adapt (restart might be required).

    To deny access from OPT1 to LAN add a firewall rule to the OPT1 interface to block access to the LAN network.

    By default LAN will have firewall rules to allow access to the internet but OPT1 won't so you will need to add firewall rules to OPT1 to allow internet access. If you take all your private IP address from the 192.168.0.0/16 bank you could use a firewall rule to allow access to destination IP address NOT 192.168.0.0/16.

    Connect a switch to LAN and a switch to OPT1, connect "trusted" computers to switch connected to LAN and "untrusted" computers  to switch connected to OPT1 and you should be all ready to go.

    @rsn:

    Just want to be clear: do I actually need to separate the networks by putting them on different switches that are not connected to each other?

    Despite a number of respondents advising you that you need to separate the networks you seem to want to connect the switches together. Maybe we are missing something about your requirements or you don't understand something about the way things work. Here's why you shouldn't connect the switches together if you want to keep the networks invisible to each other: Some network services involve the use of broadcast packets. Switches have to forward broadcast packets to all ports. If you connect the two switches together then all computers will see all broadcast packets hence a computer can discover at least the MAC address of computers on the other switch.

    As suggested in a number of earlier replies, if you have a VLAN capable switch and at least one VLAN capable NIC on your pfSense box then you can have one physical switch (instead of two) provided the switch is appropriately configured.

    You mentioned a requirement to be able to move computers between the groups. If you have two physical switches you move a computer from one group to another by changing the switch it is connected to. (Maybe it would be useful to have a patch panel.) On a VLAN capable switch you can move computers between groups by changing the VLAN the corresponding port belongs to.

    Thanks for this info.  Requiring that each network run on a separate, isolated switch (or separate VLANs on the same switch) is not ideal and is a bit confining.  I do have a patch panel, but there is not necessarily a 1:1 ratio between patch panel ports and devices.  So, this will work fine if there is a 1:1 ratio or if all devices represented by a particular patch panel port are in one group or the other ("untrusted" or "trusted").  This is not necessarily the case though.  I was really hoping that there was another way to do this without having to be conscious of what port a particular device is plugged in to.

    I'd also like to mention that I am aware of the broadcast packets you speak of: ARP packets.  I guess I'm hoping there is some way to restrict these packets to one network or another without physically separating them.



  • @rsn:

    Requiring that each network run on a separate, isolated switch (or separate VLANs on the same switch) is not ideal and is a bit confining.

    There are some things in life that you have to be prepared to endure the pain if you are serious about getting them. In your case, if you are not prepared to "pay the pain" of separated isolated switches then you will have to put up with your networks seeing each other.

    @rsn:

    I do have a patch panel, but there is not necessarily a 1:1 ratio between patch panel ports and devices.  So, this will work fine is there is a 1:1 ratio or if all devices represented by a particular patch panel port are in one group or the other ("untrusted" or "trusted").

    Please explain. You have switches downstream of the patch panel and some ports on a particular switch are connected to a computer in the "trusted" group and other ports on the same switch are connected to computers in the "untrusted" group?

    @rsn:

    I'd also like to mention that I am aware of the broadcast packets you speak of: ARP packets.  I guess I'm hoping there is some way to restrict these packets to one network or another without physically separating them.

    It's not just ARP; DHCP is another protocol using broadcast packets. I suspect there are other protocols in common use requiring either broadcast or multicast packets.



  • @rsn:

    I guess I'm hoping there is some way to restrict these packets to one network or another without physically separating them.

    There are only 2 ways - physical separation and VLANs (as has been said already).

    As wallabybob said, you've really got 2 choices here.  The first is to have a flat network and accept that your trusted and untrusted systems can see each other, or have 2 separate networks and the administration overhead that comes with it.  VLAN capable switches that can be centrally managed may be more expensive, but will be easier to manage by far.



  • I don't know the scale of the problem: for example is this for a "large" research lab that just got an "intelligence" contract and now has to "do something" about security or is it to protect the computers of the rest of the family from grandma's laptop (which has proved to be something of a virus magnet) when she comes to visit and plugs it into any RJ45 socket in the house that seems good at the time.

    The details of the requirements seem to be gradually unfolding. Let's see if I can flush out a few more.

    Here's a couple of other ideas to consider:

    1. Disconnect the cables (apart from cables to sockets you can physically secure or are always "insecure") and require the mixed cases to use encrypted wireless with multiple wireless networks (at least "trusted" and "untrusted").

    2. Use VPNs (Virtual Private Networks) on the cable. The VPN encryption isolates the "networks".

    If either of these ideas could be useful (and I can think of a number of reasons why they might be "less than ideal") then I think you would probably need to provide further information along the lines of the number of computers involved, frequency at which computers change from "trusted" to "non trusted" (and vice versa), distances between computers, intervening materials, bandwidth involved, communication patterns, budget etc., because neither of these ideas would scale as well as the other "less than ideal" proposals on the table.

    Some more questions: what makes a computer "trusted" or "untrusted"? Location ("untrusted" in an insecure area because someone passing by could see "sensitive" information on the screen)? the computer's function ("we don't trust the computers controlling the dishwashers because the software comes from North Korea")? the computer's user ("Grandma has an uncanny knack of downloading the most active and vicious viruses")?  something else? And what causes a computer to change from "trusted" to "untrusted" or "untrusted" to "trusted"?

    I've been a bit light hearted here partly because I confess a growing suspicion that making minimal changes is a higher priority than implementing any genuine network isolation and if that is the case I'm probably not very effectively using my time if I make any further contributions to this topic. My apologies if that suspicion is unjust.
