MAC Binding with IP in pfsense 2.0



  • Dear Experts,

    My users are changing their IP addresses at their desktops in College. I want to bind an IP with the MAC address of the machine. With this action, users will not get any benefit from changing it.

    Kindly guide me.

    Regards,

    Vj Thakur



  • dhcp static reservations and user privileges so low, that they can't change ip-addresses manually.



  • @Metu69salemi:

    dhcp static reservations and user privileges so low, that they can't change ip-addresses manually.

    Thanks for giving candle light. I was searching for this facility for a long time. My users are students & wi-fi connected. It is not possible for me to make these settings on (Admin or Normal User Privileges). Kindly explain in detail or give any URL.



  • Okay now it's time to ask, what benefit students get when they change ip-address



  • @Metu69salemi:

    Okay now it's time to ask, what benefit students get when they change ip-address

    They are stealing some IPs which are having all access facility.

    Using pfSense 2.0 RC



  • and you have no possibilities to use vlans or something else to this access handling?



  • @Metu69salemi:

    and you have no possibilities to use vlans or something else to this access handling?

    I have read in forum that VLAN is not possible in pfsense 2.0 RC without Layer 2/3 Switch. It is true or is there any possibility. If yes then how ?

    Thanks in advance.



  • vlan does require managed switches.
    Do you have multiple interfaces on that firewall itself?



  • @turiyain:

    I have read in forum that VLAN is not possible in pfsense 2.0 RC without Layer 2/3 Switch. It is true or is there any possibility. If yes then how ?

    That's true of every product in the world, VLANs require managed switches. You can't have any good control over your network without having managed switches anyway, if people are smart enough to change their IPs, they're almost certainly smart enough to change their IPs and MACs. It's impossible to prevent that with an unmanaged switch, and that has to be controlled at the switch level. Moving such things to VLANs is an absolute requirement to properly protect against that and other mischief, everything on the broadcast domain accessible by untrusted users has to be separate.
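
Added example, not part of the original thread or of pfSense: a sketch of how an administrator could audit the firewall's ARP table against the DHCP static reservations suggested earlier in the thread, to spot addresses in use by the wrong machine. The reservation table, the addresses and the ARP lines (written in the style of FreeBSD `arp -an` output) are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data: DHCP static reservations (IP -> MAC).
RESERVATIONS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
    "192.168.1.12": "00:11:22:33:44:77",
}

# Constructed sample in the style of FreeBSD `arp -an` output.
ARP_OUTPUT = """\
? (192.168.1.10) at 00:11:22:33:44:55 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.11) at 00:aa:bb:cc:dd:01 on em1 expires in 902 seconds [ethernet]
? (192.168.1.50) at 00:11:22:33:44:77 on em1 expires in 644 seconds [ethernet]
? (192.168.1.60) at 00:aa:bb:cc:dd:02 on em1 expires in 120 seconds [ethernet]
? (192.168.1.70) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{11,17}) ")


def norm_mac(mac):
    """Lower-case and zero-pad each octet so differently written MACs compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp(text):
    """Return (ip, mac) pairs; unresolved '(incomplete)' entries do not match."""
    return [(m.group(1), norm_mac(m.group(2))) for m in ARP_LINE.finditer(text)]


def audit(arp_text, reservations):
    """Flag ARP entries that disagree with the reservation table."""
    reserved = {ip: norm_mac(mac) for ip, mac in reservations.items()}
    known_macs = set(reserved.values())
    findings = []
    for ip, mac in parse_arp(arp_text):
        if ip in reserved:
            if reserved[ip] != mac:  # a reserved address answered by another MAC
                findings.append(("reserved-ip-wrong-mac", ip, mac))
        elif mac in known_macs:      # a registered machine on an address it was not given
            findings.append(("known-mac-wrong-ip", ip, mac))
        else:                        # neither the address nor the MAC is registered
            findings.append(("unregistered", ip, mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(ARP_OUTPUT, RESERVATIONS):
        print(f"{kind:24} {ip:15} {mac}")
```

A machine that presents both the reserved IP and the matching MAC produces no finding here, which is the limitation the reply above describes: that case has to be handled at the switch, not from the firewall's ARP table.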



  • @Metu69salemi:

    vlan does require managed switches.
    Do you have multiple interfaces on that firewall itself?

    I have 1 NIC for LAN and 1 NIC for WAN only



  • Thanks for the detailed information. In a nutshell, I want to know how I can make and use VLANs in pfSense. What will be the requirement? Kindly help me.

    @cmb:

    @turiyain:

    I have read in forum that VLAN is not possible in pfsense 2.0 RC without Layer 2/3 Switch. It is true or is there any possibility. If yes then how ?

    That's true of every product in the world, VLANs require managed switches. You can't have any good control over your network without having managed switches anyway, if people are smart enough to change their IPs, they're almost certainly smart enough to change their IPs and MACs. It's impossible to prevent that with an unmanaged switch, and that has to be controlled at the switch level. Moving such things to VLANs is an absolute requirement to properly protect against that and other mischief, everything on the broadcast domain accessible by untrusted users has to be separate.



  • Vlans can be added to pfsense via interface assign, but you can't use those securely without manageable dot1q capable switch



  • @Metu69salemi:

    Vlans can be added to pfsense via interface assign, but you can't use those securely without manageable dot1q capable switch

    How can I implement this in pfsense 2.0 RC 3? I have followed these steps:

    (1) Added VLAN
    (2) Assign Interfaces
    (3) Give IP pool to VLAN Interfaces.

    From the Firewall LAN Port a cable is inserted in a 24 Port Switch. From the switch my desktop is connected. When I give an IP to a Desktop, it is pinging to its pool other system but not going to internet, and not pinging its pool's gateway. Indicate where I am wrong.



  • Have you set up vlans also in that switch?
    I didn't notice that you've done firewall rules to allow access to internet or anywhere else



  • @Metu69salemi:

    Have you set up vlans also in that switch?
    I didn't notice that you've done firewall rules to allow access to internet or anywhere else

    Sorry, I have done all setup at firewall level. But I do not know how to do it at switch level. At switch level, things are not clear for me. What type of switch is required? Can I use a simple cheap switch for this testing?

    Kindly guide in detail.

    With Regards



  • unmanaged no way, managed only if it supports IEEE802.1Q vlan tagging



  • @Metu69salemi:

    unmanaged no way, managed only if it supports IEEE802.1Q vlan tagging

    Will you suggest to me available cheap brands & models of switch having this facility?



  • I'm happy with my HP/Procurve 1700-8 (7 x 10/100 ports, 1 x 10/100/1000 port). Other cheap VLAN capable switches I know of (but no experience with) are Mikrotik RB250GS (5 x 10/100/1000 ports), TP-Link TL-SL2210WEB (8 x 10/100 ports, 1 x 10/100/1000 port, 1 SFP port).

