Netgate Discussion Forum
    Isolating / hiding IP addresses on LAN

    Category: Firewalling
    10 Posts 7 Posters 6.6k Views
    rizwan602:

      Hello,

      We are using PFSENSE 2.0 RELEASE version.

      We are supplying internet access to offices in our building using PFSENSE. It's a NAT'ed network, with one public WAN IP address and a 192.168.10.0/24 network on the LAN side.

      We want to prevent IP addresses from being visible to each other on the network. The problem is that sometimes someone in an office will hook up their equipment incorrectly and thus introduce a ROGUE DHCP SERVER (by accident) onto the network. One time we had someone hook up a cable modem to the LAN by plugging the LAN feed we give them into the cable modem, thinking that is what they needed to make it work (despite being given instructions on using a switch or plugging the network feed into the internet/WAN port of their router). As a result, the DHCP server of the cable modem was giving out IP addresses, so any new connections to the network would get IP addresses in 192.168.10.0/24 as assigned by the DHCP server in the cable modem.

      We have several switches in place; so I would like to know what is the proper way to do this. I am guessing that the solution has something to do with VLANs. Any help would be appreciated!

      This may not be a PFSENSE issue but if it is I'd like to know how.

      Thank you,

      Rizwan

      johnpoz (LAYER 8 Global Moderator):

        "The problem is sometimes that someone in an office will hook up their equipment incorrectly and thus introducing a ROGUE DHCP SERVER"

        VLANs are not going to stop rogue DHCP servers; there is one fool-proof solution to "sometimes that someone in an office will hook up their equipment incorrectly":

        Don't hire IDIOTS ;)

        I am at a complete loss as to why people would be bringing in routers to the office?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

        Metu69salemi:

          Some switches have the option of DHCP snooping. Just tell those switches the trusted DHCP servers.

          rizwan602:

            @johnpoz:

            I am at a complete loss as to why people would be bringing in routers to the office?

            The reason is that they are provided a CAT5E RJ45 jack in their office. They can then connect it to a switch or a router if they prefer to firewall off their network.

            johnpoz (LAYER 8 Global Moderator):

              "They can then connect it to a switch or a router if they prefer to firewall off their network."

              Firewall off "their" network??? What kind of company is this?? And sorry, a switch does not firewall off anything ;)

              Metu69salemi:

                @johnpoz:

                And sorry, a switch does not firewall off anything ;)

                I'm well aware of that, but managed switches may have a function which blocks rogue DHCP servers. You just determine the valid DHCP servers. ProCurve & Catalyst can handle DHCP snooping.

                clarknova:
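Added example (not code from this thread or from pfSense): a small Python checker that does on the wire what DHCP snooping does in a managed switch, classifying DHCP OFFER messages by their server identifier (option 54) against a list of trusted servers. It assumes pfSense at 192.168.10.1 is the only authorized DHCP server on the 192.168.10.0/24 LAN, and it constructs its sample packets inline; in practice the payloads would come from a capture of UDP port 68 traffic.

```python
import ipaddress
import struct

TRUSTED_SERVERS = {"192.168.10.1"}   # assumption: pfSense LAN address, the only authorized server
DHCP_OFFER = 2
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that ends the BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header and the TLV option list of a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))      # address being handed out
    chaddr = payload[28:28 + hlen].hex(":")                   # client MAC
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad octet
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}

def classify_offer(payload: bytes):
    """Return (server_id, offered_ip, verdict) for a DHCP OFFER; None for any other message type."""
    msg = parse_dhcp(payload)
    if msg["options"].get(53, b"\x00")[0] != DHCP_OFFER:
        return None
    server = str(ipaddress.IPv4Address(msg["options"][54]))
    verdict = "trusted" if server in TRUSTED_SERVERS else "ROGUE"
    return server, msg["yiaddr"], verdict

def build_message(mtype: int, server_ip: str, yiaddr: str) -> bytes:
    """Construct a minimal DHCP reply (sample data for this demo, not a real capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                          # BOOTREPLY, Ethernet, 6-byte hwaddr
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    hdr[28:34] = bytes.fromhex("001122334455")                # constructed client MAC
    opts = bytes([53, 1, mtype, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return bytes(hdr) + MAGIC + opts

if __name__ == "__main__":
    # Offer from pfSense, then an offer from a misplugged cable modem's DHCP server (constructed).
    for pkt in (build_message(DHCP_OFFER, "192.168.10.1", "192.168.10.50"),
                build_message(DHCP_OFFER, "192.168.10.254", "192.168.10.77")):
        print(classify_offer(pkt))
```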

                  Organizations large enough to have this problem (a small office doesn't count because the culprit can be found quickly enough) generally have policy against plugging network devices (routers, switches, APs) into the company network, and you have discovered one reason why that is.

                  So with such a policy in place, if you have the need to segregate a user or users from the main network then you would move them to their own vlan, which would prevent this user's devices from communicating with devices on the other vlans, except as permitted by the router or firewall.

                  db

                  root2020:

                    Question... because it looks like the people replying in the forum may not understand the situation, or maybe I don't.

                    "We are supplying internet access to offices in our building using PFSENSE."
                    Ok, when you say offices I think people are thinking that your company employees are located in multiple offices in the building.
                    The way I read this is that you are supplying multiple companies in your building with internet access. This would be why they are setting up routers for their offices. ;D

                    Sell them all a router that you would manage.
                    Could you setup a PPPoE Server on pfsense to authenticate the routers? Would this work? I am new to this so don't be harsh.

                    dreamslacker:

                      @rizwan602:

                      Hello,

                      We are using PFSENSE 2.0 RELEASE version.

                      We are supplying internet access to offices in our building using PFSENSE. It's a NAT'ed network, with one public WAN IP address and a 192.168.10.0/24 network on the LAN side.

                      We want to prevent IP addresses from being visible to each other on the network.

                      We have several switches in place; so I would like to know what is the proper way to do this. I am guessing that the solution has something to do with VLANs. Any help would be appreciated!

                      This may not be a PFSENSE issue but if it is I'd like to know how.

                      Thank you,

                      Rizwan

                      The fact that you want to prevent them from seeing each other means isolating each client office from another.

                      You'll need VLANs first of all.
                      Each VLAN should serve only 1 premise (office) and have its own subnet.
                      You'll need to trunk the VLANs to your pfSense and you'll have multiple VLAN interfaces, each a LAN subnet of its own serving a specific office.

                      This will allow you to quickly block problematic offices or unused offices simply by bringing down the VLAN interface or blocking the associated subnet via firewall rules. Also, since each office has its own subnet, a broadcast storm on one subnet isn't going to affect the other offices.

                      joako:

                        It seems to me you are in a multi-tenant situation?

                        In this case I would put each tenant in their own VLAN with their own network. This is "best practice" for many other reasons.

                        Then I would set out a clear policy and establish an hourly rate for network services which includes fixing any mistakes or other issues beyond your control.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.