Block client with wrong IP



  • Hi
    I have a pfSense box with 2 WANs & 2 LANs. I also have a separate DHCP Server on my network.
    I'd like to filter my internal nodes based on MAC Addresses so no one can access the Internet by changing the IP address.
    I know that with the enabling of Static ARP in pfSense DHCP Server settings, I can assign each IP Address to a specific MAC Address.
    But the problem is I have to enable the DHCP Server in pfSense. Now I want to enable the DHCP server in pfSense on LAN 2, and set up a rule to block all the DHCP requests from LAN 2 (or block the answers from the pfSense DHCP server on LAN 2).
    If I can do this, only the IP addresses which were assigned to a MAC address and were manually registered in pfSense can have access to the internet, and the other DHCP server on the network can assign the defined IP addresses to the specified MAC addresses according to the settings it already has.
    I have tested a couple of rules but wasn't successful. Does anybody know how and where I can set up this rule to maximize the effect?

    Thanks  :)

    P.S. I know about squid+squidguard or captive portal but I think my solution needs less maintenance and has better performance.



  • MAC addresses can be spoofed/changed too and it's quite easy to do this.

    One extra 'protection' may be static ARP entries on pfSense to fix MAC -> IP.



  • @marcelloc:

    MAC addresses can be spoofed/changed too and it's quite easy to do this.

    One extra 'protection' may be static ARP entries on pfSense to fix MAC -> IP.

    I know about ARP spoofing, but my users don't. ;-)

    Enabling "Static ARP" on the pfSense "DHCP Server" is exactly what I want, but the problem is that I should turn on the pfSense DHCP server while I have another DHCP server on my network.
    I want the pfSense DHCP server to be on so I can enable the static ARP feature, but in the meantime block any DHCP request from LAN to pfSense (or block answers).

    I believe the long description in the first post made it difficult to read ;-)
    Anyway thanks for your attention.
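
An added example, not part of the thread and not pfSense code: a check of the firewall's ARP table against the registered MAC -> IP bindings, which flags the cases static ARP is meant to stop (a client on an unregistered IP, a registered IP answering from a different MAC, one MAC seen on several IPs). The bindings, the interface name `em2` and the sample lines (written in the style of FreeBSD `arp -an` output) are constructed assumptions.

```python
import re
from collections import defaultdict

# Registered IP -> MAC bindings (constructed sample values).
REGISTERED = {
    "192.168.2.10": "00:11:22:33:44:10",
    "192.168.2.11": "00:11:22:33:44:11",
}

# Constructed sample in the style of FreeBSD `arp -an` output.
SAMPLE_ARP = """\
? (192.168.2.10) at 00:11:22:33:44:10 on em2 permanent [ethernet]
? (192.168.2.11) at 00:11:22:33:44:99 on em2 expires in 1187 seconds [ethernet]
? (192.168.2.50) at 00:11:22:33:44:10 on em2 expires in 900 seconds [ethernet]
? (192.168.2.60) at (incomplete) on em2 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifc>\S+)")

def parse_arp(text):
    """Yield (ip, mac, interface) for resolved entries; skip incomplete ones."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["ifc"]

def audit(text, registered, interface="em2"):
    """Return sorted findings as (ip, mac, reason) tuples for one interface."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac, ifc in parse_arp(text):
        if ifc != interface:
            continue
        ips_by_mac[mac].add(ip)
        expected = registered.get(ip)
        if expected is None:
            findings.append((ip, mac, "unregistered-ip"))
        elif expected.lower() != mac:
            findings.append((ip, mac, "mac-mismatch"))
    # A MAC answering for several IPs suggests a client changed its address.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.extend((ip, mac, "mac-on-multiple-ips") for ip in ips)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, REGISTERED):
        print(*finding)
```

As marcelloc's post notes, a client that copies a registered MAC together with its IP passes this check, so it catches changed IPs, not spoofed MACs.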

