Restrict IP to MAC Addresses



  • Hello All,

    I have already restricted unknown clients from getting IPs from pfSense. But there is one issue which I face. For example, I have fixed the IP for MAC address aa:bb:cc:dd:00:11 to 1.1.1.1. Now the user can fix his own IP using any other IP available from the pool. As his MAC is already in the permitted list, the user connects without any issue.

    I need a way, if possible, to restrict IP to MAC. There shouldn't be an option to change the IP from client side. I hope my question is clear.

    regards



  • @asifrajan:

    I need a way, if possible, to restrict IP to MAC. There shouldn't be an option to change the IP from client side. I hope my question is clear.

    Take a look at the ipguard package.


  • Rebel Alliance Global Moderator

    "There shouldn't be an option to change the IP from client side."

    I agree, the client should not have the rights on the machine to change its IP. This is a client concern, not a router/firewall thing.

    Lock down your client so that they cannot change the IP. What is the client OS?

    If you're looking to prevent them from getting out if they do change it, then the ipguard package looks promising, as already posted.



  • Ideally the client should not have the option. I agree. The client OS is Windows XP / Windows 7 and we do have Active Directory running. But, unfortunately, due to the nature of the business, we have to give users admin rights, as a few of them move to the client side where they require adding manual IPs, and software developers need to install packages / updates on their PCs.

    I did install IPGuard but the service won't start. Amazingly, it is also not showing any logs in the System Logs section.



  • I had to block some users from accessing the internet, so I added rules so that only those few IPs (which were given static IPs via DHCP) are allowed to access the internet.
    And if allowed users were notified of an IP conflict, they gave a call.

    LAN: Allow from allowed_users_alias to any
    LAN: Block anything



  • Ah!

    It needed entries to be defined first before starting the service. It should work fine, but I will need to define all of my clients (200+) in ipguard. Is there any other way I can do that?



  • If you want to restrict all client IPs, then you need to define all of them.

    But if you want to restrict only some clients, then take a look at the sample configuration to add networks to the ipguard config.

    att,
    Marcello Coutinho



  • Well, I tried putting in a couple and enabling the IPGuard service. All the rest of the network went down. No one was able to connect to the local network either. I'll look at the sample config and get back. In the meantime, keep posting :)
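
An added example, not part of any post in this thread and not ipguard or pfSense code: a read-only audit that compares the firewall's ARP table with the expected MAC-to-IP bindings, so a permitted MAC using a self-assigned address shows up before any enforcement is switched on. The `audit_bindings` function, the "mac ip" bindings file format, the interface name and all sample addresses are constructed assumptions; the ARP lines follow the FreeBSD `arp -an` output layout.

```shell
#!/bin/sh
# audit_bindings BINDINGS ARP_TABLE
#   BINDINGS  : one "mac ip" pair per line, '#' starts a comment (assumed format)
#   ARP_TABLE : saved output of `arp -an` in FreeBSD layout
# Prints MISMATCH for a known MAC seen on the wrong IP,
# and UNKNOWN for a MAC that has no binding at all.
audit_bindings() {
    awk '
        FILENAME == ARGV[1] {                 # first file: expected bindings
            if ($0 ~ /^[ \t]*(#|$)/) next     # skip comments and blank lines
            want[tolower($1)] = $2
            next
        }
        $2 ~ /^\(.*\)$/ && $3 == "at" {       # "? (ip) at mac on ifname ..."
            ip  = substr($2, 2, length($2) - 2)
            mac = tolower($4)
            if (mac == "(incomplete)") next   # unresolved entry, no MAC to check
            if (!(mac in want))
                print "UNKNOWN", mac, ip
            else if (want[mac] != ip)
                print "MISMATCH", mac, "expected=" want[mac], "seen=" ip
        }
    ' "$1" "$2"
}

# Constructed sample data so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/bindings" <<'EOF'
# MAC               fixed IP (constructed)
aa:bb:cc:dd:00:11   192.168.1.10
aa:bb:cc:dd:00:22   192.168.1.11
EOF

cat > "$tmp/arp" <<'EOF'
? (192.168.1.10) at aa:bb:cc:dd:00:11 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.50) at aa:bb:cc:dd:00:22 on em1 expires in 904 seconds [ethernet]
? (192.168.1.77) at aa:bb:cc:dd:00:99 on em1 expires in 311 seconds [ethernet]
? (192.168.1.80) at (incomplete) on em1 expired [ethernet]
EOF

audit_bindings "$tmp/bindings" "$tmp/arp"
```

On a live system the second argument would be a file saved from `arp -an`; an empty result means every address seen matches its binding.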

