Netgate Discussion Forum

Different Firewall rules for specific wireless users

5 Posts 2 Posters 1.6k Views
    qwaven, Oct 15, 2013, 4:32 PM

    Hey all,

    Wondering if anyone has any options for me? :) I'm running PFSense 2.0.3 (plan to update to 2.1 at some point, not sure if that would matter for this)

    I have a firewall w/ NAT enabled and a few interfaces devoted to different networks. For the main wired lan and wireless lan by default I block any communication between them. I have a few wireless hosts that I would like to allow through to the wired lan.

    I realize I can create DHCP leases and statically assign an IP to allow through the firewall. To me this is risky as anyone could theoretically manually set their IP to the "special" IP and gain access through.

    MAC filtering seems a bit more secure to me, however I have not found any way of adding a firewall rule to filter based on MAC address.

    So anyone have any suggestions for allowing a few hosts through, while still maintaining a user friendly approach?

    Thanks for your help!

    Cheers :)

      johnpoz (Global Moderator), Oct 15, 2013, 9:35 PM (edited 9:39 PM)

      "MAC filtering seems a bit more secure to me"

      And why can they not change their MAC – it can be changed just like an IP can..

      If you're really paranoid - set up static ARP.  Or install the ipguard package http://ipguard.deep.perm.ru/

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        qwaven, Oct 16, 2013, 12:08 AM

        @johnpoz:

        "MAC filtering seems a bit more secure to me"

        And why can they not change their MAC – it can be changed just like an IP can..

        Thanks for your response. Yes, it's true MAC addresses can be changed. However, it's far easier to guess an IP address than a MAC address. "…a bit more secure to me"

        The solutions you listed seem to rely on knowing all devices on the network in order to populate static ARP, etc. I'm looking for something a little less administratively intense. :)

        If static ARP were able to be used just to map particular IP-MAC combos, then I believe it would be ok, but as I understand it, when enabled it will deny anything not listed in the static ARP table.

        Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

        Thanks!

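The static ARP behaviour qwaven is weighing up (a listed IP is accepted only from its bound MAC, and an unlisted host cannot talk to the firewall at all), modelled as an added example; this is not pfSense's own code, it assumes pfSense's config.xml layout for DHCP static mappings (`dhcpd/<iface>/staticmap` with `mac` and `ipaddr`, and a `staticarp` flag), and the config below is constructed.

```python
"""Model of static ARP enforcement on a firewall NIC (added example, not pfSense code).

Assumes the pfSense config.xml layout <dhcpd><lan><staticarp/><staticmap>...
for DHCP static mappings. The sample config is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: two wireless hosts bound to fixed IPs, static ARP on.
SAMPLE_CONFIG = """<pfsense><dhcpd><lan><staticarp/>
<staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.2.10</ipaddr>
  <hostname>alice-laptop</hostname></staticmap>
<staticmap><mac>66:77:88:99:aa:bb</mac><ipaddr>192.168.2.11</ipaddr>
  <hostname>bob-phone</hostname></staticmap>
</lan></dhcpd></pfsense>"""


def load_static_maps(xml_text, iface="lan"):
    """Return (static_arp_enabled, {ip: mac}) for one DHCP interface section."""
    root = ET.fromstring(xml_text)
    section = root.find(f"./dhcpd/{iface}")
    if section is None:
        raise ValueError(f"no dhcpd section for interface {iface!r}")
    static_arp = section.find("staticarp") is not None
    table = {}
    for entry in section.findall("staticmap"):
        table[entry.findtext("ipaddr")] = entry.findtext("mac").lower()
    return static_arp, table


def arp_decision(static_arp, table, src_ip, src_mac):
    """Decide whether a frame from (src_ip, src_mac) can reach the firewall NIC.

    With static ARP off, only the IP is consulted, so a host that sets the
    'special' IP manually gets the same treatment as the real owner.
    With static ARP on, the kernel only honours the fixed IP/MAC bindings:
    a wrong MAC for a listed IP, or any unlisted IP, is dropped.
    """
    src_mac = src_mac.lower()
    if not static_arp:
        return "allow", "static ARP off: IP alone is checked (spoofable)"
    bound_mac = table.get(src_ip)
    if bound_mac is None:
        return "deny", "IP not in static ARP table"
    if bound_mac != src_mac:
        return "deny", "IP bound to a different MAC"
    return "allow", "IP/MAC pair matches static mapping"


if __name__ == "__main__":
    on, table = load_static_maps(SAMPLE_CONFIG)
    for ip, mac in [("192.168.2.10", "00:11:22:33:44:55"),
                    ("192.168.2.10", "de:ad:be:ef:00:01"),
                    ("192.168.2.50", "de:ad:be:ef:00:02")]:
        print(ip, mac, arp_decision(on, table, ip, mac))
```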
          johnpoz (Global Moderator), Oct 16, 2013, 1:04 AM

          And when are they guessing these IPs?  Are these IPs that have access not online when the users that are going to guess the ones that have access thru the firewall?

          Who are these users that are setting static IPs on their computer?  Are these just random public users?  Or is this a place of work? home?  What makes up the wireless population of users?  Have you talked to users?  99% of them don't know what an IP is - but you're worried they are going to "guess" the ones that are open to your wired network.

          And then the ones smart enough to figure out what IP addresses are allowed through - those would be the ones that would also be smart enough to know how to change their macs ;)

          What is it you're allowing these boxes to access once they guess the correct IP the firewall allows..  Won't they also need to know what dst IP and service that is allowed? Or are you opening up these IPs to any any to your wired network?

          Are these resources on the wired network not secured by auth as well?


            qwaven, Oct 16, 2013, 8:30 PM

            Hi Johnpoz,

            And when are they guessing these IPs?  Are these IPs that have access not online when the users that are going to guess the ones that have access thru the firewall?

            They could or could not be online, not sure it really matters.

            Who are these users that are setting static IPs on their computer? …

            They are members of the wireless network, or possibly someone who has gained access without authorization. The latter being of more concern.

            And then the ones smart enough to figure out what IP addresses are allowed through - those would be the ones that would also be smart enough to know how to change their macs

            Not necessarily, however let's assume it's a class C address block, 254 usable IPs. Far easier to scan or whatever 254 IPs than guess a particular 48-bit MAC address from some 281,474,976,710,656 possibilities.

            What is it you're allowing these boxes to access once they guess the correct IP the firewall allows..  Won't they also need to know what dst IP and service that is allowed? Or are you opening up these IPs to any any to your wired network?

            Are these resources on the wired network not secured by auth as well?

            The destinations and sources are still restricted by standard policies.

            Anyway, if it's not possible to do anything more restrictive than IP-based policy, so be it.  I've toyed with the idea of having a separate VLAN w/ static ARP as suggested or implementing an internal remote access VPN between networks.

            Thanks for your help.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.