Preventing LAN access to new clients unless authenticated on pfSense captive portal



  • Hi
    I have recently got a new and very annoying problem.
    I have a captive portal setup which allows new users to access the internet after authentication through the captive portal. In essence the portal is working as it should.
    BUT… the problem is that if a certain someone plugged into my network is there to scan local machines and siphon information from the FTP/SMB servers on my LAN, this is presenting a problem: even though they can't waste my bandwidth, they are stealing my information.

    Is there any way to put these new connectees in a sort of sandbox until they are validated through the captive portal?

    I understand that it's almost impossible to restrict communication between LAN clients, so I am looking for some new out-of-the-box solution here.

    Thanks



  • Tighten your network security; the portal will always follow what is on top of it, meaning that if there's no layer to filter information after the portal, it will be useless.



  • @m4st3rc1p0:

    Tighten your network security; the portal will always follow what is on top of it, meaning that if there's no layer to filter information after the portal, it will be useless.

    I didn't understand a thing… very vague. Can you please explain?


  • LAYER 8 Netgate

    You're talking about layer 2 isolation on the network segment prior to pfSense (and its captive portal) being involved.

    Look at Asymmetric VLANs, Private VLAN Edge (protected ports), and Private VLANs.  This is more a function of your switch than your gateway/router.

    Now if you want layer 2 isolated/blocked before authentication and allowed after, you need to look at 802.1X and dynamic VLANs.  Again, not a function of your Gateway/Router/pfSense/Captive Portal.
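    As an added illustration of the switch-side setup Derelict is pointing at (this is not from the thread or from pfSense; it is an example written for this page), here is what the two ideas look like as a Catalyst-style IOS configuration: user-facing ports parked in a guest VLAN as protected ports (Private VLAN Edge) and gated by 802.1X, with the RADIUS server returning the VLAN an authenticated user belongs in. The interface names, VLAN numbers, RADIUS server address and the exact command syntax are assumptions and vary by platform and IOS version; check them against your switch's documentation.

```cisco
! Added example, not the thread's or pfSense's own config. All names,
! VLAN numbers and the 192.0.2.1 RADIUS address are assumptions.
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows RADIUS to hand back a VLAN
! (dynamic VLAN assignment) after a successful 802.1X authentication.
aaa authorization network default group radius
dot1x system-auth-control
!
radius server PFSENSE-RADIUS
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
 key CHANGE-ME
!
! User-facing ports: start in the guest VLAN (20), isolated from each
! other as protected ports, and blocked at layer 2 until 802.1X succeeds.
! On success the RADIUS reply can move the port to the trusted VLAN by
! returning the standard attributes (RFC 3580):
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-Id = "10"
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 20
 switchport protected
 authentication port-control auto
 dot1x pae authenticator
!
! Server ports: a separate VLAN (10) that the guest VLAN can only reach
! by routing through pfSense, where firewall rules apply. No 802.1X here.
interface range GigabitEthernet1/0/21 - 24
 switchport mode access
 switchport access vlan 10
```

    Two caveats worth checking before relying on this: `switchport protected` only isolates ports on the same switch (two protected ports on different switches can still talk unless you use full Private VLANs), and a port that fails 802.1X stays in the guest VLAN, so the guest VLAN must itself have no access to the servers except through pfSense.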



  • @Derelict:

    You're talking about layer 2 isolation on the network segment prior to pfSense (and its captive portal) being involved.

    Look at Asymmetric VLANs, Private VLAN Edge (protected ports), and Private VLANs.  This is more a function of your switch than your gateway/router.

    Now if you want layer 2 isolated/blocked before authentication and allowed after, you need to look at 802.1X and dynamic VLANs.  Again, not a function of your Gateway/Router/pfSense/Captive Portal.

    Oh, thanks, now I understand… so basically I put the captive portal on a different VLAN and then merge at the pf box once authenticated.


  • LAYER 8 Netgate

    Not really.

    It sounds like you want to prevent people from having access to your LAN assets until they are authenticated.  Captive portal doesn't do that.  802.1X does.

    If you want pfSense/captive portal to do it, you have to place the protected assets on one pfSense interface (LAN segment) and the users on another and control access with firewall rules on the interface to which the users connect.

    If they must be on the same LAN segment, pfSense can't help.  You have to use a managed switch and something such as 802.1X to control access at layer 2.
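    To make the "two interfaces plus firewall rules" option concrete, here is an added example (not from the thread; pfSense builds rules like these from the GUI, and this is the pf.conf equivalent written for this page) of the rule set on the interface the portal users connect to. The interface names em0/em1, the two subnets, and the portal ports 8002/8003 (pfSense's default captive portal listeners) are assumptions; adjust them to your box. The weak configuration is the one the thread started with: servers and portal clients on one LAN segment, where host-to-host traffic never reaches pfSense and no rule can touch it.

```pf
# Added example, not pfSense's own generated ruleset. Names and addresses
# are assumptions: em0 = LAN (protected servers), em1 = GUEST (portal users).
lan_if    = "em0"
guest_if  = "em1"
lan_net   = "192.168.1.0/24"
guest_net = "192.168.2.0/24"

# What an unauthenticated portal client must be able to reach on the
# firewall itself: DNS and the captive portal web listener.
portal_ports = "{ 53, 8002, 8003 }"

block log all

# --- GUEST interface: where the portal users plug in ---
# DHCP from clients that do not have an address yet.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
# DNS and the portal page on the firewall's own GUEST address.
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port $portal_ports
# The rule that actually protects the servers: guests never reach the LAN
# subnet, authenticated or not. Logged so scans show up in the firewall log.
block in log quick on $guest_if from $guest_net to $lan_net
# Everything else (the Internet) is allowed by the ruleset; the captive
# portal still withholds it until the user has logged in.
pass in on $guest_if from $guest_net to any

# --- LAN interface: the protected assets ---
pass in on $lan_if from $lan_net to any
```

    Note what this does and does not do: a guest can no longer route to the FTP/SMB servers through pfSense, but two guests on the same GUEST segment can still talk to each other, and a server accidentally plugged into the GUEST segment is unprotected. Keeping assets off the user-facing segment is the whole point of the design.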



  • @Derelict:

    Not really.

    It sounds like you want to prevent people from having access to your LAN assets until they are authenticated.  Captive portal doesn't do that.  802.1X does.

    If you want pfSense/captive portal to do it, you have to place the protected assets on one pfSense interface (LAN segment) and the users on another and control access with firewall rules on the interface to which the users connect.

    If they must be on the same LAN segment, pfSense can't help.  You have to use a managed switch and something such as 802.1X to control access at layer 2.

    Many thanks for your answer, and very sorry for replying very, very late.

    I have finally managed to set up the captive portal.
    I must mention that it was with the use of 802.1X and separate interfaces.
    I tried the VLAN approach on pfSense's LAN interface, but that was really taxing on my box.

    thanks

