• Dear all,

    I am running pfSense as an ISP with almost 90 clients. The approach I used is that I made a MAC entry, IP and name for each client. That was working fine, but now I realise that some persons are using the service with a static IP on their devices.

    Now I make an alias and put rules to allow the valid ones who are registered with us and block the others. But when I scan with software they are still there.

  • You can make an alias containing all the static-mapped IP addresses that are registered clients, then use that alias in a pass rule, and after that rule block everything else. That prevents the others from getting any internet access.

    But anyone can also set their IP address on their own device to anything they like - e.g. the IP address of a registered client. And they can also set their MAC address to match it. If the real client device is offline, then the other person gets access. If both are online then there will be the confusion of a duplicate IP address.

    If customers have physical access to put their own devices on a shared broadcast domain of multiple customers, then they can do anything like this. You cannot stop them. And depending on how much of a hub-style, rather than switch-style, broadcast domain it is, they will be able to sniff traffic of other customers. Some of the offices in my company are connected to ISPs using metro-WiFi-type arrangements and actually our data is shared on their town WiFi with many others that we can see… Sometimes we use this for security training - showing our local IT support guys how insecure it all is, we can bounce around in the metro-WiFi broadcast domain looking for all sorts of stuff and could spoof someone else's MAC address and IP.

    To be properly secure, every customer needs effectively their own LAN (broadcast domain) - e.g. each ethernet port of a big switch is a separate VLAN with them all trunked to pfSense, or a "dialin-style" method so each customer actually makes a secure authenticated connection from their premises up to you. And so even though they might share the same broadcast domain to some extent, all their traffic is encrypted and thus customers cannot access each other's stuff.

  • You are trying to fix a layer 2 problem by using a layer 3+ solution. This will never work very well.

    The solution you actually want involves dynamic VLANs and 802.1X authentication. (See this Juniper page for a short explanation: http://www.juniper.net/documentation/en_US/junos11.4/topics/concept/802-1x-pnac-dynamic-vlan-understanding.html )
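The second post explains why a registered IP/MAC list cannot keep out a device that copies a customer's addresses. The script below is an added example, not from the thread or from pfSense, of the most a firewall-side check can see: it parses FreeBSD `arp -an` output (pfSense's base OS) and compares each entry against a constructed registry of the kind the first poster maintains, flagging IPs that are not registered and registered IPs that show up with an unexpected MAC. The registry contents and the ARP lines are constructed sample data.

```python
import re

# Constructed registry, one (IP, MAC) per customer, as the first poster described.
REGISTERED = {
    "192.0.2.10": "00:11:22:33:44:10",
    "192.0.2.11": "00:11:22:33:44:11",
    "192.0.2.12": "00:11:22:33:44:12",
}

# Constructed sample of `arp -an` output in FreeBSD format.
ARP_SAMPLE = """\
? (192.0.2.10) at 00:11:22:33:44:10 on em1 expires in 1190 seconds [ethernet]
? (192.0.2.11) at aa:bb:cc:dd:ee:01 on em1 expires in 1150 seconds [ethernet]
? (192.0.2.50) at aa:bb:cc:dd:ee:02 on em1 expires in 900 seconds [ethernet]
? (192.0.2.12) at 00:11:22:33:44:12 on em1 permanent [ethernet]
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)", re.I)


def parse_arp(text):
    """Return a list of (ip, mac) pairs from arp -an output; MACs are lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def audit(pairs, registry):
    """Classify ARP entries against the registry.

    'unregistered': IPs the firewall sees that are not in the registry at all.
    'mismatch':     registered IPs seen with a MAC other than the registered one,
                    which is what an IP-squatting device looks like from the firewall.
    A device that clones both the IP and the MAC produces no finding here, which is
    exactly the limitation the second post describes.
    """
    findings = {"unregistered": [], "mismatch": []}
    for ip, mac in pairs:
        expected = registry.get(ip)
        if expected is None:
            findings["unregistered"].append((ip, mac))
        elif expected.lower() != mac:
            findings["mismatch"].append((ip, mac, expected))
    return findings


if __name__ == "__main__":
    print(audit(parse_arp(ARP_SAMPLE), REGISTERED))
```

On a live box the input would come from `arp -an` on the customer-facing interface; anything the script cannot distinguish (same IP and same MAC as a registered customer) is the case the third post says only a per-customer VLAN or 802.1X can handle.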