
I am running pfSense (v 1.2.3) embedded as my primary router. I would like to block all traffic from unknown hosts. I have the DHCP server set to give out leases only to certain pre-defined (based on MAC address) hosts. What I would like to prevent is someone setting up a static IP on a machine and being able to use my system. Is it possible to prevent this, and if so, exactly how would I accomplish this? I realize they would have to be either physically connected, or have access to my wireless network, but I am trying to use the router as another level of security, plus I have some time restrictions for kids' devices based on IP addresses, and I don't want them to be able to circumvent these just by assigning a static IP address.

Scott

3 Answers


You can use the static ARP in the DHCP server and only allow defined hosts to get an IP. You'll want to use 2.0 if you go the full static ARP route; there were some issues recently found there in the stable release, but it works fine in 2.0.

Chris Buechler
  • Does the Static ARP prevent access to a machine that has set a static IP address? How stable is 2.0? How big of a deal is it to upgrade? I am running on a Netgate embedded router (ALIX.2D3 500 MHz, 2 GB CF). – Scott Aug 19 '10 at 11:11
  • So here is my question regarding Static ARP. I have a host (host_01) which has a given MAC address and an entry for a static lease at 192.168.1.199. I institute Static ARP, allowing only known MAC addresses to communicate with the router. My little genius gives his machine (host_01) a static IP address through the OS on that machine, with an IP address of 192.168.1.44. Will the router allow traffic from this host with a different IP address? If so, he can effectively circumvent my time restrictions. – Scott Aug 19 '10 at 16:59
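As an added example (not from the thread and not pfSense's own code), the check below shows how the static ARP mapping list can be turned into an audit of what the router actually sees on the LAN. It parses the FreeBSD `arp -an` output that pfSense 1.2.3 produces, normalises MACs (FreeBSD prints octets without leading zeros, e.g. `0:d:b9:1:2:3`), and flags any entry whose MAC is not in the DHCP static mappings, or whose MAC is known but is using an IP other than its assigned one, which is the host_01-at-192.168.1.44 case from the comments. The mapping table, the interface name `vr0` and the ARP lines are constructed for the example.

```python
import re

# Constructed sample of the DHCP "Static ARP" mapping list (MAC -> assigned IP).
# Values are hypothetical; only host_01's 192.168.1.199 comes from the thread.
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": "192.168.1.199",   # host_01
    "00:11:22:33:44:66": "192.168.1.200",   # another known host
}

# Constructed sample of `arp -an` on FreeBSD (pfSense 1.2.3). Note the
# unpadded octets in the router's own entry and the .44 entry: that is how
# FreeBSD's ether_ntoa() prints them.
ARP_OUTPUT = """\
? (192.168.1.1) at 0:d:b9:aa:bb:cc on vr0 permanent [ethernet]
? (192.168.1.199) at 00:11:22:33:44:55 on vr0 permanent [ethernet]
? (192.168.1.44) at 0:11:22:33:44:55 on vr0 expires in 1170 seconds [ethernet]
? (192.168.1.77) at 00:de:ad:be:ef:01 on vr0 expires in 900 seconds [ethernet]
? (192.168.1.90) at (incomplete) on vr0 expired [ethernet]
"""

# One complete ARP entry. Incomplete entries have "(incomplete)" instead of a
# MAC and deliberately do not match.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) on (?P<ifname>\S+)"
)


def normalize_mac(mac):
    """Canonical lower-case, zero-padded form: '0:d:b9:1:2:3' -> '00:0d:b9:01:02:03'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_table(text):
    """Yield (ip, mac, ifname) for every complete entry in `arp -an` output."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m.group("ip"), normalize_mac(m.group("mac")), m.group("ifname")


def audit_arp(arp_text, static_mappings, router_ips, ifname="vr0"):
    """Compare the live ARP table on one interface against the static mappings.

    Returns a dict with three lists:
      ok                 - (ip, mac) matches its static mapping
      unknown_mac        - (ip, mac) MAC is not in the mapping list at all
      known_mac_wrong_ip - (ip, mac, expected_ip) known MAC seen on another IP
    The router's own addresses are skipped.
    """
    mappings = {normalize_mac(m): ip for m, ip in static_mappings.items()}
    findings = {"ok": [], "unknown_mac": [], "known_mac_wrong_ip": []}
    for ip, mac, seen_if in parse_arp_table(arp_text):
        if seen_if != ifname or ip in router_ips:
            continue
        expected = mappings.get(mac)
        if expected is None:
            findings["unknown_mac"].append((ip, mac))
        elif expected != ip:
            findings["known_mac_wrong_ip"].append((ip, mac, expected))
        else:
            findings["ok"].append((ip, mac))
    return findings


if __name__ == "__main__":
    result = audit_arp(ARP_OUTPUT, STATIC_MAPPINGS, router_ips={"192.168.1.1"})
    for kind, entries in result.items():
        for entry in entries:
            print(f"{kind:20s} {entry}")
```

On a real box the input would come from `arp -an` run on the firewall (for instance from a cron job); the two non-`ok` lists are the ones worth alerting on, and the `known_mac_wrong_ip` list is exactly the "known MAC, self-assigned IP" situation the comments ask about.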

pfSense can do MAC filtering, and for the kids' machines I'd just filter on MAC address if you're worried they'll mess with the IPs to bypass outbound filtering. Just make sure you don't have another NATed router between the pfSense box and the clients.

"Enable Static ARP entries" on the config page will let you list only the MACs you want to access the router on the given interface -- this should keep unknown/unwanted users off.

nedm
  • I'm sorry if I'm missing something obvious, but I cannot seem to see an option to filter on MAC address - is this in the firewall rules? I also cannot find "Enable Static ARP entries" – Scott Aug 19 '10 at 11:17
  • If you're using 1.2.3 it should be under "Services" > "DHCP Server" > "Static ARP" and then there's a check box for "Enable Static ARP Entries" that will let you add MAC addresses allowed to get an IP. – nedm Aug 19 '10 at 16:08
  • The second way to do this would be to enable the captive portal, add the MACs you want to allow to the "Pass-through MAC" tab under the captive portal setup page, and then set the portal to use local authentication using a username and password you create but don't share. Only MACs on the Pass-through list are allowed to avoid the captive portal, so they won't get blocked by it. – nedm Aug 19 '10 at 16:12
  • Lastly, if @Chris B suggests that you upgrade to 2.0 to use this functionality, I'll suggest that you defer to his wisdom -- he ought to know since it's his baby! And 2.0 is very stable -- Chris, any guess on when it will be officially released? – nedm Aug 19 '10 at 16:15
  • Ned - thanks for all the replies - I guess I'll look into 2.0. It seems, however, that I cannot do exactly what I want to do, which is to prevent traffic from unknown hosts. – Scott Aug 19 '10 at 16:36

This just occurred to me, and I'd appreciate feedback on the merits of this idea:

Put a rule in to block all outgoing traffic on my LAN. Then put in rules to allow traffic from known hosts (based on their IP address) and give the allow rules higher priority. Then the only way someone could get out to the internet with a static IP would be to set the static IP to an already used IP, and that would cause problems. I could move my IP addresses around a bit so that I can create rules for a /28 and a /29, thus minimizing the number of rules required to allow traffic. - Thoughts?

Scott
  • This assumes the static IP clients are always on -- when they're turned off someone could theoretically use that IP on another host without causing problems. This is probably a remote possibility at best, but for blocking unknown hosts I think one of the methods of limiting connections to known MACs is going to be a better way to go. Your little genius is another problem entirely. :) – nedm Aug 19 '10 at 17:51
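The rule scheme proposed in this answer, modelled in Python as an added example (not from the thread and not pfSense's own code): it collapses a list of known-host addresses into the smallest CIDR blocks that cover them (the /28 and /29 mentioned), orders the allow rules ahead of a catch-all block the way pfSense's first-match LAN rules work (pfSense adds `quick` to every rule it generates), renders them in pf syntax, and evaluates sample sources against them. The last call in the usage section shows the caveat from the comment: the rules key only on the source address, so a packet that borrows an idle known host's IP from a different MAC is passed all the same. The host addresses and the LAN interface name `vr0` are assumed.

```python
import ipaddress

LAN_IF = "vr0"  # assumed LAN NIC name; not from the thread

# Constructed example: the known hosts renumbered so that they pack into one
# /28 (.16-.31) and one /29 (.32-.39), as the answer proposes.
KNOWN_HOST_IPS = [f"192.168.1.{i}" for i in range(16, 40)]


def aggregate(host_ips):
    """Collapse individual host addresses into the fewest CIDR blocks covering exactly them."""
    nets = [ipaddress.ip_network(ip) for ip in host_ips]
    return list(ipaddress.collapse_addresses(nets))


def build_ruleset(allowed_nets):
    """Allow rules first, then a catch-all block. Order matters: first match wins."""
    rules = [("pass", net) for net in allowed_nets]
    rules.append(("block", ipaddress.ip_network("0.0.0.0/0")))
    return rules


def render_pf(rules, lan_if=LAN_IF):
    """Render the rules in pf syntax as pfSense writes LAN-tab rules (traffic
    arriving *in* on the LAN interface, 'quick' so the first match wins)."""
    lines = []
    for action, net in rules:
        src = "any" if net.prefixlen == 0 else str(net)
        state = " keep state" if action == "pass" else ""
        lines.append(f"{action} in quick on {lan_if} inet from {src} to any{state}")
    return lines


def evaluate(rules, src_ip, src_mac=None):
    """Return 'pass' or 'block' for a packet from src_ip arriving on the LAN.

    src_mac is accepted only to make the point explicit: a layer-3 rule never
    looks at it, so a spoofed known IP is indistinguishable from the real host.
    """
    ip = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if ip in net:
            return action
    return "block"  # unreachable with the catch-all present; pfSense blocks by default anyway


if __name__ == "__main__":
    rules = build_ruleset(aggregate(KNOWN_HOST_IPS))
    print("\n".join(render_pf(rules)))
    samples = [
        ("192.168.1.20", "00:11:22:33:44:55"),  # known host on its own IP
        ("192.168.1.44", "00:11:22:33:44:55"),  # known MAC, self-assigned IP outside the blocks
        ("192.168.1.20", "00:de:ad:be:ef:01"),  # unknown MAC borrowing an idle known IP
    ]
    for src, mac in samples:
        print(f"{src:15s} {mac} -> {evaluate(rules, src, mac)}")
```

Three rules cover twenty-four hosts, which is the point of renumbering into aligned blocks; `ipaddress.collapse_addresses` only merges addresses that fall on a power-of-two boundary, so scattering hosts across the subnet would leave many more /32 rules.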