Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On Wed, Mar 02, 2011 at 08:22:12AM -0500, Andy Graybeal wrote:

> Ah.. I don't have a managed switch. I have an HP 1400-24G (j9078a).
> Thank you for this information, it gives me something to consider. I've
> always wanted a managed switch.

In case you're shopping for one, I'll repeat my recent recommendation: I just got a HP V1910-24G (formerly 3Com 3CRBSG2893), and while it's not fanless as HP 1810-24G it is a remarkably powerful switch for a mere ~200 EUR (sans VAT)

--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On 03/01/2011 08:47 PM, Daniel Davis wrote:

> Andy,
>
> 802.1x with MAC authentication bypass is probably what you are looking for. Nearly all managed switches these days have support for 802.1x. This way the device is authenticated at the switch-port, if it is not an allowed device the switch will deny the device access (or you could set the switch to give unknown users access to a guest VLAN). Once set up it is no harder to administer than maintaining your DHCP reservations list (Once you have it set up I would recommend removing DHCP reservations where they are not needed, this way you only need to maintain one list of MAC addresses).
>
> Regards,
> Daniel

Ah.. I don't have a managed switch. I have an HP 1400-24G (j9078a). Thank you for this information, it gives me something to consider. I've always wanted a managed switch.

Andy

> -----Original Message-----
> From: Andy Graybeal [mailto:andy.grayb...@casanueva.com]
> Sent: Wednesday, 2 March 2011 9:10 AM
> To: support@pfsense.com; t...@casanueva.com
> Subject: [pfSense Support] Only allow DHCP assigned addresses access to network
>
> Hi,
> I would like every machine on my network to get its address from PFSense's DHCP server.
>
> If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I dis-allow them access to network services?
>
> Does this make any sense to do this? Does this make sense to not do this?
>
> -Andy

Re: [pfSense Support] Only allow DHCP assigned addresses access to network
On 03/01/2011 06:49 PM, Cole Devitt wrote:

> If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no?
>
> If a computer isn't receiving a DHCP address from your pfsense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.

Cole, forgive me if I'm misunderstanding, but I'm pretty sure I understand what you're saying. The client isn't asking for an IP address. They are manually (statically assigning) typing in an IP address into their computer and getting onto the network this way. I'm sorry I didn't explain that very well in my original email.

-Andy

> On Mar 1, 2011, at 5:40 PM, "Andy Graybeal" wrote:
>
> > Hi,
> > I would like every machine on my network to get its address from PFSense's DHCP server.
> >
> > If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I dis-allow them access to network services?
> >
> > Does this make any sense to do this? Does this make sense to not do this?
> >
> > -Andy

RE: [pfSense Support] Only allow DHCP assigned addresses access to network
Andy,

802.1x with MAC authentication bypass is probably what you are looking for. Nearly all managed switches these days have support for 802.1x. This way the device is authenticated at the switch-port, if it is not an allowed device the switch will deny the device access (or you could set the switch to give unknown users access to a guest VLAN). Once set up it is no harder to administer than maintaining your DHCP reservations list (Once you have it set up I would recommend removing DHCP reservations where they are not needed, this way you only need to maintain one list of MAC addresses).

Regards,
Daniel

-----Original Message-----
From: Andy Graybeal [mailto:andy.grayb...@casanueva.com]
Sent: Wednesday, 2 March 2011 9:10 AM
To: support@pfsense.com; t...@casanueva.com
Subject: [pfSense Support] Only allow DHCP assigned addresses access to network

Hi,
I would like every machine on my network to get its address from PFSense's DHCP server.

If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I dis-allow them access to network services?

Does this make any sense to do this? Does this make sense to not do this?

-Andy

RE: [pfSense Support] Only allow DHCP assigned addresses access to network
Hi, you can only restrict the access/traffic to services provided and managed by pfSense. But there might be another possibility like using snort package, activating it on the LAN side and permit only the traffic from the IPs that you allow. I think this can be done, but certainly needs further investigation to confirm this possibility.

Carlos

From: kohenk...@gmail.com [mailto:kohenk...@gmail.com] On Behalf Of Moshe Katz
Sent: Wednesday, 2 March 2011 00:20
To: support@pfsense.com
Cc: Cole Devitt; t...@casanueva.com
Subject: Re: [pfSense Support] Only allow DHCP assigned addresses access to network

I think Andy means, "how do I stop people who set a static IP on the same subnet as my network from getting on the network?"

The short answer is that you can't do that easily. Internal network traffic does not pass through the pfSense and cannot be stopped by it.

You may be able to prevent internet access (or access to other network segments) by programmatically creating an alias built from the DHCP client table. I don't know how easy that is in practice but that is what I might do.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Tue, Mar 1, 2011 at 6:49 PM, Cole Devitt wrote:

If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no?

If a computer isn't receiving a DHCP address from your pfsense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.

On Mar 1, 2011, at 5:40 PM, "Andy Graybeal" wrote:

> Hi,
> I would like every machine on my network to get its address from
> PFSense's DHCP server.
>
> If it doesn't receive an address from the DHCP server (if they pick some
> arbitrary address on the same subnet) how do I dis-allow them access to
> network services?
>
> Does this make any sense to do this? Does this make sense to not do this?
>
> -Andy

Re: [pfSense Support] Only allow DHCP assigned addresses access to network
I think Andy means, "how do I stop people who set a static IP on the same subnet as my network from getting on the network?"

The short answer is that you can't do that easily. Internal network traffic does not pass through the pfSense and cannot be stopped by it.

You may be able to prevent internet access (or access to other network segments) by programmatically creating an alias built from the DHCP client table. I don't know how easy that is in practice but that is what I might do.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Tue, Mar 1, 2011 at 6:49 PM, Cole Devitt wrote:

> If a computer doesn't pick up a DHCP address I believe it gets an APIPA
> address, a 169.192 address if I recall right. With an APIPA address the
> computer wouldn't be able to do much of anything anyways as the subnet is
> different and there isn't a gateway to my knowledge, so a standard setup of a
> DHCP server and client machines sounds like what you want, no?
>
> If a computer isn't receiving a DHCP address from your pfsense then you
> have a configuration issue, or your scope is too small (not set to give out
> enough addresses), or there is a physical problem somewhere in your network.
>
> On Mar 1, 2011, at 5:40 PM, "Andy Graybeal" wrote:
>
> > Hi,
> > I would like every machine on my network to get its address from
> > PFSense's DHCP server.
> >
> > If it doesn't receive an address from the DHCP server (if they pick some
> > arbitrary address on the same subnet) how do I dis-allow them access to
> > network services?
> >
> > Does this make any sense to do this? Does this make sense to not do this?
> >
> > -Andy

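Moshe's idea of building an alias from the DHCP client table, as an added example that is not part of the original thread or of pfSense itself. It assumes the lease table is available in ISC dhcpd.leases format; the lease text, the ARP table and all function names are constructed for illustration.

```python
import re
from datetime import datetime
# Constructed sample in ISC dhcpd.leases format (assumed format; made-up hosts).
SAMPLE_LEASES = """
lease 192.168.1.100 {
  ends 3 2011/03/02 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.101 {
  ends 2 2011/03/01 09:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.102 {
  ends 3 2011/03/02 23:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""
# Constructed ARP view of the LAN: .150 was typed in by hand, and .102 is
# answered by a MAC other than the one holding the lease.
SAMPLE_ARP = {"192.168.1.100": "00:11:22:33:44:55",
              "192.168.1.102": "00:AA:BB:CC:DD:02",
              "192.168.1.150": "00:aa:bb:cc:dd:01"}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def active_leases(text, now):
    """Map ip -> mac for leases active at `now` (naive UTC, as dhcpd writes)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"^\s*binding state (\w+);", body, re.M)
        ends = re.search(r"^\s*ends \d (\S+ \S+);", body, re.M)
        mac = re.search(r"hardware ethernet ([0-9A-Fa-f:]{17});", body)
        leases.pop(ip, None)  # the file is append-only: the last entry wins
        if not (state and ends and mac) or state.group(1) != "active":
            continue
        if datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") > now:
            leases[ip] = mac.group(1).lower()
    return leases

def alias_entries(leases):
    """Addresses for the firewall alias, in numeric order."""
    return sorted(leases, key=lambda ip: tuple(map(int, ip.split("."))))

def unleased_hosts(arp, leases):
    """ARP entries with no active lease, or whose MAC differs from the lease."""
    return sorted(ip for ip, mac in arp.items() if leases.get(ip) != mac.lower())
```

The alias only governs traffic that is routed through the firewall, as the message above notes; the ARP comparison is what surfaces hand-configured hosts on the LAN segment itself.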
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no?

If a computer isn't receiving a DHCP address from your pfsense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.

On Mar 1, 2011, at 5:40 PM, "Andy Graybeal" wrote:

> Hi,
> I would like every machine on my network to get its address from
> PFSense's DHCP server.
>
> If it doesn't receive an address from the DHCP server (if they pick some
> arbitrary address on the same subnet) how do I dis-allow them access to
> network services?
>
> Does this make any sense to do this? Does this make sense to not do this?
>
> -Andy

[pfSense Support] Only allow DHCP assigned addresses access to network
Hi,
I would like every machine on my network to get its address from PFSense's DHCP server.

If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet) how do I dis-allow them access to network services?

Does this make any sense to do this? Does this make sense to not do this?

-Andy