pfSense (or other dedicated router) questions


That works for IPv4. It doesn't work for IPv6. With IPv6, many OSes ignore DHCPv6, and others accept the configuration and IP but use a different IP for outgoing traffic (for "security" reasons).

Does his device need any IPv6 access?

Do any of your devices need IPv6 access?


Personally, I block it (or leave it disabled) since my ISP does not support it.
 
Does your AP support guest networks on timers? If so, put his device on its own SSID that runs on a timer.
 
How can I use my managed switch to accomplish this?

While I asked to step back a bit - a managed switch does have some ACL capabilities, but we're getting ahead of ourselves - but some will run straight into the fire...

Consider that IPv4/IPv6 is routed - if you want to manage MAC layer stuff, the switch is a good place to start, but that's a bit of a complicated space depending on the switch vendor - it's an all/nothing thing there, unless there are some hooks back to the upper layers - some switches have features that others don't... my switch is dependent on RADIUS upstream to apply a profile to an ACL which the client is a member of... and the RADIUS server in my network is not inside pfSense - it's an independent element...

Wasn't planning on going down this path, as it is a rathole of complexity, when sometimes, it's a better solution to physically pull the device...
 
Best way to cut someone off the internet is to use the blackhole routing method for the host on the router. Perhaps use a timer with it. The other solution is to just create a rule to drop forward to/from the host (2 rules), with a timer as well. Doing this allows for LAN access (in case you want to let the person watch movies from a local media server, print, etc. but with no internet).

If you use RADIUS or a hotspot you can use that to set time limits or a schedule.
 
If this helps - RADIUS is stateless - not stateful - so any time a device asks, it's either yes/no, depending on policy for that particular device - and you can define that device many ways, but generally it's either an authenticated user account (most common) or a MAC address (which can be faked)...

Just asking myself at the moment - how the heck we got to this particular rat-hole... I don't think anyone is happy here...

(edit - fixed an autocorrect item that would be very confusing)
 
Yes on IPv6. Not him specifically, but considering I harass my employer on an almost daily basis that they still haven't implemented IPv6, and that I have to "pipe it in" via a VPN to my home network, I couldn't live with myself if I disabled it.

Does your AP support guest networks on timers? If so, put his device on its own SSID that runs on a timer.
It could, but I can't assume a wireless connection. (I gave an example of the problem, not the full scope of it.)

Best way to cut someone off the internet is to use the blackhole routing method for the host on the router.
I tend to agree. How can I blackhole both IPv4 and IPv6 traffic on a router/firewall that doesn't support filters on MAC? I can't alter the route unless I know the source... and I can't know (or force addressing of) the source with IPv6.
 
If you use RADIUS or a hotspot you can use that to set time limits or a schedule.
If this helps - RADIUS is stateless - not stateful - so any time a device asks, it's either yes/no, depending on policy for that particular device - and you can define that device many ways, but generally it's either an authenticated user account (most common) or a MAC address (which can be faked)...
I actually have a full-blown ADS, and one of my wifi SSIDs validates EAP/PEAP using mschapv2. That IS an approach for wifi (as well as MAC filtering on a timer at the AP.) It doesn't help for wired (and I don't have RADIUS / 802.1x implemented on my wired network.)

@sfx2000, ratholes are fun. People don't come up with new solutions until they are faced with formally unsolvable problems. Either they leave them unsolved, or something new is found.

My stance is that the solution already exists in the form of L2 firewall rules. Of course, my un*x background is Linux, and iptables has always supported MAC rules. In fact, until I loaded up pfSense, I never realized any kind of firewall could exist without MAC-based rules support.

Others think otherwise. I'm willing to listen - if the same problems can be solved.
 
I actually have a full-blown ADS, and one of my wifi SSIDs validates EAP/PEAP using mschapv2. That IS an approach for wifi (as well as MAC filtering on a timer at the AP.) It doesn't help for wired (and I don't have RADIUS / 802.1x implemented on my wired network.)

@sfx2000, ratholes are fun. People don't come up with new solutions until they are faced with formally unsolvable problems. Either they leave them unsolved, or something new is found.

Hokay - better to be clear about what you have - sounds like you're playing things otherwise... hence the rathole...
 
My stance is that the solution already exists in the form of L2 firewall rules. Of course, my un*x background is Linux, and iptables has always supported MAC rules. In fact, until I loaded up pfSense, I never realized any kind of firewall could exist without MAC-based rules support.

Others think otherwise. I'm willing to listen - if the same problems can be solved.

There's nothing wrong with forgetting pfSense and loading a Linux-based OS...
 
Hokay - better to be clear about what you have - sounds like you're playing things otherwise... hence the rathole...
I thought I posted a link to a network diagram a day or 3 ago... it showed the ADS server, 2 NAS devices, network printers, an AP, my managed switch (L2 Netgear GS724Tv4), etc. There's also a crapload of appliances (IoT, TiVos, etc) and a "non-managed smart" switch. (16 port thing that supports VLANs, static LAGs, but not much else.) I even have some normal computers, too... (heh.) Oh, and if it matters, my 2012 R2 ADS runs in a VM... which is hosted by 2012 R2 ON the domain.

Did I ever mention that I like to tinker? ;)
 
There's nothing wrong with forgetting pfSense and loading a Linux-based OS...
I tinkered with IPFire (which would run perfectly on the same machine I assembled for pfSense), but it seems to have some issues. An initial install on a VM fails checking for updates... there are posts all over their forums about it.

Of course, I'm not limited to pre-built solutions.

However, now that I have pfSense running, I want to make it work, dammit. ;) I can't be the only person in the world faced with this problem, and surely there must be a solution. I could probably "solve" it easily enough if I was willing to learn a little FreeBSD, install "ipfw", read a man page, and just manually set things up. But, that's too easy. I'm trying to work in the framework of the product.
 
Every concept has a smallest working component. For example, in the physical world, most consider a molecule to be the smallest working component (because individual atoms are usually unstable.)

In a "layer 3" router/firewall, what is the smallest working addressable component? I'm guessing it's an IP address? If so, is it an IPv4 address or an IPv6 address? Or something else? How does a L3 router/firewall represent a single interface?

Back before IPv6, you could say it represents a single interface with a single IPv4 address. That would work because an interface can only have a single IPv4 address. (Virtual interfaces might have different IPv4 addresses, but they are created in L2 and exposed to L3 independently of the base interface. (em0 vs vlan0, etc.))

Today, that can't be true, because a single interface on a single machine can still only have a single IPv4 address, but it can also have a virtually unlimited number of IPv6 addresses - each of which exists in layer 3.

So, taking into account IPv6, is there anything in layer3 that you can point at and say "THAT fully represents one interface on one machine"?

The reason for the random question is that I encountered an issue when viewing a report or graph in pfSense that should show traffic totals from different interfaces on the LAN... traffic from my machine was spread across 4 different entries (1 IPv4 address and 3 IPv6 addresses) (which all reference the same interface.) In my mind (which apparently works in layer 2), they are the same interface. They share the same MAC address, and when looking at a traffic report, total traffic/machine is much more important than knowing traffic per specific address. (Would you be amused if the electric company itemized your bill based on how much electricity came out of each specific electrical socket in your house?)

So, my first thought was "this report is less useful if it can't aggregate the numbers from the different IP addresses together to show the total traffic from the MAC address."

... which leads back to this thread. I want to block one interface on one machine. In my head, that's represented by a MAC address.
 

Thanks - if you don't mind - I'd like to post something here - or you can - seems like a good setup - the only thing I would do is flatten the LAN a bit, and see about VLAN/ESSID matches - which is where I'm at - so I can match VLAN/ESSIDs with the current APs...

Rest looks good actually... goes back to what I suggested earlier - if you have a client that needs special treatment, do it there, rather than introduce additional complexity in the LAN..
 

Be more open to alternatives. (Do you honestly think you are the first person with this problem?)

The common definition of a firewall is a layer 3 device.


Unless you have a damn good reason, please refer to common knowledge. If you cannot find the answer, you are probably asking the wrong question... unless you are a PhD student who's breaking new ground.
 
I would do is flatten the LAN a bit, and see about VLAN/ESSID matches - which is where I'm at - so I can match VLAN/ESSIDs with the current APs...
I don't understand this statement/terminology.

There are actually 3 SSIDs:

One is the normal EAP/PEAP based SSID that would associate with vlanNormal.

Then there's one that is PSK based and would associate with vlanGuest.

I also have a third SSID that's used by IoT devices that are wifi-only and only support PSK based auth methods. That one uses a hidden SSID, and only allows specific MAC addresses to connect. It will be on a vlan (that isn't shown in that diagram) that's completely isolated from the other vlans - only sharing the internet gateway.

Oh - there's only a single AP that will use tagged VLANs for the different SSIDs. I have to use DD-WRT or Tomato to get a consumer "wireless router" to do that... Eventually, I'll move up to a dedicated AP...
 
Be more open to alternatives. (Do you honestly think you are the first person with this problem?)
Of course. If I wasn't open to alternatives, I'd have already reformatted the pfSense box and put something else on instead of engaging in this thread...

As for being the first person with the problem, I happen to know I'm not as I see many other people asking similar questions. The problem is that I can't find where any of those people are getting reasonable answers or solutions. I'm starting to wonder if some of them have just given up on pfSense and moved on to other software. (I don't know.)

Unless you have a damn good reason, please refer to common knowledge. If you cannot find the answer, you are probably asking the wrong question... unless you are a PhD student who's breaking new ground.
You're implying that I'm not using common knowledge. How is that so? It is common knowledge that IPv6 can (and will) assign multiple IP addresses to a single interface. It is common knowledge that IPv4 only assigns a single one. It's also somewhat common knowledge that modern OSes will generate their own IPv6 addresses (and frequently change them!) for internet access traffic.

The post you quoted was me trying to approach the problem from a different angle. The problem is that I keep coming back to the same question: How can I block an interface?

What about this isn't using common knowledge?

Oh, and quite often it's the complete novice who breaks new ground - not the PhD student or professor. The educated ones have been trained to think inside the box and are afraid to ask questions outside of it. The novice isn't aware that the box exists, so is able to see outside of it. To use an old fable: it's the young ignorant child who points out that the emperor is, in fact, naked.

Finally, this whole mysterious "if you aren't finding your answer, you're asking the wrong question" thing is really getting annoying. Seriously, this isn't some metaphysical thing. Redefining a problem in order to find an easier answer is NOT solving the original problem. I realize and understand that there might not be a good solution - but I'm not one of those people who will ignore a problem just because I can't find an easy solution.

The networking stack supports what I'm trying to do in the form of MAC filtering. I realize that pfSense can't do MAC filtering, and I'm willing to learn of reasonable alternatives. No one seems to be able to offer any (reasonable) alternatives.

This reminds me of the Apple iphone... some people had a problem with the early generations because they couldn't get a list of previous notifications. Those users would point out that a "lesser" product, Android, could do this with their notification shade. Apple told those users that this wasn't a problem. They said that the iphone was a much more advanced product and those users were asking the wrong questions. Then, out of the blue, Apple "invented" a notification shade.

Being that everyone tells me that I'm "asking the wrong question", I won't use a question. I'll use a statement.

The problem, in its most basic form, is that I need a mechanism to block an interface from the LAN to WAN gateway in non-permanent ways on a fully dual-stack network. A similar problem would be that I need a mechanism to block specific interfaces from other specific interfaces - and that doing so with vlans/subnets is unreasonable due to the volume and mix of interface combinations.
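One workaround a practitioner can script on the pfSense box itself, added here as an example that is not from the thread or from pfSense: pf cannot match on MAC, but the ARP and NDP caches map every IPv4/IPv6 address a host currently uses back to its MAC, so a scheduled job can keep a pf table filled with that MAC's addresses (and flush it when the timer expires), and the same mapping folds a per-address traffic report into the per-device totals the earlier post asked for. The `arp -an` / `ndp -an` sample output, addresses, MACs and byte counts are constructed; the table name blocked_host and a LAN rule that blocks from that table are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of FreeBSD/pfSense `arp -an` output (assumed layout).
ARP_SAMPLE = """\
? (192.168.1.50) at 00:11:22:33:44:55 on em1 expires in 1199 seconds [ethernet]
? (192.168.1.77) at 00:11:22:33:44:56 on em1 expires in 600 seconds [ethernet]
"""
# Constructed sample in the layout of `ndp -an`; link-local rows carry a %ifname scope suffix.
NDP_SAMPLE = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%em1         00:11:22:33:44:55  em1   permanent R
2001:db8:1:0:211:22ff:fe33:4455      00:11:22:33:44:55  em1   23h59m59s S R
2001:db8:1:0:5d3a:9c0e:7f21:8b44     00:11:22:33:44:55  em1   23h59m59s S R
2001:db8:1:0:a1b2:c3d4:e5f6:708      00:11:22:33:44:56  em1   23h10m00s S R
"""
# Constructed per-address byte counts, like the per-IP rows of a traffic report.
TRAFFIC_SAMPLE = {
    "192.168.1.50": 1000,
    "2001:db8:1:0:211:22ff:fe33:4455": 200,
    "2001:db8:1:0:5d3a:9c0e:7f21:8b44": 300,  # temporary (privacy) address of the same host
    "192.168.1.77": 50,
    "10.9.9.9": 7,                            # in neither cache: cannot be tied to a device
}
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
ARP_RE = re.compile(r"\((\S+)\) at " + MAC_RE.pattern, re.I)

def parse_neighbors(arp_text, ndp_text):
    """Map each MAC to every IPv4/IPv6 address the two caches currently hold for it."""
    table = defaultdict(set)
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group(2).lower()].add(m.group(1))
    for line in ndp_text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[1]):  # skips "(incomplete)" rows
            table[parts[1].lower()].add(parts[0].split("%")[0])
    return dict(table)

def traffic_by_mac(per_ip_bytes, neighbors):
    """Fold per-address byte counts into per-device totals; unmapped addresses go to 'unknown'."""
    ip_to_mac = {ip: mac for mac, ips in neighbors.items() for ip in ips}
    totals = defaultdict(int)
    for ip, nbytes in per_ip_bytes.items():
        totals[ip_to_mac.get(ip, "unknown")] += nbytes
    return dict(totals)

def pf_table_for_mac(mac, neighbors):
    """Addresses to load into a pf table so a block rule on that table covers the whole device."""
    return sorted(neighbors.get(mac.lower(), ()))

def pfctl_replace_cmd(table, addrs):
    """Command a cron job would run to refresh the table (hypothetical name blocked_host);
    an empty address list becomes a flush, which is how the timer lifts the block."""
    if not addrs:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace", *addrs]
```

The caches only hold addresses seen recently and IPv6 temporary addresses rotate, so the refresh has to run often enough to catch a new address before it carries much traffic; a host that changes its MAC steps out of the match entirely, which is the same limit a switch-side MAC filter has.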
 
I feel your pain Gary. And I completely understand why you want to do it. The OpenWRT people figured out this problem and made it ridiculously easy:

https://bokunokeiken.wordpress.com/2015/06/27/how-to-block-device-on-openwrt-based-on-mac-address/

It doesn't have the bling that pfSense has, but there are OpenWRT builds for x86 architecture. Before I bought my Ubiquiti, I ran OpenWRT in a VM on my ESXi server. I never got the hang of managing it via the CLI, doing upgrades was cumbersome, and the GUI was not super clean. But it probably had the most solid IPv6 implementation of any of the tools at the time - DHCPv6-PD worked flawlessly, easy dual-stack filtering, etc. I tinkered with pfSense at the time as well, but could not get documentation on how to get the LAN side of DHCPv6-PD (carving out /64s from the provided /56) to happen automatically. I ended up purchasing an EdgeRouter because I needed a separate router to keep the rest of the house running when I was doing work on the ESXi server.

A "firewall" is only a layer-3 device when that is all your tool can block, and BSD Packet Filters are layer-3 only. That doesn't mean there are not valid use cases for layer 2 filtering.
 
I don't understand this statement/terminology.

There are actually 3 SSIDs:

One is the normal EAP/PEAP based SSID that would associate with vlanNormal.

Then there's one that is PSK based and would associate with vlanGuest.

There are APs out there that can bind a VLAN to a specific SSID - so one can have two (or more) SSIDs, each bound to a specific VLAN - and then you can apply routing choices (and policies even) on each one of the VLANs

It's a very handy function to have - that way the untrusted IoT things might be on one SSID/VLAN and not interact at all with the other VLANs on the local side of the router - same with the Android Tablet, where it can be put on another SSID, where that VLAN may have access time/quotas/etc as defined by policy, and then the primary SSID/VLAN for the trusted computers, etc...

It's pretty similar to what you would see in hotels and the like - where one SSID/VLAN is for the guests in their rooms/common areas, one for the environmental controls (which we see more and more) and one for employee access and business needs of the hotel.

This functionality is software based - QC-Atheros and Broadcom chipsets support this natively, but the functionality is usually not exposed to a large extent in most factory firmware - third party firmware might support it, you'd need to check there, but this is a common function in most business focused Wireless Access Points, so it's something to check into - with the scope and capability of the rest of your planned network, this is the last item that might be considered - and it would be a pretty flexible and capable network in any event.
 