I am currently thinking about a new feature and want to know, if this is usefull for other users as well.
I have a LAN/WLAN network, protected by ipfire. I assign ips to my local devices using the dhcp server on my ipfire device. I configured all known devices to have a static IP by using dhcp reservations. So all new devices, that show up in my network are unknown devices.
I am also monitoring my local network with pi.alert, which runs within a docker container on another internal server. So I get informed automatically, whenever a new device joins lan or wifi.
I am thinking about blocking these devices automatically until they are assigned a dhcp reservation.
What is the easiest way for implementing this?
The issue is with devices, that maintain their ip address locally. So I can not forbid access to red in general.
I hope, I explained it clear enough.
Thanks in advance vor any help or hint!
I know what you are trying to do but i think there is no way to block communication on green since the clients are connected to a switch and the traffic won’t go through ipfire at all. Also it’s easy to locate “open” IP addresses for GREEN and BLUE.
I do the same as you do and put unknown clients to a subnet that is not allowed to communicate to the internet or any other network as long as the traffic goes through ipfire. But the problem of spoofing IPs still exists.
To solve that issue it’s required to do some kind of authenfification for example using voucher codes to grand access to the network but the feature for BLUE of ipfire does not support MAC binding so it’s not working.
If you only want devices with reserved IP’s to get an address then just make the dhcp dynamic range blank on green. Then any new machine with a new mac address will not be given an IP.
Someone could of course still spoof a mac address if they know the mac address of an allowed machine but if you have people on your network trying to do that then you have a different type of problem.
The spoofing problem shows up more or less clearly. Because ethernet traffic uses the MAC addresses as sender/receive id, there arise problems in communication. The protocol assumes a uniqueness of the MAC ( in theory for the internet as a whole ), communications between two devices are unreliable. IP packets to the doubled MACs are handled by two different devices. It depends on load in these devices who responds first.
No for zero trust it needs a propper and comfortable solution for validating authorized network members. This must not only be hardware related, because the same hardware may run different OS.
Also the personnel needs to authorize, just like it’s done with the Captive Portal.
This sounds like a good idea, but the issue is, that I have 3 different access point over the building. And these access points handle wifi but assign the ips using the dhcp server of my ipfire. Maybe I need to block the devices on the access points. But that is something completely different.
This is some sort micro segmentation. Yes, I would like to have that on my server, but I have to implement this on the server instead of the firewall. Otherwise all traffice has to be forced through my ipfire gateway. Which could only be implemented by segmenting the LAN. And this means bying new hardware, which is capable of vlans… Well at least not right now…
I think I will define the not served dhcp leases to be part of a certain firewall group and block communication to red for that group.
Not exactly what I wanted, but a working approach.
Thanks to all for the hints!!!
BR,
Sumpi