Pfsense - Network design with port security

Hey all!

As this is my first post, I’d like to thank Tom/Lawrence Tech for their awesome videos on Youtube. It was my main motivator to start playing with Pfsense.

I wonder how possible the following scenario is. I’d like to implement some form of port security with Pfsense. I imagine I would need the following networks:

  • management LAN (untagged)
  • Trusted VLAN (10)
  • Voice VLAN (20)
  • Untrusted VLAN (30)

If I have a room where wired access is available and anyone can plug/unplug random devices I’d like them to end up on the correct VLAN. I imagine implementing 802.1x with Radius is a must, as well as LLDP, but will that work on the same switch port? Will it evaluate the connection like this:

LLDP -> IF phone = VLAN 20 -> IF not -> Radius -> IF auth=1 -> VLAN 10 -> IF auth=0 -> VLAN 30

Maybe I’m approaching this in the wrong manner, how would you handle port security in a place where anything can get plugged in?

Any advice appreciated!
Cheers!
B.

All ports are either turned off or set to the untrusted network unless needed. Turning them off is best unless there is a reason to have them on.

One scenario I would bring up is if someone were to switch out an existing device for another one. A quick capture in promiscuous mode and you’ll see the broadcast traffic needed to know what network is running on that port/VLAN. If DHCP is running, well you just have to plug in.

To protect your network from this, my recommendation would be to configure MAC address filtering for existing devices and require 802.1x authentication for VLAN10 and 20. If authentication fails, set the port to default to VLAN30. Also, I would put all your mgmt interfaces on a VLAN other than VLAN1.

Thanks for the input!

It’s mainly to protect against unplugging existing devices, like Fred mentioned. I’m setting this up in my lab for testing.

I have one client I recently took over that has a large machine shop where the machines are on their own VLAN and there are some VoIP deskphones in use that end up on the VoIP VLAN using LLDP. Random outside techs come in and need (wired) internet and would either plug into a free port (that really should be turned off) or just unplug a machine or a phone and end up on the VLAN for the machines. Now, most of those machines don’t support 802.1x, so I need to be able to get them on the Trusted network. The phones do support it, so that would be easy to configure. Radius with MAC address auth for the machines?

For the machines, just turn on mac address filtering on the port they plug into or in the Cisco world we call it sticky mac.

Any links to utilizing 802.1x or good how-tos? This would be another way to get the port level security that some folks need.

I would look at your switch vendor’s documentation, and an easy RADIUS server to set up with it would be on Windows Server.

MAC address filtering wouldn’t assign a working but different VLAN if something isn’t on the filtered list though, would it? Maybe I should look at something like https://packetfence.org/, I think that would allow very fine grained control.

MAC address filtering would be something to use on systems that don’t support 802.1x. For systems that do support 802.1x, I would require that authentication.
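As an added worked example (not code from this thread, from pfSense, or from PacketFence), here is a small Python model of the RADIUS authorization policy the thread converges on: 802.1X for devices that support it, MAC-based authentication (what Cisco calls MAB) against an allow-list for the machine-shop gear that cannot do 802.1X, and everything else placed on the untrusted VLAN rather than left with no VLAN at all. It returns the RFC 3580 tunnel attributes a switch uses for dynamic VLAN assignment, which is how a RADIUS server answers the question raised about MAC filtering alone not being able to assign a different VLAN. The usernames, passwords, MAC addresses and VLAN numbers are constructed sample data; a real deployment would back this with EAP-TLS certificates or a directory, not a dictionary.

```python
"""
Toy RADIUS authorization policy for dynamic VLAN assignment (added example).

Decision flow modelled here:
  1. Request carries EAP (802.1X) and credentials are valid -> Trusted VLAN 10,
     or Voice VLAN 20 when the account belongs to a phone.
  2. No supplicant: MAC Authentication Bypass (MAB) looks the MAC up in an
     allow-list of legacy devices that cannot do 802.1X -> their VLAN.
  3. Unknown MAC -> Untrusted VLAN 30 (guest-level access, never "no VLAN").
All identities and addresses below are constructed, not real.
"""
import re
from dataclasses import dataclass
from typing import Optional

TRUSTED_VLAN, VOICE_VLAN, UNTRUSTED_VLAN = 10, 20, 30

# Constructed 802.1X accounts (a real deployment uses EAP-TLS or a directory).
DOT1X_USERS = {"alice": "correct-horse", "phone-0001": "phone-secret"}
VOICE_USERS = {"phone-0001"}
# Constructed MAB allow-list: canonical MAC -> VLAN, for devices without 802.1X.
MAB_DEVICES = {"00:11:22:33:44:55": TRUSTED_VLAN, "00:11:22:33:44:66": TRUSTED_VLAN}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Switches send the MAC in MAB requests in vendor-specific formats
    (aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff). Canonicalize to
    lowercase colon-separated so the allow-list lookup is exact, and return
    None for anything that is not a MAC so it can never match the list."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AccessRequest:
    username: str
    password: Optional[str] = None
    eap: bool = False   # True when the request carries an EAP-Message (802.1X)
    mab: bool = False   # True when the switch sent a MAC Authentication Bypass request


def vlan_attributes(vlan: int) -> dict:
    """RFC 3580 attributes that tell the switch which VLAN to place the port in."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-Id": str(vlan),
    }


def authorize(req: AccessRequest) -> dict:
    """Return the RADIUS reply: Access-Accept with VLAN attributes, or Access-Reject.
    Bad 802.1X credentials are rejected (the switch then applies whatever
    auth-fail VLAN it is configured with); an unknown MAC is accepted onto the
    untrusted VLAN, which is the fail-to-guest behaviour the thread describes."""
    if req.eap:
        expected = DOT1X_USERS.get(req.username)
        if expected is not None and req.password == expected:
            vlan = VOICE_VLAN if req.username in VOICE_USERS else TRUSTED_VLAN
            return {"code": "Access-Accept", "reason": "802.1X", **vlan_attributes(vlan)}
        return {"code": "Access-Reject", "reason": "802.1X credentials invalid"}

    if req.mab:
        mac = normalize_mac(req.username)
        vlan = MAB_DEVICES.get(mac) if mac else None
        if vlan is not None:
            # A MAC address is trivially copied, so MAB only pins known legacy
            # gear to its VLAN; it does not prove the device's identity.
            return {"code": "Access-Accept", "reason": "MAB allow-list", **vlan_attributes(vlan)}
        return {"code": "Access-Accept", "reason": "unknown MAC -> untrusted",
                **vlan_attributes(UNTRUSTED_VLAN)}

    return {"code": "Access-Reject", "reason": "unsupported request type"}


if __name__ == "__main__":
    for r in (AccessRequest("alice", "correct-horse", eap=True),
              AccessRequest("phone-0001", "phone-secret", eap=True),
              AccessRequest("0011.2233.4455", mab=True),
              AccessRequest("DE-AD-BE-EF-00-01", mab=True),
              AccessRequest("alice", "wrong", eap=True)):
        print(r.username, "->", authorize(r))
```

The point of normalizing the MAC before the lookup is that a switch's MAB request formats the address differently from how an admin types it into the allow-list; without canonicalization a legitimate machine silently lands on the untrusted VLAN and looks like a failed attack. Keeping the allow-list small and reserved for devices that genuinely lack a supplicant is the mitigation the last reply recommends, since a MAC match is a weak assertion compared with 802.1X.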