Pfsense Rules to block access to webconfigurator

Hi all:

We use Pfsense for dhcp. We’d like to block computers registered in dhcp from reaching the pfsense webconfigurator. We’d also like a rule to block the same dhcp registered computers from talking to another resource on this port 9443.

Can you help with a pfsense rule template?

If I interpret your question correctly, what you want is to allow access to the web configurator from all hosts in a specific network except for ones who got addresses assigned by DHCP. This can be done by creating an allow rule, inverting the source and setting the IP range of the DHCP pool as the source. This will only work directly if your DHCP pool range is expressible as a CIDR range, which might not be the case. For example, if your DHCP range is set from 192.168.1.100 to 192.168.1.254, there is no CIDR notation that captures exactly this range. As a workaround (other than setting your DHCP range to something that is expressible in CIDR notation), you can create an alias of type “hosts” and add a single entry like “192.168.1.100-192.168.1.254”. pfsense will expand this notation to the matching individual entries. You can then use the alias as the inverted source for the allow rule.

I will suggest, however, that you rethink your requirements. While what you asked for can be done as explained above, it does in my opinion not provide much security on its own. Unless your switches / APs implement additional security measures like DHCP snooping and IP source guard, a rogue client can simply circumvent DHCP altogether and use a static IP outside the DHCP pool.
If it’s feasible, from my point of view it is preferable to create an entirely different network for management devices and allow access to the web configurator only from that network.

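As an added illustration of the answer above (this is not code from the original thread and not part of pfSense itself), the following Python script models the inverted-source rule with the pool expressed as a "hosts" alias range, and shows the two points made in the reply: a start/end pool range usually does not collapse to a single CIDR block, and a host that simply picks a static address outside the pool still matches the allow rule. The addresses, ports and rule order are assumptions (a 192.168.1.0/24 LAN, pool 192.168.1.100-192.168.1.254, the firewall at 192.168.1.1 with the webConfigurator on 443, the second resource at 192.168.1.20:9443, and a pass rule with inverted source followed by a block for the GUI port and a block for port 9443, ahead of the stock "Default allow LAN to any" rule); adjust them to your own network. The evaluator follows pfSense's first-match order on an interface tab.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, List

# Constructed values for the example; change to match your own LAN.
DHCP_POOL_START = "192.168.1.100"
DHCP_POOL_END = "192.168.1.254"
FIREWALL_LAN_IP = "192.168.1.1"     # assumption: pfSense LAN address
WEBGUI_PORT = 443                   # assumption: webConfigurator on HTTPS/443
OTHER_RESOURCE_IP = "192.168.1.20"  # assumption: the other server on 9443
OTHER_RESOURCE_PORT = 9443


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Minimal set of CIDR blocks covering start..end.

    A pool like .100-.254 needs several blocks, which is why the reply
    suggests a 'hosts' alias with a range entry instead of a CIDR.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]


def expand_hosts_alias(entry: str) -> Set[str]:
    """Expand a 'hosts' alias entry ('a.b.c.d-a.b.c.e' or a single IP)
    into individual addresses, the way pfSense expands such an alias."""
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}
    return {str(ipaddress.ip_address(entry))}


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src_alias: Optional[Set[str]] # None = any source
    invert_src: bool              # True = "not" on the source (GUI invert match)
    dst_ip: Optional[str]         # None = any destination
    dst_port: Optional[int]       # None = any port


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    if rule.src_alias is not None:
        in_alias = src_ip in rule.src_alias
        # Normal rule matches when the source is in the alias;
        # inverted rule matches only when it is NOT in the alias.
        if in_alias == rule.invert_src:
            return False
    if rule.dst_ip is not None and dst_ip != rule.dst_ip:
        return False
    if rule.dst_port is not None and dst_port != rule.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins (pfSense interface rules are 'quick');
    nothing matching means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, dst_port):
            return rule.action
    return "block"


# Alias of type "hosts" with one range entry, expanded as pfSense would.
DHCP_POOL = expand_hosts_alias(f"{DHCP_POOL_START}-{DHCP_POOL_END}")

# Assumed LAN rule order (top to bottom).
LAN_RULES = [
    Rule("pass",  DHCP_POOL, True,  FIREWALL_LAN_IP,   WEBGUI_PORT),         # !dhcp_pool -> GUI
    Rule("block", None,      False, FIREWALL_LAN_IP,   WEBGUI_PORT),         # everyone else -> GUI
    Rule("block", DHCP_POOL, False, OTHER_RESOURCE_IP, OTHER_RESOURCE_PORT), # pool -> :9443
    Rule("pass",  None,      False, None,              None),                # default allow LAN to any
]


def static_ip_outside_pool_reaches_gui(src_ip: str = "192.168.1.50") -> bool:
    """The caveat from the reply: a client that ignores DHCP and uses a
    static address outside the pool is not in the alias, so it passes."""
    return evaluate(LAN_RULES, src_ip, FIREWALL_LAN_IP, WEBGUI_PORT) == "pass"


if __name__ == "__main__":
    print("pool as CIDRs:", range_to_cidrs(DHCP_POOL_START, DHCP_POOL_END))
    print("pool host -> GUI:", evaluate(LAN_RULES, "192.168.1.150", FIREWALL_LAN_IP, WEBGUI_PORT))
    print("pool host -> :9443:", evaluate(LAN_RULES, "192.168.1.150", OTHER_RESOURCE_IP, OTHER_RESOURCE_PORT))
    print("static host -> GUI:", evaluate(LAN_RULES, "192.168.1.50", FIREWALL_LAN_IP, WEBGUI_PORT))
```

Running it shows the pool splitting into ten CIDR blocks, pool hosts being blocked from the GUI port and from 192.168.1.20:9443 while other traffic still passes, and the static host at 192.168.1.50 reaching the GUI, which is the gap DHCP snooping, IP source guard, or a separate management network would close.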

Thank you @paolo. We plan to move these devices to another network. Thanks again for your suggestion. May have follow-up questions.