OPNsense Forum

English Forums => General Discussion => Topic started by: ionutul on March 23, 2023, 05:58:19 PM

Title: Stopping users highjacking IPs
Post by: ionutul on March 23, 2023, 05:58:19 PM
Hello,

From a security point of view with OPNsense, what is the best way to stop users assigning themselves IPs in a /24 VLAN?

I have a /24 local network that has a 1:1 NAT to a public /24 subnet. I'm planning to host a few VPS on that network and each VPS will be owned by a different client. I always thought that nothing can stop a client from assigning themselves as many local IPs as they wish. Having an ARP table and allowing only specific MAC/IP pairs to have access to the network is one solution but I'm feeling that this might not be the best one.

What would you do in my case? How can I properly do this IP management?
Title: Re: Stopping users highjacking IPs
Post by: bartjsmit on March 24, 2023, 08:51:23 AM
Lock down their desktops with a central policy manager - i.e. GPO for Windows workstations and tie DHCP leases to their MAC address.

However, it sounds like some of your clients are in fact servers. In that case segregate those to a separate VLAN. That shifts the management to the network switch and restricts access (from local clients) to your servers.

The majority of security incidents originate from the inside.

Bart...
Title: Re: Stopping users highjacking IPs
Post by: ionutul on March 24, 2023, 07:02:00 PM
Thanks so much for the great info.

Indeed, every client will be a unique server. I already created a child VLAN to my LAN that separates them from my machines, firewall included. The issue I'm facing is mostly about how I can better isolate the servers from each other, 10.20.30.5 to 10.20.30.6 for example.

Creating a unique VLAN for every single client sounds like an automation nightmare.
Title: Re: Stopping users highjacking IPs
Post by: bartjsmit on March 24, 2023, 09:40:17 PM
Quote from: ionutul on March 24, 2023, 07:02:00 PM
The issue I'm facing is mostly about how I can better isolate the servers from each other, 10.20.30.5 to 10.20.30.6 for example.

You can't do that on the firewall since none of the traffic will go through it. Hosts on the same subnet will always communicate directly through ARP. The only way you can force the traffic through the firewall is to have hosts on different subnets with the firewall as the common (default) gateway.

To avoid having a switch for each subnet, your best bet is to have a VLAN for each. They also can't share a /24 since they need separate subnets.

You may want to rethink your network architecture or abandon plans to control the traffic internally.

Sorry,

Bart...
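The split Bart describes above, as an added Python example (not from the thread and not OPNsense code): carve the private /24 into one subnet and one VLAN per client, give the firewall the first address of each subnet as gateway, and check whether a given pair of addresses would be routed through the firewall or exchanged directly on the switch via ARP. The block, the /29 subnet size and the VLAN numbering are constructed assumptions.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple


class ClientNet(NamedTuple):
    client: str
    vlan_id: int
    network: IPv4Network      # this client's own subnet
    gateway: IPv4Address      # the firewall's address inside that subnet
    hosts: List[IPv4Address]  # addresses left for the client's VPS


def carve_per_client_subnets(block: str, clients: List[str],
                             new_prefix: int = 29,
                             first_vlan: int = 100) -> List[ClientNet]:
    """Split one private block into a subnet per client, one VLAN each.

    The firewall takes the first usable address of every subnet as the
    gateway, so anything one client sends to another client's subnet has
    to cross the firewall and can be filtered there.  Values are assumed.
    """
    subnets = list(IPv4Network(block).subnets(new_prefix=new_prefix))
    if len(clients) > len(subnets):
        raise ValueError(f"{block} only yields {len(subnets)} /{new_prefix} subnets")
    plan = []
    for i, (client, net) in enumerate(zip(clients, subnets)):
        usable = list(net.hosts())
        plan.append(ClientNet(client, first_vlan + i, net, usable[0], usable[1:]))
    return plan


def crosses_firewall(src: str, dst: str, plan: List[ClientNet]) -> bool:
    """True when src must send dst via its gateway (firewall can filter).

    False when both addresses sit in the same subnet: src ARPs for dst and
    the switch forwards the frame directly, so the firewall never sees it.
    """
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    src_net = next(p.network for p in plan if src_ip in p.network)
    return dst_ip not in src_net


if __name__ == "__main__":
    flat = carve_per_client_subnets("10.20.30.0/24", ["everyone"], new_prefix=24)
    print("flat /24, .5 -> .6 via firewall:", crosses_firewall("10.20.30.5", "10.20.30.6", flat))
    plan = carve_per_client_subnets("10.20.30.0/24", ["client-a", "client-b", "client-c"])
    for p in plan:
        print(f"VLAN {p.vlan_id} {p.client}: {p.network} gw {p.gateway} hosts {p.hosts[0]}-{p.hosts[-1]}")
    print("carved, .5 -> .10 via firewall:", crosses_firewall("10.20.30.5", "10.20.30.10", plan))
```

In the flat /24 the thread's example pair (.5 and .6) never touches the firewall; after carving, a host in client-a's /29 reaching client-b's /29 is routed via the gateway, where OPNsense rules apply.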