Topic: how to block unknown IPs on LAN? (Read 1184 times)
gnomegemini
Newbie
Posts: 1
Karma: 0
how to block unknown IPs on LAN?
« on: May 05, 2022, 07:44:34 am »
Hey there,
I just want to block any client not known to the DHCPv4 service. So I add a machine to DHCPv4 with its MAC and this is OK. But I want to block all other machines not listed in DHCPv4 services.
Do I really need to add a "block all but a,b,c,d not" rule and add another IP every time or is there any way to "combine" it like "block all except the ones with DHCPv4 lease"?
Any help is very much appreciated.
Kind regards
Stefan
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: how to block unknown IPs on LAN?
« Reply #1 on: May 05, 2022, 05:53:41 pm »
Static ARP option is likely the best to go.
EdwinKM
Full Member
Posts: 155
Karma: 5
Re: how to block unknown IPs on LAN?
« Reply #2 on: May 05, 2022, 09:46:47 pm »
Not tested. But this is not intended as security. If a person sets a static IP (in the range) it will probably just work.
zerwes
Full Member
Posts: 125
Karma: 8
Re: how to block unknown IPs on LAN?
« Reply #3 on: May 06, 2022, 09:29:46 am »
In fact this is rather a LAN security option (dot1x) and not the job of the firewall, as it would be the best to block access to the LAN for unknown clients first, stopping them on the firewall level is in fact too late and IMHO not really doable ... you can try to read the lease file into an alias and then just allow traffic from this alias but this assumes that all clients release their lease and you have a short lease time ... I would not go for this.
If your switch(es) are dot1x capable, OPNsense has a FreeRADIUS plugin (I never used it, I prefer to have such services outside of the firewall).
If you implement dot1x I would not just go by a MAC filter, as MACs can easily be changed, you should go at least for EAP-TLS ... but that is beyond the scope of this.
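The lease-file-to-alias idea from reply #3, sketched as an added example (not code from the thread or from OPNsense): it parses lease-file text and returns the IPs whose latest record is active and unexpired. It assumes the ISC dhcpd.leases format with UTC timestamps; the sample leases and the helper name `active_leases` are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases format (not from the thread).
SAMPLE_LEASES = """\
lease 192.168.1.100 {
  ends 4 2022/05/05 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.101 {
  ends 4 2022/05/05 08:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.102 {
  ends 4 2022/05/05 09:30:00;
  binding state active;
}
lease 192.168.1.102 {
  ends 4 2022/05/05 07:45:00;
  binding state free;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)

def active_leases(text, now):
    """Hypothetical helper: IPs whose latest record is active and unexpired at `now`."""
    latest = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        ends = ENDS_RE.search(body)
        # No dated "ends" line (e.g. "ends never;") is treated as a lease with no expiry.
        expiry = (datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")
                  .replace(tzinfo=timezone.utc) if ends else None)
        # dhcpd appends records, so a later record for the same IP supersedes earlier ones.
        latest[ip] = (state.group(1) if state else "unknown", expiry)
    return sorted((ip for ip, (st, exp) in latest.items()
                   if st == "active" and (exp is None or exp > now)),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    now = datetime(2022, 5, 5, 8, 30, tzinfo=timezone.utc)  # constructed "current time"
    print("\n".join(active_leases(SAMPLE_LEASES, now)))  # one IP per line, for an alias
```

An address stays in the result until its lease ends or a release is recorded, and the list matches on IP only, which is the limitation replies #2 and #3 point out.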