Static lease bypass on OPNsense

Started by narsaw, March 24, 2025, 01:59:22 AM

I have a PC that I assigned a static lease via its MAC address. This works great; the PC is allocated the correct IP address (192.168.66.150) based on my settings.
However, I just found out that anyone who has access to this Windows 11 PC can assign the PC a different static IP address (say 192.168.66.200) and bypass whatever firewall rules I have in place based on the IP I assigned via the static lease.

Is there a way to tell OPNsense that a MAC address can only be assigned the static lease ip address and ignore any other address request?

If you don't trust a computer (or its operator) then you need to put it in a separate VLAN. That means that its access is configured on the switch and the firewall no matter what happens on the machine.

Only administrators or members of the "Network Configuration Operators" group can change the network settings in Windows. Do not give users elevated rights either, as a second precaution in addition to the separate VLAN.
Hardware:
DEC740

Quote from: narsaw on March 24, 2025, 01:59:22 AM
Is there a way to tell OPNsense that a MAC address can only be assigned the static lease ip address and ignore any other address request?
What the others said is: no you can't do that.

The static mapping makes sure the DHCP server assigns a specific IP to a client/MAC address.

But the client can give itself any IP address it wants, if the user has enough rights to do so. Further, a user with enough rights can also spoof the MAC address, and with that the DHCP server assigns it another IP address.
Deciso DEC740
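The mismatch described above (a MAC with a static mapping showing up on the network with a different IP) is at least visible from the firewall's ARP table. The following is an added detection example, not code from the thread or from OPNsense: it parses constructed FreeBSD `arp -an` style lines and compares them against a constructed MAC-to-IP static mapping table; the sample addresses and interface name are assumptions.

```python
import re

# Constructed sample of FreeBSD `arp -an` output as seen on the firewall.
# The "permanent" entry is the firewall's own VLAN interface address.
ARP_OUTPUT = """\
? (192.168.66.1) at 00:aa:bb:cc:dd:01 on vlan0.66 permanent [vlan]
? (192.168.66.200) at 00:aa:bb:cc:dd:50 on vlan0.66 expires in 1185 seconds [vlan]
? (192.168.66.151) at 00:aa:bb:cc:dd:51 on vlan0.66 expires in 900 seconds [vlan]
? (192.168.66.177) at 00:aa:bb:cc:dd:99 on vlan0.66 expires in 600 seconds [vlan]
"""

# Constructed static DHCP mappings (MAC -> IP the DHCP server would hand out).
STATIC_LEASES = {
    "00:aa:bb:cc:dd:50": "192.168.66.150",
    "00:aa:bb:cc:dd:51": "192.168.66.151",
}

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)")


def parse_arp(text):
    """Yield (ip, mac, interface) for each neighbour entry, skipping local addresses."""
    for line in text.splitlines():
        if "permanent" in line:  # the firewall's own interface, not a client
            continue
        m = ARP_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["ifname"]


def find_lease_mismatches(arp_text, static_leases, iface=None):
    """Flag clients whose live IP differs from their static lease or whose MAC is unknown.

    Returns a list of tuples: ("ip-mismatch", mac, seen_ip, expected_ip)
    or ("unknown-mac", mac, seen_ip). Restrict to one interface with iface=.
    """
    findings = []
    for ip, mac, ifname in parse_arp(arp_text):
        if iface and ifname != iface:
            continue
        expected = static_leases.get(mac)
        if expected is None:
            findings.append(("unknown-mac", mac, ip))
        elif expected != ip:
            findings.append(("ip-mismatch", mac, ip, expected))
    return findings


if __name__ == "__main__":
    for finding in find_lease_mismatches(ARP_OUTPUT, STATIC_LEASES):
        print(*finding)
```

This only catches a changed IP; as the post says, a spoofed MAC would simply look like a different, valid client, which is why the enforcement belongs on the VLAN and not on the address.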

A determined attacker can overcome OS and configuration changes, or simply plug the network cable into another device to thwart restrictions based on IP address.

https://en.wikipedia.org/wiki/Evil_maid_attack (apologies for the implied sexism)

There are some layer 2 switches with layer 3 filtering. But as others already wrote: devices of different trust belong in different zones (VLANs or equivalent). One should never rely on IP address based filtering for local systems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Neither should you trust MAC-based filtering, because that could be changed as well with full access to the machine.

I even saw a guy circumvent 802.1x by dumping the content of the disk and using it as a VM.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Because the machine with that disk had access to another Wi-Fi network?

Wired VLANs are not going to be much of a hurdle if the malicious user has physical access to less restricted access ports.
Only disclosing the password of a VLAN confined Wi-Fi SSID might have better chances of success.

The machine is on a separate VLAN; the determined attacker is a smart 12-year-old. Currently he does have admin privileges on the PC, mostly for convenience for me (having to constantly enter the admin password for installs, etc.).

It seems the choices are 1) remove admin privileges from the PC, 2) think of other ways to block internet access that do not rely on MAC->IP->Rules, as MAC-based filtering cannot be trusted, as my post indicates.

Has anyone overcome this issue, particularly when dealing with kids' access?

If it's a separate VLAN just create your rules with source "any" for that VLAN. That's exactly the point of all the arguing back and forth.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)