Is there a way to emulate a "quarantine zone"?

Started by dark_croquetta, Today at 06:21:10 AM

I am a recent adopter of OPNsense, so I apologize if this has been discussed already under a different name, and/or if it would be considered outside the scope of OPNsense.

I would like to have a "quarantine zone" where new devices would first fall into a VLAN that has no internet access, then can be assigned a different VLAN which would give them tailored access. My motivation is dealing with client devices that randomize MAC addresses while releasing/renewing IPs. I want different types of clients to have different firewall rules applied to them. With the ability to spoof MAC addresses, it seems like relying on subnet rules makes more sense.

My OPNsense router has a Unifi switch connected to it, which in turn has an Omada AP connected to that. I understand that such a solution probably requires support across the hardware stack, but I am still a bit lost at where to start. Does anyone have any pointers about implementing such a solution?

What you are looking for is outside the scope of OPNsense, because it has to happen on the network access layer. The only thing OPNsense can provide is the VLANs themselves and a FreeRADIUS inventory for your devices.

The standard is IEEE 802.1x, but you need to have a switch or AP that conforms to it. Also, you need either certificates on all of your clients in order to be able to identify them or you rely on their MACs to sort them into different VLANs. As you already know, MACs can be spoofed.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
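As an added example (not from any poster in this thread, and not the OPNsense plugin's generated configuration), this is what the MAC-based sorting described above looks like in a FreeRADIUS `users` file: two known MACs are assigned their tailored VLAN, and the `DEFAULT` entry drops every unknown device into a quarantine VLAN that the OPNsense firewall rules keep off the internet. The MAC addresses, the VLAN IDs 10/20/99, the file path and the MAC-as-username format are constructed assumptions; the switch or AP has to support 802.1X with MAC authentication bypass and honour the RFC 3580 tunnel attributes, and the exact username format (hex with dashes, colons or none; upper or lower case) differs by vendor.

```text
# /usr/local/etc/raddb/users  (FreeRADIUS 3 on FreeBSD/OPNsense; path is an assumption)
# MAC authentication bypass: the switch sends the client MAC as User-Name
# (and normally as User-Password as well). The dashed lower-case format used
# here is an assumption; confirm what your switch really sends by watching
# the access request in "radiusd -X" debug output.

# Constructed example: a known printer is placed in the IoT VLAN 20
00-11-22-33-44-55   Cleartext-Password := "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Constructed example: a trusted laptop is placed in the LAN VLAN 10
aa-bb-cc-dd-ee-ff   Cleartext-Password := "aa-bb-cc-dd-ee-ff"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Every other MAC: accept the port, but assign the quarantine VLAN 99.
# On OPNsense, VLAN 99 gets firewall rules that allow only DHCP/DNS (and the
# captive portal, if used) and block the internet and the other VLANs.
DEFAULT             Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"
```

Entries are matched top to bottom, so the `DEFAULT` line must stay last. You can check the mapping without a switch using the `radtest` tool that ships with FreeRADIUS (`radtest 00-11-22-33-44-55 00-11-22-33-44-55 127.0.0.1 0 <shared-secret>` should return an Access-Accept carrying `Tunnel-Private-Group-Id = "20"`). Because the decision is per MAC, the caveat from the post above still applies: a device that randomizes its MAC simply lands in VLAN 99 until you add it, and a cloned MAC inherits the VLAN of the device it copies, which is why certificate-based 802.1X (EAP-TLS) is the stronger option where the clients support it.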

A way on layer 3 to attach some sort of identity to a device is using the Captive Portal, but every client needs their own unique voucher. The portal can then track clients via IP address and it's all firewall-rule based. But it will never be VLAN based.
Hardware:
DEC740

Well something like this can be done with ZenArmor.

It has a functionality where by default you block access for all new/untrusted devices. Only after you tag them as trusted do they have access to the Internet. But ZA may not be the right choice for you.

I agree here that the way it should be done is over the access layer using 802.1x.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: meyergru on Today at 11:49:18 AM
The standard is IEEE 802.1x, but you need to have a switch or AP that conforms to it.

There is a slightly less complex but Cisco-proprietary protocol named VQP (VLAN Query Protocol) by which switches ask a VMPS (VLAN Membership Policy Server) for VLAN assignment based on MAC address. Of course a default VLAN can be defined with e.g. a guest access policy.

VMPS can be FreeRADIUS, OpenVMPS or similar. Needs Cisco brand switches, though, and do check the feature set before buying.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: dark_croquetta on Today at 06:21:10 AM
My motivation is dealing with client devices that randomize MAC addresses while releasing/renewing IPs.
I hate that crap too! :(

Quote
My OPNsense router has a Unifi switch connected to it, which in turn has an Omada AP connected to that.
Check your UniFi Controller for something similar to this:
Quote from: Patrick M. Hausen on Today at 06:30:23 PM
There is a little less complex but Cisco proprietary protocol named VQP (VLAN Query Protocol) by which switches ask a VMPS (VLAN Membership Policy Server) for VLAN assignment based on MAC address. Of course a default VLAN can be defined with e.g. guest access policy.

VMPS can be FreeRADIUS, OpenVMPS or similar. Needs Cisco brand switches, though, and do check the feature set before buying.
They have introduced something like that (if I understood it correctly at the time... it wasn't really interesting because I knew I would leave their ecosystem at some point, either partially or completely...) in either 2024 or 2025, and it looked more like the stuff real controllers do, like the ones from Cisco/HPE/Ruckus and other similar brands.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Unifi officially supports 802.1x in some switches, however, beware of this (still unfixed) bug, which effectively makes it unusable on some of the newer Unifi switches (it seems to be a chipset bug that lies somewhat outside their control):

https://forum.opnsense.org/index.php?topic=45429.0
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+