Linking and limiting IP, MAC and identity in a wifi session

Is there a way to lock IP, MAC and identity together during a wifi session?
The user story I would like to avoid goes like this:
An IoT device I connect up is given wifi credentials and connects; I force it to have an IP address and build some firewall rules so it can only access the outside world.
It then reboots, changes its MAC and makes up an IP address to land outside of the firewall rules.

I would like to be able to create firewall rules related to the authenticated device rather than just an IP address. I would be happy to have these generated at authentication, so that the authentication request sets up the MAC in DHCP to provide the IP to the client and prevents the client from using any other IP, then filters the new IP through to the firewall rules.

The stage after that would be to have a nice user interface for generating new authentication details for guests so that they can be added without heavy lifting, then popping an authenticated guest into the printers group would give them printing etc.

So my questions are: how much of this is possible already, what do I use to achieve this, and if it is not available, where do I start looking to add the function?

Thank you,
Chris.

Before you suggest VLANs, that is what I am using, and the number of times I have to create a new VLAN for a special case has exceeded the number of SSIDs I would like to have. I am starting to feel that each device should have its own network. Which makes me think each network should be smarter.

You have the option "Isolate Clients" in Wireless (Advanced) settings, which should "prevent client-to-client communication" for all WLAN devices.


Yes, I do use this, but that breaks simple things like letting a guest use a printer.
Some devices do need to talk to each other: Sonos and Amazon Echo devices need local comms so they can synchronize multi-room music. But I would far rather the two devices could not talk to each other on the local network. In my case the Echo devices are on one VLAN, the Sonos on another and my guests are on another. I have some guests that have such terrible personal IT hygiene skills that I would always want them to have no access to anything, not even my printer, where others I might want to give a bit more to.
The limits really do need to be device/user specific and not VLAN specific to make things sane from an administrator's point of view.

When a device changes its MAC, how do you propose to know it's the same device as before?

Basically I think you need to design your VLANs for degree of access, and just have a few different degrees. For example my IP cameras can't route to the internet at all and can't even look up DNS.

Then my guest network can't route to my main LAN at all, can't talk to the router except DHCP, has access to the internet at limited bitrate. But anyone near my house can use it password free.

Then my main LAN requires enterprise security instead of pre-shared keys, has full access, and only my family has accounts.


The authentication details used should be the thing that limits the IP and MAC, i.e. no matter what IP and MAC are used, those are what gets linked to the firewall rule for the authenticated device/user.

You could see if WPA2-EAP with a RADIUS server would work for you. Make a VLAN for all the things and then use the RADIUS server results to change ipsets on the fly?

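What the "RADIUS result changes the firewall on the fly" idea above could look like on an OpenWrt router, as an added example that is not code from this thread, from OpenWrt or from hostapd. It takes the EAP identity of a station that hostapd has just authorised, looks it up in a small policy table (constructed here), and binds that identity to exactly one MAC address and one fixed IPv4 address in two places: an nftables verdict map in the fw4 table, so only that MAC+IP pair is forwarded and anything else from the SSID is dropped, and a dnsmasq `dhcp-hostsfile` reservation so DHCP hands out that address. The table, map and chain names, the interface name, the file path, the `dot1xAuthSessionUserName` field used to read the identity and the policy contents are all assumptions; the script runs in dry-run mode by default and prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from this thread, OpenWrt or hostapd: bind an
# 802.1X identity to one MAC and one fixed IPv4 address, enforced by
# nftables (fw4) and by a dnsmasq reservation. Names, paths and the policy
# table below are assumptions chosen for illustration.

FAMILY=inet; TABLE=fw4                        # assumption: OpenWrt's fw4 table
WLAN_IF="${WLAN_IF:-wlan0}"                   # assumption: the 802.1X SSID interface
DHCP_HOSTS="${DHCP_HOSTS:-/tmp/8021x-hosts}"  # file named in dnsmasq --dhcp-hostsfile
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

# Constructed policy: identity, group (an nft chain holding that group's
# rules), and the fixed IPv4 address the identity is allowed to use.
POLICY='
sonos-1    media  192.168.1.20
echo-1     media  192.168.1.21
guest-bob  guest  192.168.1.40
'

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup: a verdict map keyed on (MAC, IP). Traffic from the SSID
# that is not an exact bound pair falls through to the final drop, which is
# what stops a station from inventing a new MAC or address after a reboot.
setup_rules() {
    run nft add map $FAMILY $TABLE station_policy '{ type ether_addr . ipv4_addr : verdict; }'
    for grp in media guest; do run nft add chain $FAMILY $TABLE "$grp"; done
    run nft add rule $FAMILY $TABLE forward iifname "$WLAN_IF" ether saddr . ip saddr vmap @station_policy
    run nft add rule $FAMILY $TABLE forward iifname "$WLAN_IF" drop
}

# policy_lookup <identity> -> "group ip" on stdout; exit 1 if unknown
policy_lookup() {
    printf '%s\n' "$POLICY" |
        awk -v id="$1" '$1 == id { print $2, $3; found = 1 } END { exit !found }'
}

# identity_of <output of "hostapd_cli sta <mac>"> -> the EAP identity
# Assumption: hostapd reports it as a dot1xAuthSessionUserName=... line.
identity_of() {
    printf '%s\n' "$1" | sed -n 's/^dot1xAuthSessionUserName=//p'
}

# bind_station <mac> <identity>: called after the station is authorised.
bind_station() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pol=$(policy_lookup "$2") || { echo "no policy for identity '$2'" >&2; return 1; }
    grp=${pol%% *}; ip=${pol##* }
    run nft add element $FAMILY $TABLE station_policy "{ $mac . $ip : jump $grp }"
    # dnsmasq re-reads --dhcp-hostsfile on SIGHUP; it does not re-read conf-dir,
    # so the reservation goes in the hostsfile ("<mac>,<ip>" per line), not a conf file.
    run sh -c "echo $mac,$ip >> $DHCP_HOSTS"
    run killall -HUP dnsmasq
}

# unbind_station <mac> <ip>: called on AP-STA-DISCONNECTED so a later
# station reusing the address cannot inherit the old station's verdict.
unbind_station() { run nft delete element $FAMILY $TABLE station_policy "{ $1 . $2 }"; }

# Demo with constructed hostapd_cli output (dry run prints the commands).
STA_OUTPUT='00:11:22:33:44:55
flags=[AUTH][ASSOC][AUTHORIZED]
dot1xAuthSessionUserName=sonos-1'
setup_rules
bind_station "00:11:22:33:44:55" "$(identity_of "$STA_OUTPUT")"
```

Two caveats a practitioner would want: the `inet` family does not see ARP, so a station can still answer ARP for an address it is not bound to (filtering that needs the `arp` or `bridge` family, which is the "bridge filtering" route mentioned later in the thread), and on a real router these rules would be kept in an fw4 include rather than appended to fw4's own `forward` chain, so a firewall reload does not wipe them.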

If your network is really polluted and some simple VLANs in combination with "client isolation" are not enough, then it is time to buy another router(s)/switch(es) to solve the issue (route between them where necessary). Another option is what @dlakelan wrote above, but this is not an easy job compared to buying another router. :smiley:

Realistically speaking, with IPv6 this kind of thing is impossible though. Individual devices can easily have a million IP addresses each. In polls of my friends well over half of them have IPv6, and Google traffic is approaching 50% IPv6, so it's worth it to think about solutions that work there.

I followed the WPA2-EAP suggestion and found this page: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x
where it mentions "automatically assign users connecting to the SAME SSID to either the main “lan” network or a new “guest” network".
This is pretty much what I am after, though as usual with IT, it is far more complex than it should be to implement.
Routers should by default add devices as not trusted and only after being assigned to a group get access to that trusted set of resources.
In this day and age of so many things wanting in on my network I should not be limiting their access, I should be granting it to them.

@dlakelan thank you for the direction, very much appreciated.
@pwned thank you for your input, though I think more equipment linked together is more complexity than I would like, not to mention cost. I am going to try the RADIUS approach.

It would be nice for home routers to provide security at a level that my parents could handle for once rather than so much configuration it excludes them from safety.
The number of people who just add devices to their networks without knowing they are all able to access everything is frightening, when the technology to add devices as untrusted to start is so simple.

Agreed, it sounds complex. For example, how will your RADIUS accounting system realize that the Echo device should be on the same VLAN as the Sonos device, and what will it do when the Echo device needs to talk to the SMB share but not the rest of the devices on the main LAN? And then when someone adds a new feature to the Echo it needs to talk to your cell phone...

Also you will find that all the discovery-type features are broken by different subnetting. So your phone will never find the Chromecast or the Echo or the Philips Hue etc. unless they're on the same subnet.

One thing you might try is to put an access point on the back side of a Linux bridge and then do bridge filtering. Then things are on the same VLAN and same subnet, but access is limited by your rules.

In my main LAN each desktop machine (Linux) runs its own firewall. Only SSH is available for the most part, unless it's a file server.

From what I can see in the document, you need to define in the RADIUS account settings which VLAN each client connects to. It does need dynamic VLAN, which seems to have been added and removed and added again, so I'm not sure if there are issues remaining.
This is still VLAN-level security, but a lot closer to the device level I would like, not to mention a lot of DHCP configurations.
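What the two halves of that setup look like in practice, as an added example that is not from this thread, from the linked OpenWrt page, or from the FreeRADIUS or OpenWrt projects: one function prints the FreeRADIUS `users` stanza that returns a VLAN for an identity (the three `Tunnel-*` reply attributes are the standard RFC 3580 way of telling an 802.1X authenticator which VLAN to use), the other prints the `uci` settings that make OpenWrt's hostapd act on them. The identities, passwords, VLAN ids, RADIUS server address, bridge prefix and the wifi-iface section name are assumptions; the `vlan_ok` check exists because an out-of-range id in the users file is not rejected by the file format and would leave the client on whatever the default network is.

```shell
#!/bin/sh
# Added example, not from the linked OpenWrt page or the FreeRADIUS project:
# RADIUS-driven dynamic VLAN assignment on one SSID. Identities, passwords,
# VLAN ids, the RADIUS server and the uci section name are assumptions.

# vlan_ok <id>: 802.1Q VLAN ids are 1..4094; refuse anything else before it
# reaches the users file.
vlan_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# radius_vlan_user <identity> <password> <vlan-id>
# Prints a FreeRADIUS "users" stanza whose reply attributes carry the VLAN.
# Cleartext-Password is what PEAP/MSCHAPv2 needs; an EAP-TLS deployment
# would key the stanza on the certificate identity instead.
radius_vlan_user() {
    vlan_ok "$3" || { echo "bad VLAN id '$3' for $1" >&2; return 1; }
    printf '%s\tCleartext-Password := "%s"\n' "$1" "$2"
    printf '\tTunnel-Type = VLAN,\n'
    printf '\tTunnel-Medium-Type = IEEE-802,\n'
    printf '\tTunnel-Private-Group-Id = "%s"\n\n' "$3"
}

# dynamic_vlan_uci <wifi-iface section> <radius-server> <radius-secret> <tagged uplink>
# Prints commands for "uci batch"; review them, then "uci commit wireless; wifi".
# Option names follow recent OpenWrt releases (auth_server/auth_secret); older
# releases spell them server/key. With dynamic_vlan=1, hostapd creates a
# tagged sub-interface on the uplink per returned VLAN id and bridges the
# station into it; vlan_bridge is the bridge name prefix (assumed here).
dynamic_vlan_uci() {
    cat <<EOF
set wireless.$1.encryption='wpa2'
set wireless.$1.auth_server='$2'
set wireless.$1.auth_port='1812'
set wireless.$1.auth_secret='$3'
set wireless.$1.dynamic_vlan='1'
set wireless.$1.vlan_tagged_interface='$4'
set wireless.$1.vlan_bridge='br-vlan'
EOF
}

# Demo: a media device and a guest on the RADIUS side, then the AP side.
radius_vlan_user sonos-1   'constructed-secret' 20
radius_vlan_user guest-bob 'constructed-secret' 40
dynamic_vlan_uci guest_ap 192.168.1.2 'constructed-radius-secret' eth0
```

The group the thread keeps coming back to (guest-bob gets the printer, the Sonos and the Echo share a VLAN) is then just the VLAN id in each identity's stanza; the per-MAC/IP pinning the OP wants on top of this is a separate firewall step, since the RADIUS reply only chooses the network.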
