Quarantine new devices

Guys, please can you help the noob?

I am new to OpenWrt.

Is there a way to quarantine new devices by default when they connect to OpenWrt via DHCP?
So in other words, any new device that connects to OpenWrt goes to a quarantine pool with no internet access.

Then after connecting I will give them access to the internet etc. by moving them out of the quarantine state.

Any help greatly appreciated.

1 Like

You could set up IEEE 802.1X, in combination with managed switches(-only). Not trivial, but it is the enterprise solution to this question.

The easiest would probably be to use static leases based on the device MAC address and pre-define where it goes in the DHCP server.

Or have a closed/isolated VLAN/FW zone/interface on one or more ports where you connect a device for inspection before moving it to a port where it will be used.
This works the same for a WiFi SSID also.

The method to use is very much dependent on why you want to isolate the client.
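
An added example, not part of the original thread: the MAC-based approach in the reply above needs a way to see which DHCP clients are not yet on an approved list. The function below compares dnsmasq-style lease lines with an allowlist; the allowlist format (one MAC per line), the names `unapproved_leases` and `demo`, and all sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example: list DHCP clients whose MAC is not on an approved list.
# Lease lines follow the dnsmasq lease-file layout:
#   <expiry-epoch> <mac> <ip> <hostname|*> <client-id|*>
# The allowlist format (one MAC per line, '#' comments) is an assumption.

# unapproved_leases LEASES_FILE ALLOWLIST_FILE
# Prints "mac ip hostname" for every lease whose MAC is not allowlisted.
unapproved_leases() {
    awk '
        # First file is the allowlist: strip comments and blanks, fold case.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") ok[tolower($0)] = 1
            next
        }
        # Second file is the lease table: field 2 must look like a MAC.
        NF >= 3 {
            mac = tolower($2)
            if (split(mac, p, ":") != 6) next
            for (i = 1; i <= 6; i++) if (p[i] !~ /^[0-9a-f][0-9a-f]$/) next
            if (!(mac in ok)) print mac, $3, (NF >= 4 ? $4 : "*")
        }
    ' "$2" "$1"
}

# Constructed sample data (made-up MACs and hostnames, not from the thread).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/leases" <<'EOF'
1700003600 AA:BB:CC:00:00:01 192.168.1.10 office-printer 01:aa:bb:cc:00:00:01
1700003600 aa:bb:cc:00:00:02 192.168.1.11 * *
1700003600 aa:bb:cc:00:00:03 192.168.1.12 guest-phone *
EOF
    cat > "$d/approved" <<'EOF'
# approved devices
aa:bb:cc:00:00:01   # printer
EOF
    unapproved_leases "$d/leases" "$d/approved"
    rm -rf "$d"
}
```

On OpenWrt the dnsmasq lease file is normally `/tmp/dhcp.leases`. A MAC address is chosen by the client, so the output is an inventory aid rather than an access control.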

Thank you very much for your support.

flygarn12 - the main reason is that I have clients who require WiFi access, and they have customers that connect to their WiFi system(s), and they want me to allow their clients / users to connect but not utilize the internet until they have been given authorization to have internet access.

Maybe there is a better way to do this?

Any help greatly appreciated.

Maybe you could set up a captive portal and authenticate users with user/pass.

Thank you for your support, much appreciated.

trendy - sometimes the client(s) have IoT devices that they connect.

flygarn12
"The easiest would probably be to use static leases based on the device MAC address and pre-define where it goes in the DHCP server." - The clients have different devices, IoT, printers et al. that connect at random if and when required.

"Or have a closed/isolated VLAN/FW zone/interface on one or more ports where you connect a device for inspection before moving it to a port where it will be used." - Some sites have a single switch [ NOT MANAGED ] with a single Ubiquiti AP. How would I do this?

"This works the same for WiFi SSID also." - I am using Ubiquiti AP devices. How would I go about doing that?

Thank you again.

To my understanding you have too high expectations and inadequate equipment, therefore you'll need to either lower your expectations or be more realistic about what you can do with what you have.
The best you can do given these limitations is

but pretty easy to bypass.

Yepp! But as you said, to quarantine something but only for a short while in a home network ain’t easy.

1 Like

Just a question:

Would it not be possible to create a rule to block all devices from having access to the internet and LAN by placing them in a group, then I can move them to other group(s) as needed?

A network client is connected by WiFi radio or hardwired RJ45 to a FW zone through an interface.

In OpenWrt the FW zone is the “group” you are talking about.

But the kind of group you are thinking about, where the clients are gathered in pools and you can move them from pool to pool, has no logic support in OpenWrt.

You have no easy way to change a physical connection inside the OpenWrt logic.

Unless you change the port's VLAN or SSID interface connection so they get paired with another FW zone by another interface.

1 Like