How to detect/block duplicate/static IP addresses on a network

dhcp, ip, pfsense

I have set up my network using pfSense, with 8 subnets, each one having its own DHCP server range. I have enabled static ARP on the server and static MAC entries, so that no unknown machine can access the network at all.
The problem is: is there any way to detect and block those IP addresses which users set statically? Because of them there are IP conflicts, and authenticated users face disconnection issues.

I do not want anyone to use a static IP address anywhere on the network.
Is there any way to find and block a system that is using a static IP address?

Best Answer

Not with just pfSense, no. Protection like this is usually done in a switch, with port security options like DHCP snooping, and fancier stuff like 802.1X.

With static IPs set on all the devices you do want on the network, you can come close to preventing other static IPs by disabling address learning (ARP) on all clients and the pfSense box, but that would be a very non-standard configuration, and you'd need static ARP entries defined everywhere so they can talk.

A better option would be to run arpwatch on the pfSense machine; it will send email alerts when a new IP/MAC is seen on the network, or an IP changes its associated MAC. It won't prevent problems, but it lets you know there's an issue and gives you the info to track down the source.
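The detection the answer describes, as an added example that is not code from the original answer or from arpwatch itself: it records the sender IP/MAC pair of every ARP frame seen on the wire the way arpwatch does, alarms when an IP moves to a different MAC, and adds the cross-check the question asks for, flagging any IP that is active on the segment but has neither an active DHCP lease nor a pfSense static mapping (i.e. it was configured by hand). Sniffing ARP rather than reading the kernel ARP table matters here because with pfSense's static ARP option enabled, unknown hosts never appear in the firewall's own table. The tcpdump and dhcpd.leases formats are real; the addresses, the `KNOWN_HOSTS` table and all sample lines are constructed for the example.

```python
import re

# Constructed sample of `tcpdump -n -e arp` output captured on the LAN side of
# the pfSense box. Sniffing sees every ARP frame on the segment, so unknown
# hosts show up even when pfSense's static ARP option keeps them out of the
# kernel ARP table. Addresses are made up; the line format is tcpdump's.
TCPDUMP_ARP = """\
10:00:01.000001 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.1 tell 192.168.10.50, length 28
10:00:01.000002 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 192.168.10.1 is-at 00:11:22:33:44:55, length 28
10:00:02.000001 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.1 tell 192.168.10.77, length 28
10:00:03.000001 aa:bb:cc:dd:ee:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.1 tell 192.168.10.200, length 28
10:00:04.000001 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.10.50 tell 192.168.10.50, length 28
"""

# Constructed ISC dhcpd.leases fragment (pfSense's DHCP server is ISC dhcpd).
DHCPD_LEASES = """\
lease 192.168.10.50 {
  starts 4 2024/01/04 10:00:00;
  ends 4 2024/01/04 12:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 192.168.10.60 {
  starts 4 2024/01/03 10:00:00;
  ends 4 2024/01/03 12:00:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:04;
}
"""

# Constructed (assumption): the firewall's own LAN interface plus the static
# DHCP mappings configured in pfSense, i.e. the hosts static ARP allows.
KNOWN_HOSTS = {
    "192.168.10.1": "00:11:22:33:44:55",
    "192.168.10.77": "aa:bb:cc:dd:ee:02",
}

ARP_FRAME = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > \S+, ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has [\d.]+(?: \([^)]*\))? tell (?P<req_ip>[\d.]+)"
    r"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>[0-9a-f:]{17}))"
)
LEASE_BLOCK = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)


def arp_senders(capture):
    """Yield (sender_ip, sender_mac) for every ARP request or reply; this is
    the pair arpwatch records in its station database."""
    for line in capture.splitlines():
        m = ARP_FRAME.match(line)
        if m and m.group("req_ip"):
            yield m.group("req_ip"), m.group("src").lower()
        elif m:
            yield m.group("rep_ip"), m.group("rep_mac").lower()


def active_leases(text):
    """Return {ip: mac} for leases in 'binding state active'. dhcpd appends a
    new block on every state change, so the last block for an IP wins."""
    leases = {}
    for m in LEASE_BLOCK.finditer(text):
        state = re.search(r"binding state (\w+);", m.group("body"))
        mac = re.search(r"hardware ethernet ([0-9a-f:]{17});", m.group("body"))
        if state and mac and state.group(1) == "active":
            leases[m.group("ip")] = mac.group(1).lower()
        else:
            leases.pop(m.group("ip"), None)
    return leases


def watch(pairs, leases, known, stations=None):
    """Replay (ip, mac) observations through an arpwatch-style station table
    and return (kind, ip, detail) alerts:
      new      first time this IP is seen on the wire (arpwatch "new station")
      flip     IP moved to a different MAC ("changed ethernet address")
      static   IP has no active lease and no static mapping: set by hand
      conflict MAC differs from the one the lease/mapping belongs to"""
    stations = {} if stations is None else stations
    alerts = []
    for ip, mac in pairs:
        if ip not in stations:
            alerts.append(("new", ip, mac))
        elif stations[ip] != mac:
            alerts.append(("flip", ip, f"{stations[ip]} -> {mac}"))
        stations[ip] = mac
        expected = leases.get(ip) or known.get(ip)
        if expected is None:
            alerts.append(("static", ip, mac))
        elif expected != mac:
            alerts.append(("conflict", ip, f"{mac} claims address of {expected}"))
    return alerts


def run():
    """Wire the constructed samples together; returns the alert list."""
    return watch(arp_senders(TCPDUMP_ARP), active_leases(DHCPD_LEASES), KNOWN_HOSTS)


if __name__ == "__main__":
    for kind, ip, detail in run():
        print(f"{kind:8} {ip:16} {detail}")
```

On the sample, 192.168.10.200 is reported as a hand-configured static IP (it is on the wire but holds no lease and no mapping), and the gratuitous ARP from aa:bb:cc:dd:ee:99 for 192.168.10.50 produces both a MAC flip and a conflict against the lease held by aa:bb:cc:dd:ee:01, which is exactly the duplicate-address situation that knocks the legitimate client off the network. For live use, feed the output of `tcpdump -l -n -e -i <lan-if> arp` on the pfSense box into `arp_senders` and read the leases from dhcpd's leases file (on pfSense, under the /var/dhcpd chroot). As the answer says, this only detects and tells you which MAC to chase; blocking still has to happen on the switch (DHCP snooping, dynamic ARP inspection or 802.1X).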