Tassimat
2021-09-28 20:21:58
- #1
Maybe a VPN solution is also possible if your devices that you want to connect to this port support it.
The secure, upscale network in the single-family house
- Erstellt am 2020-06-06 23:00:54
Tarnari
2021-09-28 20:38:49
- #2
You need something on which the Radius server is running. For me, for example, that is a pfSense. Then the authorized device must, of course, support 802.1x and know the Radius access data. These devices have somewhere in the menu an option where you can activate it and enter the access data.
Just plugging anything in doesn't work – or rather, what exactly is the practical goal? At some point, you have to make the authorized device known to the system, either via simple MAC filtering or via Radius access data. How are you coming to a TV now? I thought you want to secure external ports? One rarely connects a TV or PC to the RJ45 socket of the outdoor AP at the terrace overhang? In the house (and I assume you mean a private house), you normally don't have suspicious guests tampering with the LAN. "At-risk" ports in the guest room could then also be locked into their own VLAN, which is heavily restricted.
With Hikvision cameras, for example, it looks like this:
The practical goal is that the three ports (above the terrace and two in the garage) cannot be used by any unauthorized device, but the ports can still be used by any device I want. In the garage, the Gardena Gateway and an access point are connected, and above the terrace there is also an access point. I want to prevent someone from plugging in any device there and gaining access to my network, but I want to allow it for my devices (whatever they are).
Araknis
2021-09-28 20:43:37
- #3
I cannot imagine (without researching) that cheap Chinese devices can function like a Gardena Gateway Radius. If you really want to be able to connect every device, the only option is probably to use MAC filtering. However, this is not very secure, since the MAC can be easily read off the old device with reasonable effort and then spoofed at will. Something always suffers—usability, device selection, or security.
"Simply plug in" does not work with MAC filtering either; you always have to register the MAC address at the authorizing point first. For that, every device with a MAC address should be usable.
"Simply plug in" does not work with MAC filtering either; you always have to register the MAC address at the authorizing point first. For that, every device with a MAC address should be usable.
Tarnari
2021-09-28 20:52:13
- #4
That was exactly my question.
MAC filtering brings absolutely nothing.
If the answer to my question is "doesn't work," then I would already be further.
Specifically, I wanted to know if I can control which device gets an address via DHCP and which does not. If that doesn't work, okay. Then I know that my pipe wasn't one and that I'm not into that.
MAC filtering brings absolutely nothing.
If the answer to my question is "doesn't work," then I would already be further.
Specifically, I wanted to know if I can control which device gets an address via DHCP and which does not. If that doesn't work, okay. Then I know that my pipe wasn't one and that I'm not into that.
Araknis
2021-09-28 20:55:53
- #5
Okay, then briefly:
Yes, you can.
It basically always works. It "works well" if your device supports 802.1x. It "works less well" if it only has a MAC address.
In general, I would realistically think about such attack scenarios. With VLANs, you block the outdoor ports from the rest of the network. Then there are still certain routes, e.g., to the Internet. And then? Your visitor can surf. But go to such lengths when every second WLAN in the neighborhood is poorly secured? I would rather be bothered that someone takes the opportunity to steal the access point or the Gardena gateway from me.
Specifically, I wanted to know if I can control which device gets an address via DHCP and which does not.
Yes, you can.
If that’s not possible, okay. Then I know my approach was not good and I’m not into that.
It basically always works. It "works well" if your device supports 802.1x. It "works less well" if it only has a MAC address.
In general, I would realistically think about such attack scenarios. With VLANs, you block the outdoor ports from the rest of the network. Then there are still certain routes, e.g., to the Internet. And then? Your visitor can surf. But go to such lengths when every second WLAN in the neighborhood is poorly secured? I would rather be bothered that someone takes the opportunity to steal the access point or the Gardena gateway from me.
Tassimat
2021-09-28 21:14:40
- #6
Generally, I would realistically consider such attack scenarios. With VLANs, you already isolate the outdoor ports from the rest of the network. Then there are still certain routes, e.g. to the Internet.
I agree. VLANs are made for that. If you then restrict the traffic via firewall to the addresses Gardena etc. need, no one can cause trouble.
(Or throttle the data rate to modem speed :D)