Firewall: Disable all with Exception list - Performance thoughts

Our Peplink Balance’s firewall is configured to allow all, but I am thinking of changing this policy to disallow all and enable only hosts on an “exception list”. In our network some 90 devices (PCs, laptops and tablets) exist, hence this change may require adding at least 50 exception rules (MAC address based) to allow traffic from allowed hosts.
I wonder if this change may have a big impact on performance…

Why? What are you looking to achieve or what issue are you looking to mitigate?

Hi Martin, nice to hear from you!
This is the whole story: in our school we have 3 networks: main, staff & guests. While devices running in the main network (corporate LAN) are well known, devices in the staff & guest networks are unknown (teachers’ & students’ personal devices), although access is granted only through a Wi-Fi password.
As personal devices on the network often use cryptic names, it may be hard to guess the owner/user of a device, hence the idea to find an effective way to pair unknown devices with their respective owners.
Possible options:

  • Block any devices except the whitelisted ones, forcing users to “declare” devices
  • Use a captive portal (not possible through the Balance One as the APs are not Peplinks)

If there is any easier or more practical idea out there, I’d love to share it.

You can apply a captive portal to wired devices in a VLAN on the Balance, so potentially even traffic via third-party APs can be routed through a CP for user auth (if the APs are in bridge rather than router mode).

Otherwise, yes, your idea is sound (if a little brutal and with a config overhead): use firewall rules with MAC addresses as the identifier to block outbound traffic from unknown devices.

Personally I would look to achieve this with captive portals if I could as I’m a lazy admin…

Yeah, the options would be either adding some 40/60 rules to the firewall (overhead?) or finding another way to get a proper device inventory…
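To make the “deny all, allow from an exception list” idea discussed above concrete, here is an added example (not Peplink’s code or configuration format) of how such a MAC-based allowlist is evaluated: the inventory, owner names and observed addresses are all constructed, and the lookup table shows why the number of rules does not change the per-frame cost.

```python
"""Default-deny MAC exception list (constructed example, not Peplink's
implementation): pairs each allowed MAC with its owner, normalises the
different MAC notations admins type, and evaluates one source address."""
import re

# Constructed inventory: the "exception list" pairing each allowed MAC with
# its owner. Mixed notations on purpose, to exercise the normalisation.
ALLOWED = {
    "00:1A:2B:3C:4D:5E": "staff laptop / J. Smith",
    "00-1a-2b-3c-4d-5f": "library tablet 01",
    "001a.2b3c.4d60": "admin PC",
}


def normalize_mac(mac):
    """Canonicalise to aa:bb:cc:dd:ee:ff regardless of separator or case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def build_exception_list(inventory):
    """Turn the inventory into a hash table: one lookup per frame, so the
    rule count (40, 60 or 600 entries) does not change the per-frame cost."""
    return {normalize_mac(m): owner for m, owner in inventory.items()}


def is_locally_administered(mac):
    """Bit 0x02 of the first octet set means a locally administered address.
    Randomised 'private' Wi-Fi addresses on phones and tablets fall here, so
    such a device looks new on every connection and cannot be allowlisted
    reliably by MAC; the verdict names that reason so the admin can tell."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


def evaluate(src_mac, exception_list):
    """Default deny: return (verdict, owner or reason) for one source MAC."""
    mac = normalize_mac(src_mac)
    owner = exception_list.get(mac)
    if owner is not None:
        return "allow", owner
    if is_locally_administered(mac):
        return "deny", "unknown device (randomised MAC)"
    return "deny", "unknown device"


if __name__ == "__main__":
    table = build_exception_list(ALLOWED)
    # Constructed sample of observed source addresses on the staff network
    for seen in ["00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-5F",
                 "a8:bb:cc:dd:ee:ff", "02:11:22:33:44:55"]:
        print(seen, "->", evaluate(seen, table))
```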

Hello @ReeXNeeX,
We agree with @MartinLangmaid’s approach of using VLANs & Captive Portals.
We have many client locations using the Balance One with another manufacturer’s WAPs (not preferred, though it is what it is), and we successfully tie an SSID to a VLAN in the Balance One so that the device has to go through the Captive Portal to get connectivity.

InControl2 is used as the management platform for our customers, as it allows the Captive Portal to be linked in to many more options and is a lot easier to set up, monitor and administer than doing so on the router itself.

Can we recommend you have a look at this previous reply in another post? It will cover almost everything you need to get started.

Happy to Help,
Marcus :)