How to block devices from LAN access?
-
Hopefully someone can help me...
I would like to know how to block certain devices on my network from either LAN or WAN access (depending upon the device).
I was testing this with my phone, which I have assigned a static IP address and tried to block it from having WAN and LAN access. However, whilst blocking Internet access works, blocking LAN access fails.
My Pfsense router connects to a switch, which has a variety of hardwired devices connected to it, one of which is an old Asus router in Access Point mode. Via that Access Point, my phone connects.
First I created an alias for my phone and then set a LAN firewall rule to block that device.
All protocols selected.
I set the 'Source' to the alias and the 'Destination' to any (also tried selecting 'LAN net'). Plenty of time has been given to allow settings to take effect, both phone and router have been restarted - no effect.
Can anyone see anything I'm doing wrong?
-
@skiny Sure, you cannot block on the same LAN.
-
So it has to be done via a VLAN?
-
@skiny said in How to block devices from LAN access?:
So it has to be done via a VLAN?
Yes, if the traffic between devices would be routed over pfSense, then you could block it. Devices on the same network do not talk to pfSense to talk to each other. When a device wants to talk to another device and the IP is on the same network as device A, it just ARPs for the MAC and then sends the traffic to the MAC address. So pfSense is not involved in that conversation. Traffic only gets sent to the gateway (pfSense) when the destination IP is not on the same network. The device then ARPs for the MAC of the IP of the gateway, and sends the traffic there (pfSense).
So be that a VLAN, or some other native network - the traffic would need to be routed via pfSense for pfSense to block it.
For devices on the same network, you could look to see if your switch supports what is commonly called a private VLAN; this allows the switch to prevent access between devices on the same network. In the wifi world this is either called AP or Client isolation.
-
@skiny Some wireless access points have a guest SSID that isolates the guest devices. I have eero which does this even though the APs are on LAN and eero is in bridge mode. Other APs may be able to do this if they are also the router, you'd have to check the capability of yours. Of course that only works for wireless devices using the guest SSID.
-
Could an LDAP server and/or RADIUS server help out here?
-
@dobby_ said in How to block devices from LAN access?:
RADIUS server help out here?
If you were doing something with NAC maybe, and place them in a private VLAN once they auth to the network. Would still be outside the scope of pfSense, unless you were running the RADIUS server on pfSense. Your switches would still need to support the ability to limit the devices.
-
@johnpoz said in How to block devices from LAN access?:
@skiny said in How to block devices from LAN access?:
So it has to be done via a VLAN?
Yes, if the traffic between devices would be routed over pfSense, then you could block it. Devices on the same network do not talk to pfSense to talk to each other. When a device wants to talk to another device and the IP is on the same network as device A, it just ARPs for the MAC and then sends the traffic to the MAC address. So pfSense is not involved in that conversation. Traffic only gets sent to the gateway (pfSense) when the destination IP is not on the same network. The device then ARPs for the MAC of the IP of the gateway, and sends the traffic there (pfSense).
So be that a VLAN, or some other native network - the traffic would need to be routed via pfSense for pfSense to block it.
For devices on the same network, you could look to see if your switch supports what is commonly called a private VLAN; this allows the switch to prevent access between devices on the same network. In the wifi world this is either called AP or Client isolation.
That makes perfect sense and I have no idea why I didn't consider it at the time.
Thanks for the helpful explanation and to everyone else for their replies too!
-
@skiny said in How to block devices from LAN access?:
why I didn't consider it at the time
Don't feel bad - this same question comes up all the time. Why are LAN-to-LAN rules not working ;)
The only way pfSense can filter traffic between devices on the same network - is if you bridge; then pfSense could filter traffic between devices that are on different sides of the bridge.
But bridges should be the last possible choice almost always. But if you were bridging with pfSense, then it would be possible to filter traffic between devices that were on side A of the bridge to side B of the bridge. But if devices were on the same side, then no, pfSense again would never see the traffic.
The takeaway here is if you have devices that you want to filter from talking to other devices - put them on different networks, that get routed over pfSense. Then it is child's play to filter who can talk to who in the different networks.
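The forwarding decision that johnpoz explains (same subnet: ARP and deliver directly; different subnet: hand to the gateway) and the takeaway above can be checked in a few lines. This is an added example, not code from the thread or from pfSense; the addresses, the phone's rule and the VLAN subnet 192.168.20.0/24 are constructed, and the rule model is a simplified first-match list with no state tracking.

```python
# Added example, not from the thread. A host only hands a packet to its gateway
# (pfSense) when the destination lies outside its own subnet; otherwise it ARPs
# for the destination MAC and pfSense never sees the frame, so no rule matches.
# All addresses and rules below are constructed for illustration.
import ipaddress

# Constructed version of the OP's rule: block source = phone alias, destination = any.
OP_RULES = [{"action": "block", "src": "192.168.1.50/32", "dst": "0.0.0.0/0"}]


def next_hop(host_cidr: str, dst_ip: str) -> str:
    """'direct' = same subnet (host ARPs for dst); 'gateway' = routed via pfSense."""
    iface = ipaddress.ip_interface(host_cidr)
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"


def rule_matches(rule: dict, src_ip: str, dst_ip: str) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"]))


def lan_verdict(host_cidr: str, dst_ip: str, rules: list) -> str:
    """Outcome for a packet from host to dst_ip under the interface's rules.

    'not seen' when the switch/AP delivers the frame directly; otherwise the
    action of the first matching rule (pfSense evaluates top-down), or
    'no match' when the interface default applies.
    """
    if next_hop(host_cidr, dst_ip) == "direct":
        return "not seen"
    src_ip = str(ipaddress.ip_interface(host_cidr).ip)
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule["action"]
    return "no match"


if __name__ == "__main__":
    # Flat LAN, as in the original post: WAN gets blocked, LAN peers do not.
    phone = "192.168.1.50/24"
    for dst in ("192.168.1.10", "8.8.8.8"):
        print(f"{phone} -> {dst}: {lan_verdict(phone, dst, OP_RULES)}")
    # Phone moved to its own VLAN subnet with the equivalent rule on that
    # interface: traffic to the old LAN is now routed, so pfSense can block it.
    vlan_phone = "192.168.20.50/24"
    vlan_rules = [{"action": "block", "src": "192.168.20.50/32", "dst": "192.168.1.0/24"}]
    for dst in ("192.168.1.10", "192.168.20.60", "8.8.8.8"):
        print(f"{vlan_phone} -> {dst}: {lan_verdict(vlan_phone, dst, vlan_rules)}")
```

Peers inside the VLAN (192.168.20.60 in the run above) are still "not seen", which is why private VLANs or client isolation remain the answer for devices that must share a subnet.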