How do I block wireless communication between all clients on a specific VLAN ?
-
Hi,
I have a VLAN to which I want to connect multiple wireless devices and block communication between them so that they can't see each other, but I can't figure out how to accomplish this even after doing research on Google, which provided multiple conflicting sources and results. To give you an example, this is exactly like the AP isolation option you see on many consumer-based routers.
I already have an Access Point with VLANs set up on it and just need to configure the said VLAN for the above-mentioned behavior.
Any idea how I can do this?
Thanks
-
@4RR3N The router can't do this, the packets don't go through the router. You can prevent that VLAN from connecting to other VLANs or interfaces by firewall rules.
-
@SteveITS So, I presume this would need to be configured on the Access Point itself? I know about VLANs and how they work, but was just looking to see if I could implement AP isolation on the same VLAN and if it was possible at all.
I have multiple wireless devices that I only want to give access to the internet but prevent from talking to each other on the local network. Is there anything like this I could set up?
-
@4RR3N Correct. See if the AP has a guest or isolation mode.
It's the same question as a wired network. 10.0.0.3 talking to 10.0.0.4 doesn't go through the router so the switch (via VLAN?) or a firewall on each device has to control access.
-
@SteveITS So what you are basically saying is that because the communication happens locally, it needs to be handled either by the Access Point or by a software firewall on the devices themselves, let's say on the laptop?
This is a bit puzzling, because the IP is given by PFSense, and when you try to talk from 10.0.0.3 to 10.0.0.4 or initiate a connection like RDP etc., it initiates a connection to find the device using the above details given by PFSense, so technically it should go through the router\PFSense itself.
-
@4RR3N said in How do I block wireless communication between all clients on a specific VLAN ?:
when you let's say try to talk from 10.0.0.3 to 10.0.0.4 or initiate a connection like RDP etc, it initiates a connection to find the device
yes
@4RR3N said in How do I block wireless communication between all clients on a specific VLAN ?:
so technically it should go through the router\PFSense itself
Only if the subnet mask is such they are in different subnets, and in that case 10.0.0.3 would send the packet via its routing table, typically to its default gateway.
So 10.0.0.3/30 could use 10.0.0.1 as its gateway, and 10.0.0.5/30 could use 10.0.0.6 as its gateway. (a /30 has 2 usable IPs per subnet)
-
@4RR3N said in How do I block wireless communication between all clients on a specific VLAN ?:
so technically it should go through the router\PFSense itself.
No, not the way it works..
The router/gateway to get off a network has zero to do with devices on the same network..
Here, copied from a post I did a few days ago, related to someone else thinking pfsense had something to do with devices on the same network talking to each other:
You have a device 192.168.1.x on a /24 which means anything 192.168.1.1 to 254 is on its network, with the .255 being the broadcast for that network, and the .0 being the network or wire..
So a device says hey I want to talk to 8.8.8.8, well that is not on my network.. Need to send that to my gateway (pfsense) so it arps for the mac of its gateway 192.168.1.1 - and sends the traffic to that mac address with a destination of 8.8.8.8... Pfsense being the router says oh, that is my mac address let me look at the traffic - oh that wants to go to 8.8.8.8 let me route it.
Now when said device says hey want to talk to 192.168.1.Y - it says oh that is on my network, let me arp for it, oh here is its mac.. And send the traffic to 192.168.1.Y via that mac address. Pfsense is not involved..
If you want to isolate devices on the same network, with wire your switch might support what is normally called a private vlan.. With wifi this would be done on the AP, commonly called either AP isolation or Client isolation - this prevents devices on the same network from talking to each other.
But pfsense, being the router/gateway to get off a specific network, has nothing to do with that sort of communication - it can allow or block you from talking to another network, be it another local one attached to pfsense via another physical interface or a vlan, since this is routed through pfsense. But device A talking to B on the same network has no need for the "router", nor could pfsense even prevent this communication if it wanted to.. It is not involved in any way.. That it handed the IPs to each device via dhcp has nothing to do with it once the device gets the IP. Now if you're trying to resolve a name to get to, and if pfsense is handling your dns, you could stop say client A from resolving the IP from a fqdn via dns on pfsense.. But IP A talking to IP B on the same network, pfsense is not involved.
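The forwarding decision described in the two posts above (on-link destinations are ARPed for directly, everything else goes to the gateway) modelled as an added example; this is not code from the thread or from pfSense, and the addresses in it are constructed to match the thread's 192.168.1.0/24 and /30 examples.

```python
from ipaddress import ip_interface, ip_address, ip_network
from typing import Tuple

def next_hop(host_cidr: str, destination: str, gateway: str) -> Tuple[str, str]:
    """Return (how, target) for the first hop a host picks for a destination.

    'direct' means the host ARPs for the destination itself and the router
    never sees the frame; 'gateway' means the frame is addressed to the
    router's MAC and the router (pfSense here) makes the forwarding decision.
    Only the host's own mask matters: DHCP handing out the address does not
    put the router in the path afterwards.
    """
    host = ip_interface(host_cidr)          # e.g. 192.168.1.50/24
    dst = ip_address(destination)
    if dst in host.network:                 # same network/wire -> ARP for it
        return ("direct", str(dst))
    return ("gateway", gateway)             # off-net -> ARP for the gateway

def router_sees_traffic(host_cidr: str, destination: str, gateway: str) -> bool:
    """True only when the frame is handed to the router at all."""
    return next_hop(host_cidr, destination, gateway)[0] == "gateway"

def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a subnet (network and broadcast excluded)."""
    return sum(1 for _ in ip_network(cidr, strict=False).hosts())

if __name__ == "__main__":
    # Constructed sample hosts on the /24 from the post above.
    for dst in ("8.8.8.8", "192.168.1.77"):
        print("192.168.1.50/24 ->", dst, next_hop("192.168.1.50/24", dst, "192.168.1.1"))
    # With /30 masks the two hosts are on different networks and do route.
    print("10.0.0.2/30 -> 10.0.0.5", next_hop("10.0.0.2/30", "10.0.0.5", "10.0.0.1"))
    print("usable hosts in a /30:", usable_hosts("10.0.0.0/30"))
```

A firewall rule on pfSense can therefore only affect the cases where `router_sees_traffic` is True; the same-subnet case has to be handled on the AP (client isolation) or on the switch (private VLAN).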
-
Wireless client isolation is a layer 2 function on the access point itself.