Netgate Discussion Forum

Can't completely isolate one laptop from the lan

L2/Switching/VLANs
9 Posts 5 Posters 809 Views
pastic

I have an sg4680. I run my home LAN on 10.0.0.1/24. pfSense is on igb0 at 10.0.0.1. I have a WiFi router in access point mode on opt1 at 10.0.0.2 for WiFi access from laptops and smartphones.

Now, I was given a company laptop that I want to use at home (WiFi only), but it should be completely unable to access any of my home LAN stuff, computers or telephones.

I am trying to do this without buying a separate access point to run a separate subnet.

I gave it a static IP 10.0.0.111 and then created a rule that blocks access from that IP to LAN Subnets as well as to an alias that covers my computers and telephones, apart from This Firewall (self).

It can access the outside Internet as it should, but it can also ping my machines in the lower 10.0.0.1/24 range such as smartphones and a laptop connected to WiFi. I thought that would be impossible with the block rule (basically I thought both block rules should block such traffic). Wired devices are blocked though. Can WiFi devices talk to each other without passing through the firewall?

johnpoz LAYER 8 Global Moderator @pastic

@pastic Devices on the same network have zero to do with pfSense. pfSense is the gateway to get off a network.

10.0.0.x/24 talking to 10.0.0.y/24 couldn't care less whether pfSense is on or off. It has nothing to do with devices on the same network talking to each other. You can create all the rules you want; pfSense is not in the picture.

Your AP should have an option to isolate devices on the WiFi, normally called AP isolation or client isolation.

Get yourself another AP that can do VLANs, or maybe your current one can? Then you can put your work laptop on its own isolated network. Or maybe the switch you're using has an option, often called a private VLAN, which can isolate devices on the same network?

pfSense has nothing to do with it.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

tgl @pastic

@pastic said in Can't completely isolate one laptop from the lan:

Can WiFi devices talk to each other without passing through the firewall?

Yes, an AP will normally forward cross-client traffic directly without it ever passing through your router.

Most WiFi gear will have a "client isolation" option that prevents that, but it's all-or-nothing and will slow cross-client traffic for all the rest of your gear too. What you really want is to put the company laptop on its own SSID with its own VLAN and rely on the VLAN for isolation, but you'll need an AP that knows about VLANs.

SteveITS Galactic Empire @pastic

@pastic Some wireless APs have a guest mode that isolates the devices. eero can do that even if bridged, for example.

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

pastic

Thanks to all three of you who chimed in!
My AP is an oldish Netgear router that can't do VLANs/isolation, but I found a use for a Raspberry Pi 4 that I had lying around. I loaded OpenWrt onto it and now have a separate AP for the work computer. Maybe the next step is to get rid of the old Netgear and do two VLANs in OpenWrt. But that's a project for the next holidays.

@johnpoz said in Can't completely isolate one laptop from the lan:

10.0.0.x/24 talking to 10.0.0.y/24 couldn't care less whether pfSense is on or off. It has nothing to do with devices on the same network talking to each other. You can create all the rules you want; pfSense is not in the picture.

I have a non-recommended? setup where pfSense actually is in the picture, but that's just because of me. I have bridged LAN (wired) and OPT1 (wireless) so clients on both interfaces belong to the 10.0.0.0/24 subnet. But I have not followed through and "assigned the bridge as LAN". I guess this is what made it possible for me to block wireless traffic from going to wired addresses. I think this is what is going on, but without your post I would not have thought twice and realised it.

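The forwarding paths johnpoz and pastic describe, as an added Python model that is not part of the thread (host names, addresses and the reconstructed rule set are assumptions): the sending host's own routing decision delivers on-link destinations directly, so a frame from one WiFi client to another is forwarded inside the AP and never reaches pfSense, while a frame leaving OPT1 for the wired LAN crosses pfSense's bridge, where pf filters on the member interfaces by default (net.link.bridge.pfil_member=1). That is exactly the split pastic observed: wired hosts blocked, wireless hosts reachable.

```python
"""Added model of where a frame from a WiFi client actually travels.

Assumed topology (not from the thread): pfSense bridges LAN (wired) and OPT1
(the AP) and filters on the bridge members, as it does by default
(net.link.bridge.pfil_member=1).  Hosts, addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    attach: str  # "wifi" (behind the AP on OPT1), "wired" (LAN port), "firewall"

    def next_hop(self, dst: str, prefix: int = 24) -> str:
        """The sender's own routing decision: an on-link destination is ARPed
        for and delivered directly; only off-link traffic goes to the gateway."""
        net = ipaddress.ip_network(f"{self.ip}/{prefix}", strict=False)
        return "direct" if ipaddress.ip_address(dst) in net else "gateway"


def pf_decision(rules, src: str, dst: str) -> str:
    """Ordered (action, src, dst_network) rules; first match wins, default deny."""
    d = ipaddress.ip_address(dst)
    for action, rsrc, rdst in rules:
        if rsrc not in ("any", src):
            continue
        if rdst != "any" and d not in ipaddress.ip_network(rdst):
            continue
        return action
    return "block"


def trace(hosts, rules, src_name, dst, *, ap_client_isolation=False,
          bridge_pfil_member=True):
    """Return (path, verdict) for a packet from src_name to dst."""
    src = hosts[src_name]
    if src.next_hop(dst) == "gateway":
        # Off-subnet: pfSense routes it, so the OPT1 rules apply.
        return ("routed-via-pfsense", pf_decision(rules, src.ip, dst))
    peer = next((h for h in hosts.values() if h.ip == dst), None)
    if peer is None:
        return ("arp-unanswered", "unreachable")
    if peer.attach == "firewall":
        return ("to-firewall", pf_decision(rules, src.ip, dst))
    if src.attach == "wifi" and peer.attach == "wifi":
        # Both clients hang off the same AP: the AP forwards the frame itself.
        # Only the AP's client-isolation setting can stop this.
        return ("ap-l2", "block" if ap_client_isolation else "pass")
    if src.attach == peer.attach:
        return ("switch-l2", "pass")  # two wired hosts on the same switch
    # OPT1 <-> LAN: the frame crosses pfSense's bridge, and pf filters it on
    # the member interfaces when pfil_member=1 (the default).
    if bridge_pfil_member:
        return ("bridge-member-pf", pf_decision(rules, src.ip, dst))
    return ("bridge-l2", "pass")


# Constructed hosts and a reconstruction of the rules described in the thread.
HOSTS = {h.name: h for h in (
    Host("pfsense", "10.0.0.1", "firewall"),
    Host("desktop", "10.0.0.20", "wired"),
    Host("phone", "10.0.0.50", "wifi"),
    Host("worklaptop", "10.0.0.111", "wifi"),
)}
RULES = [
    ("pass", "10.0.0.111", "10.0.0.1/32"),   # allow This Firewall (self)
    ("block", "10.0.0.111", "10.0.0.0/24"),  # block laptop -> LAN subnets
    ("pass", "any", "any"),                  # the usual allow-to-any rule
]


def demo():
    """Trace the cases from the thread; 8.8.8.8 stands in for any Internet host."""
    lap = "worklaptop"
    return {
        "laptop->phone": trace(HOSTS, RULES, lap, "10.0.0.50"),
        "laptop->phone, AP isolation": trace(HOSTS, RULES, lap, "10.0.0.50", ap_client_isolation=True),
        "laptop->desktop": trace(HOSTS, RULES, lap, "10.0.0.20"),
        "laptop->desktop, pfil_member=0": trace(HOSTS, RULES, lap, "10.0.0.20", bridge_pfil_member=False),
        "laptop->internet": trace(HOSTS, RULES, lap, "8.8.8.8"),
    }


if __name__ == "__main__":
    for case, (path, verdict) in demo().items():
        print(f"{case:32} {path:20} {verdict}")
```

The bridge case is the one worth checking on a real box: System > Advanced > System Tunables shows net.link.bridge.pfil_member and net.link.bridge.pfil_bridge; with pfil_member=1 the interface rules on OPT1 and LAN apply to bridged frames, with pfil_member=0 and pfil_bridge=1 only rules on the bridge interface itself do, and with both at 0 nothing is filtered at all.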
JKnott @pastic

@pastic said in Can't completely isolate one laptop from the lan:

I try to do this without buying a separate access point to run a separate subnet.

Does your AP support VLANs and multiple SSIDs? If so, you could create a connection just for that computer, just like my guest WiFi.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

JKnott @johnpoz

@johnpoz said in Can't completely isolate one laptop from the lan:

Your AP should have an option to isolate devices on the wifi. Normally called AP isolation or client isolation.

Wouldn't that isolate only wireless devices, leaving the rest of the network open?


johnpoz LAYER 8 Global Moderator @JKnott

@JKnott It would depend on whether he has any wired devices. If his AP is plugged directly into pfSense then there would be no other "wired" devices.

But yeah, the best solution would be a VLAN-capable AP; this allows you better control of what can talk to what, etc.


tgl @JKnott

@JKnott said in Can't completely isolate one laptop from the lan:

Wouldn't that isolate only wireless devices, leaving the rest of the network open?

Yeah, client isolation is only one piece of a solution. (But it's a necessary piece if you don't want clients on the same SSID to be able to contact each other.) Once you get off the AP, you need VLANs or some other idea to block traffic to other devices.

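The SSID-per-VLAN layout tgl, JKnott and johnpoz recommend, applied to the OpenWrt AP pastic built, as an added Python checker that is not part of the thread: it parses UCI-format /etc/config/wireless and /etc/config/network text and flags a work SSID that still shares the home network's broadcast domain, lacks client isolation, or sits on a bridge that shares a port with the home bridge. The two config pairs are constructed; the interface names, the network name 'work' and VLAN ID 111 are assumptions, and pfSense would need a matching VLAN 111 interface with its own rules on the NIC the AP plugs into.

```python
"""Added check that a work SSID on an OpenWrt AP sits in its own L2 domain.

Reads UCI-format wireless and network config text (constructed inline below).
Interface names and VLAN ID 111 are assumptions, not taken from the thread.
"""
import shlex


def parse_uci(text):
    """Minimal UCI parser: [{'type', 'name', 'opts'}]; 'list' keys collect into lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opts": {}}
            sections.append(cur)
        elif parts[0] == "option":
            cur["opts"][parts[1]] = parts[2]
        elif parts[0] == "list":
            cur["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def ports_of(net, iface_name):
    """Ports behind a UCI interface, resolving a bridge device to its member ports."""
    devs = {s["opts"].get("name"): s for s in net if s["type"] == "device"}
    iface = next((s for s in net if s["type"] == "interface" and s["name"] == iface_name), None)
    if iface is None:
        return set()
    dev = iface["opts"].get("device")
    d = devs.get(dev)
    if d is not None and d["opts"].get("type") == "bridge":
        return set(d["opts"].get("ports", []))
    return {dev} if dev else set()


def isolation_findings(wireless_text, network_text, ssid, home_iface="lan"):
    """Return a list of problems; an empty list means the SSID has its own L2 segment."""
    wl, net = parse_uci(wireless_text), parse_uci(network_text)
    aps = [s for s in wl if s["type"] == "wifi-iface"]
    work = next((s for s in aps if s["opts"].get("ssid") == ssid), None)
    if work is None:
        return [f"no wifi-iface with ssid {ssid!r}"]
    wnet, findings = work["opts"].get("network"), []
    for other in aps:  # same UCI network => same broadcast domain, firewall never sees it
        if other is not work and other["opts"].get("network") == wnet:
            findings.append(f"SSID {ssid!r} shares network {wnet!r} with SSID {other['opts'].get('ssid')!r}")
    for p in sorted(ports_of(net, wnet) & ports_of(net, home_iface)):
        findings.append(f"network {wnet!r} and {home_iface!r} both bridge port {p!r}")
    if work["opts"].get("isolate") != "1":  # per-SSID client isolation
        findings.append(f"SSID {ssid!r} lacks 'option isolate 1': its own clients can still reach each other")
    return findings


# Constructed configs. FLAT: both SSIDs bridged onto the single LAN, like the old
# AP. FIXED: the work SSID on its own bridge over VLAN 111 so pfSense can firewall it.
WIRELESS_FLAT = """
config wifi-iface 'home'
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'home'

config wifi-iface 'work'
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'work'
"""
WIRELESS_FIXED = WIRELESS_FLAT.replace(
    "option network 'lan'\n    option ssid 'work'",
    "option network 'work'\n    option ssid 'work'\n    option isolate '1'")
NETWORK_FLAT = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'
"""
NETWORK_FIXED = NETWORK_FLAT + """
config device
    option type '8021q'
    option ifname 'eth0'
    option vid '111'
    option name 'eth0.111'

config device
    option name 'br-work'
    option type 'bridge'
    list ports 'eth0.111'

config interface 'work'
    option device 'br-work'
    option proto 'none'
"""
```

Run against the FLAT pair it reports three findings (shared network, shared port eth0, no isolation); against the FIXED pair it reports none, because the work SSID's only path off the AP is the tagged eth0.111 subinterface, which the AP never bridges to the untagged home traffic.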
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.