Can't completely isolate one laptop from the lan
-
I have an sg4680. I run my home LAN on 10.0.0.1/24. pfSense is on igb0 at 10.0.0.1. I have a WiFi router in access point mode on opt1 at 10.0.0.2 for WiFi access from laptops and smartphones.
Now, I was given a company laptop that I want to use at home (WiFi only) but it should be completely unable to access any of my home lan stuff, computers or telephones.
I try to do this without buying a separate access point to run a separate subnet.
I gave it a static ip 10.0.0.111 and then created a rule that blocks access from that ip to LAN Subnets as well as to an alias that covers my computers and telephones, apart from This firewall (self).
It can access the outside Internet as it should, but it can also ping my machines in the lower 10.0.0.1/24 range, such as smartphones and a laptop connected to WiFi. I thought that would be impossible with the block rule (basically I thought both block rules should block such traffic). Wired devices are blocked, though. Can WiFi devices talk to each other without passing through the firewall?
-
@pastic devices on the same network have zero to do with pfSense. pfSense is the gateway to get off a network.
10.0.0.x/24 talking to 10.0.0.y/24 couldn't care less if pfSense is on or off. It has nothing to do with devices on the same network talking to each other. You can create all the rules you want; pfSense is not in the picture.
Your AP should have an option to isolate devices on the wifi. Normally called AP isolation or client isolation.
Get yourself another AP that can do VLANs, or maybe your current one can? Then you can put your work laptop on its own isolated network. Or maybe the switch you're using has an option, often called a private VLAN, that can isolate devices on the same network?
pfSense has nothing to do with it.
-
@pastic said in Can't completely isolate one laptop from the lan:
Can WiFi devices talk to each other without passing through the firewall?
Yes, an AP will normally forward cross-client traffic directly without it ever passing through your router.
Most WiFi gear will have a "client isolation" option that prevents that, but it's all-or-nothing and will slow cross-client traffic for all the rest of your gear too. What you really want is to put the company laptop on its own SSID with its own VLAN, and rely on the VLAN for isolation --- but you'll need an AP that knows about VLANs.
-
@pastic Some wireless APs have a guest mode that isolates the devices. eero can do that even if bridged for example.
-
Thanks to all three of you who chimed in!
My AP is an oldish Netgear router that can't do VLANs/isolation, but I found a use for a Raspberry Pi 4 that I had lying around. I loaded OpenWrt onto it and now have a separate AP for the work computer. Maybe the next step is to get rid of the old Netgear and do two VLANs in OpenWrt. But that's a project for the next holidays.
@johnpoz said in Can't completely isolate one laptop from the lan:
10.0.0.x/24 talking to 10.0.0.y/24 couldn't care less if pfSense is on or off. It has nothing to do with devices on the same network talking to each other. You can create all the rules you want; pfSense is not in the picture.
I have a non-recommended? setup where pfSense actually is in the picture, but that's just because of me. I have bridged LAN (wired) and OPT1 (wireless) so clients on both interfaces belong to the 10.0.0.0/24 subnet. But I have not followed through and "assigned the bridge as LAN". I guess this is what made it possible for me to block wireless traffic from going to wired addresses. I think this is what is going on, but without your post I would not have thought twice and realised it.
-
@pastic said in Can't completely isolate one laptop from the lan:
I try to do this without buying a separate access point to run a separate subnet.
Does your AP support VLANs and multiple SSIDs? If so, you could create a connection just for that computer, just like my guest WiFi.
-
@johnpoz said in Can't completely isolate one laptop from the lan:
Your AP should have an option to isolate devices on the wifi. Normally called AP isolation or client isolation.
Wouldn't that isolate only wireless devices, leaving the rest of the network open?
-
@JKnott depends on whether he has any wired devices. If his AP is plugged directly into pfSense then there would be no other "wired" devices.
But yeah, the best solution would be a VLAN-capable AP; this allows you better control of what can talk to what, etc.
-
@JKnott said in Can't completely isolate one laptop from the lan:
Wouldn't that isolate only wireless devices, leaving the rest of the network open?
Yeah, client isolation is only one piece of a solution. (But it's a necessary piece if you don't want clients on the same SSID to be able to contact each other.) Once you get off the AP, you need VLANs or some other idea to block traffic to other devices.
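As an added illustration of the two pieces the thread settles on (client isolation on the SSID, plus a VLAN so that traffic leaving the AP must cross pfSense), here is what that looks like on the OpenWrt Raspberry Pi the original poster mentions. This is example config, not anything a poster or the OpenWrt/pfSense projects supplied. It assumes OpenWrt 21.02 or later with its radio named radio0, that the Pi's eth0 plugs into the pfSense port that today serves OPT1, and that the home SSID stays untagged on the existing `lan` network; the VLAN ID 20, the SSID name, the section names and the passphrase placeholder are all assumptions.

```conf
# /etc/config/network  (appended to the existing sections; VLAN 20 is assumed)

# 802.1Q sub-interface carrying only the work VLAN up the cable to pfSense.
# Untagged frames on eth0 keep carrying the home LAN as before.
config device
	option name 'eth0.20'
	option type '8021q'
	option ifname 'eth0'
	option vid '20'

# Bridge that the work SSID is attached to. Its only wired member is the
# tagged sub-interface, so work stations can reach nothing else on the AP.
config device
	option name 'br-work'
	option type 'bridge'
	list ports 'eth0.20'

# proto 'none': the AP holds no IP address in this VLAN, it is a pure
# layer-2 pass-through, so the work laptop cannot reach the AP itself.
config interface 'work'
	option device 'br-work'
	option proto 'none'

# /etc/config/wireless  (the existing wifi-device 'radio0' section is kept)

config wifi-iface 'work_ap'
	option device 'radio0'
	option mode 'ap'
	# binds this SSID to the 'work' interface, i.e. br-work / VLAN 20
	option network 'work'
	option ssid 'work-laptop'
	option encryption 'psk2'
	option key 'CHANGE-ME-use-a-long-random-passphrase'
	# client isolation: stations on this SSID cannot talk to each other
	# via the AP; it does not affect the home SSID
	option isolate '1'
```

Apply with `/etc/init.d/network reload` followed by `wifi reload` on the Pi. On the pfSense side the VLAN then needs a home: Interfaces > Assignments > VLANs, create tag 20 on the physical port the Pi is connected to, assign the new VLAN interface (for example as WORK), give it its own subnet that is not 10.0.0.0/24, enable DHCP on it, and add rules on WORK that block destination "LAN subnets" (or an RFC 1918 alias) before a pass-to-any rule. Because the laptop now lives in a different subnet, every packet towards 10.0.0.0/24 has to go through pfSense as its gateway, which is exactly the situation in which the block rules that did nothing before start to apply. A quick check from the work laptop: it should get a lease from the new subnet, and a ping to 10.0.0.2 or to any phone on the home SSID should fail while Internet access still works.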