Help needed with network design (Client isolation on same subnet)
-
I hope this can be clarifying for others new to networking too.
I’ve been trying to isolate a single device from communicating with other devices on my network while still reaching the internet. While trying to do this I’ve realized I likely have been very mistaken about how my firewall works, i.e., that it won’t do anything to block traffic between clients on the same subnet.
My design had been to set my DHCP server to assign addresses between xx.xx.xx.100 to xx.xx.xx.200.
I then created an alias that contained all these addresses and called it “Unapproved_Clients”. And finally a firewall rule that blocked “Unapproved_Clients” from reaching anything. I then manually added a static mapping for each device I wanted to approve with an address below xx.xx.xx.100. However, I realize now that these rules did nothing to prevent an unapproved client that somehow would have gotten access to my wifi from communicating with the other devices on the subnet. I had mistakenly assumed that the firewall rule allowed me to block access to the subnet itself, when in fact, it was only blocking access to the internet and the rest of my network. My firewall has no power to control what happens between devices on the same subnet since that traffic never hits the firewall in the first place. So a potential intruder on my wifi network could gain access to the other devices on the same wifi. Have I got this right?
For information, I have an access point with 4 SSIDs each on their own VLAN which are in turn set up as individual interfaces in pfSense, so each of these VLANs can have their own firewall rules. All but one of these 4 VLANs have internet traffic routed through a Mullvad tunnel.
I have the typical wifi VLANs:
- Trusted devices
- IOT devices
- Guest network
- No VPN internet access
I was hoping I would be able to granularly specify what clients can talk to what clients on the same subnet via the firewall. But basically this granularity is only possible once traffic reaches the firewall (right?). I know I can do it for the whole subnet SSID via the access point, but there it’s a binary option (all or nothing).
A lingering question I had is why the ping is not sent to the firewall when two devices on the same subnet try to communicate but client isolation is turned on at the AP level? Why not:
Device 1 -> AP -> Firewall -> AP -> device 2
And let the firewall dictate if they are allowed to talk to each other ?
-
@CharlesT you can filter who can talk to who across VLANs on pfSense. But on the same network, if they are wireless you can do that via AP or client isolation. This would be a feature of your AP. But I do not recall seeing a setting where you could say for example client A can talk to B, but not C when they are on the same SSID/VLAN.
Now if the clients were wired this could be done with what is called a private VLAN... Then you can get very granular and say A can talk to B but not C, C can talk to D and E, etc.
-
@CharlesT As you have found out, the firewall never sees traffic between clients in the same VLAN. That’s because the firewall is only engaged when the traffic needs to be routed in/out of the IP subnet of that VLAN.
If you want to filter traffic between clients on the same VLAN you have 3 options:
1: Using a built-in software firewall on the client. However some clients and mostly all IOT devices do not have this.
2: Place a transparent L2 firewall device on the wire between each client and the switch. This is completely impossible in home setups.
3: Purchase better/more costly switches and APs that support per-client/port ACLs (Access Control Lists), and filter the traffic in your switch/AP.
-
@CharlesT So in essence:
You need to raise your budget and purchase much more capable hardware, or you need to segment your clients into more VLANs to be able to prevent unwanted crosstalk.
-
@keyser Thanks! I just found out that my AP allows a list of exceptions via MAC addresses once you enable client isolation, so this is good enough for the moment.
What I am more worried about now are some devices I have connected on my LAN network over Ethernet, like a not too recent MacBook Pro for which Apple has stopped releasing security updates and that I use as a media server. I guess I'll put it on the IOT network instead since I'm not really sure how to create a one-way permission via the switch (so that other devices on the LAN network can talk to it but not the reverse). Not sure if this makes sense.
-
@CharlesT It does make sense, but the more capable switches and APs do not support stateful firewalling. They only support traffic ACLs on ports/clients.
The difference between the two is you cannot control direction - either you allow an IP:port to talk to an IP:port - both directions - or you don’t. There is a “sort of” direction control option with TCP traffic, but it’s not actually stateful.
But generally it gets the job done if you design your network and segmentation with care.
-
@keyser Thanks. One thing remains unclear to me: when creating the firewall rules for each interface, I remember being told I had to create a rule to sort of give the interface (in my case VLANs) access to itself. They all have a rule like:
Action: Pass
Protocol: Any
Family address: IPV4
Source: VLAN subnet
Destination: VLAN subnets
Is this necessary? And if so why? If the inner-subnet traffic never hits the firewall, why this pass rule?
BTW, I have tried disabling it and weirdly enough, it seems to have no effect on my iPad which continues to connect to the internet just fine, while my iMac loses access to the internet. Both have joined the wifi for that VLAN, so I don't understand what is going on.
-
@CharlesT Hi Charles. Your assumption is correct - that rule is not needed, and should not be there. Since the traffic never passes the firewall, it does not need a rule to allow it.
But - the rule also does give the VLAN clients access to any services running on the firewall’s VLAN IP interface, such as DNS and perhaps NTP. Generally you might want to consider sorting your rules as follows:
1: Rules that allow access to the needed services running on the firewall itself (DNS, NTP, WebInterface)
2: Rules that allow access to anything running on other internal VLAN interfaces
3: Block rules that block all traffic to all internal networks if not opened in step 2.
4: Block rules to block all unintended internet traffic (e.g. pfBlocker lists of offenders, GEO blocking and so on)
5: Allow rules for Internet traffic.
Steps 3 and 5 can be combined in one “NOT internal networks” rule if you want, but generally the transparency and readability/logging features of splitting the rules as described is better.
-
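Added example (mine, not code from any poster in this thread or from pfSense): a small Python model of two points made above, keyser's earlier one that same-VLAN traffic never reaches the firewall, and the five-step rule order in the last reply. The 192.168.x.x addresses, the port-8096 step-2 exception and the service ports are constructed placeholders for the poster's "xx.xx.xx" network.

```python
import ipaddress

# Constructed addresses: placeholders for the poster's "xx.xx.xx" VLAN, not real values
VLAN_NET = ipaddress.ip_network("192.168.10.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.10.1")      # pfSense address on this VLAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24")]
# Step-2 exceptions (constructed): destination net and port a client may reach on another VLAN
STEP2_ALLOW = [(ipaddress.ip_network("192.168.20.0/24"), 8096)]
FIREWALL_SERVICES = {53, 123, 443}                       # DNS, NTP, web GUI on pfSense itself


def host_path(dst):
    """The sending host's own routing decision. A destination inside its own
    subnet is delivered over L2 (ARP, then switch/AP); the gateway is never asked."""
    return "direct" if ipaddress.ip_address(dst) in VLAN_NET else "gateway"


def vlan_rules(dst, port):
    """First-match evaluation of the VLAN interface ruleset in the five-step
    order keyser describes. Returns (action, step that matched)."""
    d = ipaddress.ip_address(dst)
    if d == FIREWALL_IP and port in FIREWALL_SERVICES:   # 1: services on the firewall
        return ("pass", 1)
    for net, p in STEP2_ALLOW:                            # 2: allowed cross-VLAN access
        if d in net and port == p:
            return ("pass", 2)
    if any(d in n for n in INTERNAL_NETS):                # 3: block all other internal
        return ("block", 3)
    # 4: blocklists / GEO blocking would sit here; nothing constructed for it
    return ("pass", 5)                                    # 5: allow internet


def decide(dst, port):
    """Only traffic that actually arrives at pfSense is evaluated: a packet to
    another host on the same VLAN stays on L2 and never sees the ruleset, while a
    packet addressed to pfSense's own VLAN IP does arrive and is evaluated."""
    d = ipaddress.ip_address(dst)
    if host_path(dst) == "direct" and d != FIREWALL_IP:
        return ("not seen by firewall", None)
    return vlan_rules(dst, port)
```

Note that without a step-1 rule, traffic to the firewall's own VLAN IP falls through to the step-3 block, which is the only thing the "VLAN subnet to VLAN subnets" pass rule was actually doing.
-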
@CharlesT said in Help needed with network design (Client isolation on same subnet):
I’ve been trying to isolate a single device from communicating with other devices on my network while still reaching the internet.
Some switches can be configured to do what you want.