Netgate Discussion Forum

LAN Firewall rules

Firewalling
6 Posts 3 Posters 4.7k Views

AudiAddict
Aug 21, 2008, 8:18 AM

I've been trying to set rules for the LAN, e.g. block Remote Desktop to certain machines in the network in the same LAN subnet.

    But none of the rules work, even block everything to that internal IP fails.

This is probably due to the fact that the LAN interface on the pfSense is connected to a random switch port and the rest of the 20 clients are connected to the same switch.

Connections between LAN IPs are obviously not going past the pfSense; it just goes from one switch port to the other.

So this would be a physical problem with the switch setup. How would I get control over the LAN itself? Would I need a layer 3 switch to do this?


Perry
Aug 21, 2008, 8:26 AM

      I think the easy way would be to use the local firewall.

      /Perry
      doc.pfsense.org


AudiAddict
Aug 21, 2008, 8:38 AM

Local firewall? What do you mean? On the machines themselves? Or an additional firewall?


Perry
Aug 21, 2008, 8:58 AM

Yes. On XP's local firewall you can specify by IP.

          /Perry
          doc.pfsense.org


AudiAddict
Aug 21, 2008, 11:09 AM

Sure, that would work, but I would prefer blocking connections to a complete subnet range in the LAN, for example.

I guess this would only be possible with a pfSense in between somewhere.


tlum
Sep 28, 2008, 4:15 PM

              You can't centrally firewall machines within the same subnet! Interfaces within the same subnet communicate directly with each other. They only send traffic to the gateway when the destination address can't be routed directly to one of their local subnets. You would first need to logically isolate those machines so they cannot route to each other. Then, you would need to do central routing (and firewalling) for them.

              A hack, and it is a real dirty hack, would be to define every machine as its own subnet on the same physical segment and then define one interface on pfSense for each of the machines on the segment, then set up your rules. This is a really bad idea. It will probably break more than it fixes since the machines can't broadcast to each other any more and pfSense has to route every single packet. And even if you did that, since you'd be on the same physical segment, any user could get around it by just defining an IP in the segment they wanted to talk to.

The short answer is it can't be done.

              -Ted-

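The on-link decision tlum describes, modelled as an added example (not code from the thread or from pfSense). It assumes a constructed /24 LAN with pfSense at 192.168.1.1 as the default gateway, and shows why a same-subnet packet never reaches the firewall, what the per-host /32 "hack" changes, and why that hack depends entirely on each client's own mask.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed topology (assumption, not from the thread): pfSense is the
# default gateway of a flat /24 LAN shared by all clients on one switch.
GATEWAY = IPv4Address("192.168.1.1")


def next_hop(host: IPv4Interface, dst: IPv4Address,
             gateway: IPv4Address = GATEWAY) -> IPv4Address:
    """Where the host's own IP stack sends a packet for dst.

    Every host does this test with its *own* configured prefix: if dst is
    inside that prefix, the packet is ARPed for and handed straight to the
    switch; only otherwise is it sent to the default gateway. (The model
    ignores the extra on-link route a /32 host needs to reach its gateway.)
    """
    if dst in host.network:
        return dst        # delivered switch-port to switch-port; pfSense never sees it
    return gateway        # routed via pfSense, where LAN rules can apply


def gateway_sees(host: IPv4Interface, dst: IPv4Address) -> bool:
    """True only if the traffic traverses the central firewall."""
    return next_hop(host, dst) == GATEWAY


def share_broadcast_domain(a: IPv4Interface, b: IPv4Interface) -> bool:
    """True if a's subnet broadcast also reaches b (same logical subnet)."""
    return a.network.broadcast_address == b.network.broadcast_address


if __name__ == "__main__":
    client = IPv4Interface("192.168.1.10/24")
    peer = IPv4Address("192.168.1.20")
    internet = IPv4Address("203.0.113.7")       # documentation range, constructed
    print("flat /24, LAN peer via:", next_hop(client, peer))         # 192.168.1.20
    print("flat /24, Internet via:", next_hop(client, internet))     # 192.168.1.1

    # The "dirty hack": each machine configured as its own /32 subnet.
    hacked = IPv4Interface("192.168.1.10/32")
    print("/32 hack, LAN peer via:", next_hop(hacked, peer))         # 192.168.1.1
    print("/32 hack shares broadcast domain with peer:",
          share_broadcast_domain(hacked, IPv4Interface("192.168.1.20/32")))  # False

    # The decision is made by the client's own mask, so a central
    # gateway cannot enforce it: a host back on /24 is direct again.
    print("same host on /24 again, seen by pfSense:",
          gateway_sees(IPv4Interface("192.168.1.10/24"), peer))      # False
```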