Netgate Discussion Forum

Blocking RFC 1918 traffic not working

Firewalling
11 Posts, 5 Posters, 1.3k Views

thingsmg:

Hi to y'all

This is my first time posting something on forums, so bear with me.

I've been dealing with an issue, kind of a headache, for the last two days: I'm not able to block RFC 1918 on a specific subnet. Just to let you know, I have pfSense 2.4.2-RELEASE-p1, and also a four-port NIC card: one port for WAN, one for LAN (192.168.100.1/24), one for guest WiFi clients (192.168.200.1/24), and the last port is not used at the moment. I've also installed Squid proxy and SquidGuard to implement a transparent proxy on the WiFi client interface to prevent clients reaching porn sites and other stuff, and it is working fine. I've also enabled DNS Resolver listening on all interfaces, and last but not least, all clients on the WiFi interface are going out through a VPN client, which is also working great.

So, what I'm trying to accomplish on the guest WiFi interface (and I don't know right now if it is even possible) is to have an internet-only network: I don't want clients to see each other, only the internet. Right now the clients reach the internet through the VPN gateway perfectly, and I've managed to block traffic from 192.168.200.x (WiFi) to 192.168.100.x (LAN). But I can't block clients from seeing each other on the WiFi interface. For example, I do not want them to see the wireless access point, which has an IP address of 192.168.200.2, but they do! I have a camera connected to the same interface with IP 192.168.200.101 and any client can see the camera too. How can I prevent clients from seeing each other?

Thank you so much in advance for taking the time to help me solve this, I really appreciate it.

PS: I've attached some screenshots so you can see the rules I have on the interface.

[Attachments: rules.png, proxy.png]

Derelict (LAYER 8, Netgate):

You cannot use a layer 3 device (like pfSense) to isolate layer 2 clients from each other. That has to be done in your switching or wireless infrastructure.

Client-to-client traffic occurs on the same subnet. The firewall is not involved at all.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

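As an added example (not code from the thread or from pfSense), this small Python check models the OP's two interface subnets and a constructed rule set, and reports for each flow whether the firewall is on-path at all; the subnets are taken from the post, the rules and the sample addresses are assumptions.

```python
# Added example, not part of the thread: model the OP's pfSense interfaces
# and some constructed block rules, then decide for each flow whether the
# firewall is on-path. Hosts on the same interface subnet exchange frames
# directly at layer 2, so no pfSense rule can block them.
from ipaddress import ip_address, ip_network

# Interface subnets taken from the OP's description (assumption: /24s).
INTERFACES = {
    "LAN": ip_network("192.168.100.0/24"),
    "WIFI": ip_network("192.168.200.0/24"),
}

# Constructed rules in the spirit of the OP's screenshot: (interface, src, dst).
# The second rule is the one the OP hoped would isolate WiFi clients.
BLOCK_RULES = [
    ("WIFI", ip_network("192.168.200.0/24"), ip_network("192.168.100.0/24")),
    ("WIFI", ip_network("192.168.200.0/24"), ip_network("192.168.200.0/24")),
]

def interface_of(addr):
    """Return the pfSense interface whose subnet contains addr, or None."""
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None

def classify_flow(src, dst):
    """Classify src->dst: 'same-l2' (firewall never sees it), 'blocked'
    (matches a rule on the ingress interface), 'allowed' (routed through
    the firewall, e.g. to the internet, no rule hit) or 'unknown'."""
    src, dst = ip_address(src), ip_address(dst)
    src_if, dst_if = interface_of(src), interface_of(dst)
    if src_if is None:
        return "unknown"          # not a host behind one of our interfaces
    if src_if == dst_if:
        return "same-l2"          # never traverses pfSense; rules are moot
    for iface, s_net, d_net in BLOCK_RULES:
        if iface == src_if and src in s_net and dst in d_net:
            return "blocked"
    return "allowed"

def unenforceable_rules():
    """Rules whose source and destination overlap, i.e. same-subnet traffic
    that a layer 3 firewall cannot filter. Worth auditing a rule set for."""
    return [r for r in BLOCK_RULES if r[1].overlaps(r[2])]

if __name__ == "__main__":
    print(classify_flow("192.168.200.50", "192.168.200.2"), unenforceable_rules())
```

The WiFi-to-LAN rule is enforceable because that traffic is routed through pfSense, while the WiFi-to-WiFi rule never matches anything, which is exactly why the OP's camera and access point stay reachable.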
thingsmg:

Thanks for your reply, I thought that wasn't possible on pfSense.

Harvy66:

@thingsmg:

    Thanks for your reply, I thought that wasn't possible on pfSense.

It's not possible on anything other than the switch/AP. You should never have two subnets in the same broadcast domain.

JKnott:

    You should never have two subnets in the same broadcast domain.

Possible but not common on IPv4. Entirely normal and supported on IPv6.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

Derelict (LAYER 8, Netgate):

None of which is relevant to OP's problem. The subnets are on separate NICs as they should be.

thingsmg:

Thank y'all, guys; it's more than clear that it is not possible to do it. I'm still open if there's any idea on how to do it. Thanks.

Derelict (LAYER 8, Netgate):

Do it in your wireless and switching (Layer 2) infrastructure.

Google wireless client isolation and switch port isolation. Look at your AP docs. Open a ticket with them.

johnpoz (LAYER 8, Global Moderator):

"Entirely normal and supported on IPv6."

No it is NOT.... You do not route traffic between a link local and or globals on the same L2...

What part of this do you not understand?? You do not put 2 different global IPv6 prefixes on the same L2 and route between them.

Having a link local and global address or even a ULA on the same L2 is not the same thing..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

JKnott:

Hi Jon

You seem to be stuck on IPv4 to the point that you don't know how things are on IPv6. One example was our recent discussion about IPv6 transit networks, where you didn't seem to know that IPv6 routing is done over link-local addresses, not global or even local (ULA) addresses. IPv6 was designed to allow things that were never considered or unlikely to be done on IPv4. For example, it is understood that multiple prefixes on an interface are normal. They could be global or local. They're allowed, and pfSense happily provides them. It's also possible to have multiple default gateways on a network, with priority set according to what's supposed to be the primary vs. fallback. You might also have multiple gateways that provide specific routes to some destinations. All this and more is part of IPv6. One example I've read about for having global and local addresses on an interface is so that IoT, on the local prefix, could be used, while also having global addresses for the Internet. You might want to read a book, such as IPv6 Essentials, from O'Reilly, to learn more. I've read that and other books on IPv6. I'm currently reading IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, from Cisco. In those books you'll find these things and more were intended when IPv6 was designed. IPv6 is about much more than just a larger address space.

Harvy66:

@thingsmg:

    Thank y'all, guys; it's more than clear that it is not possible to do it. I'm still open if there's any idea on how to do it. Thanks.

Not possible via pfSense or any other firewall unless it somehow integrates into your switch/AP. There are APs or switches that can support some forms of client isolation within a broadcast domain. I've never used one, but I know they exist.

@Derelict:

    None of which is relevant to OP's problem. The subnets are on separate NICs as they should be.

I totally misread the second paragraph. I saw his current setup was separate interfaces, but I thought they were trying to combine them.

@JKnott:

    Hi Jon

    … IPv6 was designed to allow things that were never considered or unlikely to be done on IPv4. ...

Having multiple subnets in the same broadcast domain has nothing to do with IPv4 vs IPv6. IPv6 may make certain aspects of it better or take advantage of certain aspects, but many of the downsides are exactly the same due to fundamental issues that are orthogonal to the Layer 3 protocol.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.