Netgate Discussion Forum
    Blocking RFC 1918 traffic not working

    Firewalling
    • Derelict (LAYER 8 Netgate)

      You cannot use a layer 3 device (like pfSense) to isolate layer 2 clients from each other. That has to be done in your switching or wireless infrastructure.

      Client-to-client traffic occurs on the same subnet. The firewall is not involved at all.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

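An added example (not from the thread and not pfSense code) that models Derelict's point: a host delivers same-subnet traffic directly at layer 2, so a "block RFC 1918" rule on the firewall can only match flows that are actually routed between its interfaces. The interface layout and host addresses are constructed.

```python
# Why a pfSense "block RFC 1918" rule never sees client-to-client traffic
# inside one subnet: the sending host never hands that traffic to the router.
from ipaddress import ip_address, ip_interface, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed layout: two LAN segments on separate NICs (the OP's setup).
INTERFACES = {
    "LAN":  ip_interface("192.168.1.1/24"),
    "OPT1": ip_interface("192.168.2.1/24"),
}

def host_next_hop(src_with_prefix, dst):
    """The host's own forwarding decision. On-link destinations are
    delivered directly at layer 2 (ARP/ND); anything else goes to the
    default gateway. src_with_prefix is e.g. '192.168.1.10/24'."""
    host = ip_interface(src_with_prefix)
    return "direct" if ip_address(dst) in host.network else "gateway"

def firewall_sees(src, dst, interfaces=INTERFACES):
    """Return the (ingress, egress) interface pair the firewall would route
    between, or None when the packet never reaches the firewall at all.
    Simplification: only flows originating behind the firewall are modelled."""
    s, d = ip_address(src), ip_address(dst)
    ingress = next((n for n, i in interfaces.items() if s in i.network), None)
    egress = next((n for n, i in interfaces.items() if d in i.network), None)
    if ingress is None:
        return None            # source is not on any firewall-facing segment
    if ingress == egress:
        return None            # same broadcast domain: switched, never routed
    return (ingress, egress or "WAN")

def block_rfc1918_applies(src, dst, interfaces=INTERFACES):
    """Would an inbound 'block destination RFC 1918' rule on the ingress
    interface match this flow? Only if the flow traverses the firewall."""
    if firewall_sees(src, dst, interfaces) is None:
        return False
    return any(ip_address(dst) in net for net in RFC1918)

if __name__ == "__main__":
    # Same /24: host ARPs for the peer directly, rule cannot fire.
    print(host_next_hop("192.168.1.10/24", "192.168.1.20"),
          block_rfc1918_applies("192.168.1.10", "192.168.1.20"))
    # Separate NICs: routed through pfSense, rule matches.
    print(host_next_hop("192.168.1.10/24", "192.168.2.20"),
          block_rfc1918_applies("192.168.1.10", "192.168.2.20"))
```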
      • thingsmg

        Thanks for your reply, I thought that wasn't possible on pfSense.

        • Harvy66

          @thingsmg:

          Thanks for your reply, I thought that wasn't possible on pfSense.

          It's not possible on anything other than the switch/AP. You should never have two subnets in the same broadcast domain.

          • JKnott

            You should never have two subnets in the same broadcast domain.

            Possible but not common on IPv4.  Entirely normal and supported on IPv6.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • Derelict (LAYER 8 Netgate)

              None of which is relevant to OP's problem. The subnets are on separate NICs as they should be.

              • thingsmg

                Thank y'all guys, it's more than clear that it is not possible to do it. I'm still open if there's any idea on how to do it. Thanks.

                • Derelict (LAYER 8 Netgate)

                  Do it in your wireless and switching (Layer 2) infrastructure.

                  Google wireless client isolation and switch port isolation. Look at your AP docs. Open a ticket with them.

                  • johnpoz (LAYER 8 Global Moderator)

                    "Entirely normal and supported on IPv6."

                    No it is NOT... You do not route traffic between link-local and/or global addresses on the same L2...

                    What part of this do you not understand??  You do not put 2 different global ipv6 prefixes on the same L2 and route between them.

                    Having a link local and global address or even a ULA on the same L2 is not the same thing..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    • JKnott

                      Hi Jon

                      You seem to be stuck on IPv4 to the point you don't know how things are on IPv6. One example was our recent discussion about IPv6 transit networks, where you didn't seem to know IPv6 routing is done over link local addresses, not global or even local (ULA) addresses.

                      IPv6 was designed to allow things that were never considered or unlikely to be done on IPv4. For example, it is understood that multiple prefixes on an interface are normal. They could be global or local. They're allowed and pfSense happily provides them. It's also possible to have multiple default gateways on a network, with priority set according to what's supposed to be the primary vs fallback. You might also have multiple gateways that provide specific routes to some destinations. All this and more is part of IPv6. One example I've read about for having global and local addresses on an interface is so that IoT, on the local prefix, could be used, while also having global addresses for the Internet.

                      You might want to read a book, such as IPv6 Essentials, from O'Reilly to learn more. I've read that and other books on IPv6. I'm currently reading IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, from Cisco. In those books you'll find these things and more were intended when IPv6 was designed. IPv6 is about much more than just a larger address space.

                      • Harvy66

                        @thingsmg:

                        Thank y'all guys, it's more than clear that it is not possible to do it. I'm still open if there's any idea on how to do it. Thanks.

                        Not possible via pfSense or any other firewall unless it somehow integrates into your switch/AP. There are APs or switches that can support some forms of client isolation within a broadcast domain. I've never used one, but I know they exist.

                        @Derelict:

                        None of which is relevant to OP's problem. The subnets are on separate NICs as they should be.

                        I totally misread the second paragraph. I saw his current setup was separate interfaces, but I thought they were trying to combine them.

                        @JKnott:

                        Hi Jon

                        … IPv6 was designed to allow things that were never considered or unlikely to be done on IPv4.  ...

                        Having multiple subnets in the same broadcast domain has nothing to do with IPv4 vs IPv6. IPv6 may make certain aspects of it better or take advantage of certain aspects, but many of the downsides are exactly the same due to fundamental issues that are orthogonal to the Layer 3 protocol.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.