Netgate Discussion Forum

Communication between devices (Firewalling)
Easy4Breezy

Hi,

I have a mainboard with 1 NIC and an extra quad NIC.

One of the ports of the quad NIC is set up as WAN (igb0), and LAN is igb0, OPT1 is igb2, OPT2 is igb3 and OPT3 is em0.
I bridged LAN and the OPT ports.
On LAN is my external router for the Wi-Fi hosts; on OPT1 are my NAS and Pi-hole, for example.

Now I cannot access my NAS from WLAN devices, so I have set up a rule so that I can access the specific IP address of the NAS from my computer's IP.
The NAS is at 192.168.1.2, my computer is 192.168.1.100, and the DHCP range is from 100 up to 254.
Is this because the NAS is outside of the DHCP range?

I also want to block communication from some devices to each other.
I have tried to block 192.168.1.2 (NAS) to 192.168.1.3 (Pi-hole), but they are still able to talk to each other.
At least I can use PuTTY to log in to my Pi-hole via SSH…

What is going on here?
I am a newbie to pfSense, but I learn quickly :)
ikkuranus

Can you clarify how the Wi-Fi is set up? Is the Wi-Fi router in AP mode, or is DHCP disabled and the WAN port unused?

If you created a 2nd network behind pfSense with overlapping subnets, it would definitely cause the problem you were describing with Wi-Fi machines not reaching the NAS.

Lastly, you can't firewall with pfSense between 2 machines on the same subnet.
Easy4Breezy

@ikkuranus:

Can you clarify how the Wi-Fi is set up? Is the Wi-Fi router in AP mode, or is DHCP disabled and the WAN port unused?

The Wi-Fi router is in AP mode with DHCP disabled, but the router is connected via its WAN port to the LAN port of pfSense.
Every device connected via Wi-Fi gets an IP from 100 up, so I think everything is fine there.

@ikkuranus:

If you created a 2nd network behind pfSense with overlapping subnets, it would definitely cause the problem you were describing with Wi-Fi machines not reaching the NAS.

No, I have not created a 2nd network; I just bridged all the ports so that they are all in one network or subnet.
On the bridge "interface" I enabled DHCP, and on the interfaces themselves I set DHCP to none.
So every device is in subnet 192.168.1.x.
The DHCP range starts at 100; below that I have some static reservations, for my NAS for example.

@ikkuranus:

Lastly, you can't firewall with pfSense between 2 machines on the same subnet.

I did exactly this one:
https://doc.pfsense.org/index.php/Interface_Bridges

At the moment I can prevent communication between my LAN devices, because they are on a managed switch (at least I can tell the switch to disable or allow communication at all, but not per port), but I can't disable communication between WLAN devices. Do I have to create extra subnets for that?

And you said that I can't firewall on the same subnet. That is not 100% correct, because I cannot reach my NAS from my phone over TCP 445 (SMB) without adding a rule that enables this. But I cannot prevent communication on the same port from my phone to my brother's computer, which is also on WLAN.
So from my understanding I can only firewall between two physical interfaces, even though they are in the same subnet.

The only things I didn't change are net.link.bridge.pfil_member and net.link.bridge.pfil_bridge (see link). Is it then possible to firewall like I want?
Easy4Breezy

https://www.infotechwerx.com/blog/Creating-a-Simple-pfSense-Bridge

Maybe I have to experiment with those two settings; I will report tomorrow.
jahonix

Why the heck do so many inexperienced users bridge interfaces? What are the thoughts when doing so?
Bridging interfaces is not a general-purpose replacement for a switch. Never was, never will be.

Even your cited site reads: "A good rule of thumb is switch when you can, bridge only if you must."

@Easy4Breezy:

One of the ports of the quad NIC is set up as WAN (igb0), and LAN is igb0, …

As the Highlander used to say: there can be only one (on igb0 without VLANs).

For the other interfaces, better get a $5 switch hooked up to LAN and connect hosts, NAS and WLAN APs there. Way better performance and zero problems with traffic between devices.
jahonix

@Easy4Breezy:

I have tried to block 192.168.1.2 (NAS) to 192.168.1.3 (Pi-hole), but they are still able to talk to each other.

::)
How did you set net.link.bridge.pfil_member and net.link.bridge.pfil_bridge in System Tunables?

Imagine your bridged interfaces to be a switch (just for now; forget about that in 5 min again!). Traffic between hosts on the same subnet will not hit the router (it is not routed to another network, right?) and therefore cannot be filtered.
Put them on different subnets (that's what multiple interfaces are there for!) and filter between them. But don't expect near line-speed traffic to/from your NAS!
Easy4Breezy

@jahonix:

For the other interfaces, better get a $5 switch hooked up to LAN and connect hosts, NAS and WLAN APs there. Way better performance and zero problems with traffic between devices.

But how can I prevent communication from specific devices to each other in a setup like this?
I think with VLANs, but how do I tag each device then, when it's all on one port of pfSense?

@jahonix:

How did you set net.link.bridge.pfil_member and net.link.bridge.pfil_bridge in System Tunables?

net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1

@jahonix:

Imagine your bridged interfaces to be a switch (just for now; forget about that in 5 min again!). Traffic between hosts on the same subnet will not hit the router (it is not routed to another network, right?) and therefore cannot be filtered.
Put them on different subnets (that's what multiple interfaces are there for!) and filter between them. But don't expect near line-speed traffic to/from your NAS!

So forget the $5 switch for all devices?
Hook up WLAN to OPT1? And NAS to OPT2? Wired devices to LAN?
Derelict (LAYER 8, Netgate)

                    I wrote that walkthrough.

                    JUST GET A SWITCH!

                    WHY do you people do this bridging nonsense?

                    Preventing clients on the same subnet from communicating with each other is called layer 2 isolation.

Most quality APs will have a setting that prevents clients from being able to communicate with each other. This might be called Wireless Client Isolation.

                    Most switches (even cheap ones - but they have to be at least "web smart" "managed" switches) have the ability to create isolated ports. Often called things like private vlan edge or traffic segmentation.

                    These can often be leveraged so clients can only reach the uplink (router/server) ports and cannot communicate with each other.

[Two screenshots attached: "Screen Shot 2018-03-13 at 3.22.13 AM.png" and "Screen Shot 2018-03-13 at 3.25.57 AM.png"]

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

jahonix

@Easy4Breezy:

I think with VLANs, but …

Forget about VLANs for now; you would need a managed switch. Get your basic setup working first.

@Easy4Breezy:

net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1

And do you already know what that means, or is it like this just because it's in the tutorial?

@Easy4Breezy:

So forget the $5 switch for all devices?

No. 5 minutes are over. Get a $5 switch. Forget about the rest.
Easy4Breezy

@Derelict:

Most quality APs will have a setting that prevents clients from being able to communicate with each other. This might be called Wireless Client Isolation.

Most switches (even cheap ones - but they have to be at least "web smart" "managed" switches) have the ability to create isolated ports. Often called things like private VLAN edge or traffic segmentation.

I already activated that on my Asus router, which is in AP mode.
And my switch is also able to isolate the ports.

But for WLAN I can only disable it for all devices and not for specific ones.
Maybe I want something that is just not working.

And I created the bridge because I had a quad NIC at home, so why not use it..

@jahonix:

Forget about VLANs for now; you would need a managed switch. Get your basic setup working first.

I have a switch which is able to do VLANs, but my router is not.

@Easy4Breezy:

net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1

@jahonix:

And do you already know what that means, or is it like this just because it's in the tutorial?

Yes, that means that filtering is now enabled on my bridge and not on the NIC ports.
Derelict (LAYER 8, Netgate)

                          Maybe you want something that is just not possible.

                          Isolation is generally on a per-network, not a per-client basis.

                          If you want different isolation behavior, put your clients on different networks. Many ways to do this. With real gear you can even put different clients on the same wireless network on different VLANs that have different behavior.

                          None of this has anything to do with your layer 3 firewall (pfSense).

Easy4Breezy

Here are my results:

• Reset to defaults
• Configured WAN and LAN in the shell
• WAN as DHCP and LAN as static IPv4 with DHCP server (192.168.2.1/24)
• Created new interface WLAN, same settings as LAN (192.168.3.1/24)
• Created new interface for the NAS, only static IPv4, no DHCP server (192.168.1.1/24)
• Created a rule on the LAN, WLAN and NAS interfaces to allow traffic to any (just WAN didn't work)
• Created another rule under LAN to block access to WLAN and NAS
• Created another rule under WLAN to block access to LAN and NAS
• Created another rule under NAS to block access to LAN and WLAN
• Created rules for the specific devices to talk to each other on the ports I want (445 for SMB, for example)
• Blocked communication between the WLAN devices on the router
• Blocked communication between the LAN devices with my switch

No bridge, no nothing; it's now working as I wanted.
The only issue I had was with port forwarding, but I had to change the firewall from Automatic to Hybrid under Outbound.
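The three-subnet layout in the post above, as an added example that is not part of the thread and not pfSense code: a small Python model of how pfSense evaluates firewall rules. The subnets are the ones from the list; the host addresses (192.168.3.50 as the phone allowed to use SMB, 192.168.1.2 as the NAS) are assumptions. It demonstrates two things the thread turns on: rules are evaluated on the interface a packet enters, top to bottom, first match wins, so the order of the "allow any" and "block" rules decides whether the block ever fires; and two hosts in the same subnet (jahonix's "imagine a switch" point) never reach the rules at all.

```python
"""Added example (not pfSense code, not from the thread): a minimal model of how
pfSense evaluates firewall rules, using the three subnets from the final post.

Two behaviours are modelled:
  1. Rules are checked on the interface a packet *enters*, top to bottom; the
     first matching rule decides, and anything unmatched hits the default deny.
  2. A packet whose source and destination share a subnet is switched at
     layer 2 and never reaches the router, so no interface rule can see it.
Host addresses (phone, NAS) are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

INTERFACES = {
    "LAN": ip_network("192.168.2.0/24"),
    "WLAN": ip_network("192.168.3.0/24"),
    "NAS": ip_network("192.168.1.0/24"),
}
GATEWAYS = {name: net[1] for name, net in INTERFACES.items()}  # pfSense's own address per interface
LOCAL_NETS = list(INTERFACES.values())

PHONE = "192.168.3.50"     # assumed WLAN client that is allowed to use SMB on the NAS
NAS_HOST = "192.168.1.2"   # assumed NAS address in the NAS subnet


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # host, CIDR or "any"
    dst: str                  # host, CIDR, "any", "local" (all three subnets) or "self" (the firewall)
    proto: str = "any"        # "tcp", "udp" or "any"
    dport: int | None = None  # None = any destination port


def _nets(spec: str) -> list[IPv4Network]:
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    if spec == "local":
        return LOCAL_NETS
    return [ip_network(spec, strict=False)]


def ingress_interface(ip: IPv4Address) -> str:
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "WAN"


def rule_matches(rule: Rule, in_if: str, src: IPv4Address, dst: IPv4Address,
                 proto: str, dport: int | None) -> bool:
    if rule.dst == "self":
        dst_ok = dst == GATEWAYS[in_if]
    else:
        dst_ok = any(dst in n for n in _nets(rule.dst))
    return (dst_ok
            and any(src in n for n in _nets(rule.src))
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(ruleset: dict[str, list[Rule]], src: str, dst: str,
             proto: str = "tcp", dport: int | None = None) -> str:
    """Return "pass", "block" or "switched" for the first packet of a flow."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    in_if = ingress_interface(src_ip)
    # Same subnet and not addressed to the firewall itself: the switch forwards
    # the frame directly and the router never sees it, so rules are irrelevant.
    if in_if != "WAN" and dst_ip != GATEWAYS[in_if] and ingress_interface(dst_ip) == in_if:
        return "switched"
    for rule in ruleset.get(in_if, []):
        if rule_matches(rule, in_if, src_ip, dst_ip, proto, dport):
            return rule.action
    return "block"  # implicit default deny


def build_rules(specific_first: bool) -> dict[str, list[Rule]]:
    """Rule tabs modelled on the final post. With specific_first=False the WLAN
    tab has the 'allow any' rule on top, which hides the block rule beneath it."""
    dns_to_firewall = Rule("pass", "any", "self", "udp", 53)   # clients must still reach the resolver
    phone_smb = Rule("pass", PHONE, NAS_HOST, "tcp", 445)
    block_other_local = Rule("block", "any", "local")
    allow_out = Rule("pass", "any", "any")
    wlan = ([dns_to_firewall, phone_smb, block_other_local, allow_out] if specific_first
            else [allow_out, dns_to_firewall, block_other_local, phone_smb])
    return {
        "LAN": [dns_to_firewall, block_other_local, allow_out],
        "WLAN": wlan,
        "NAS": [dns_to_firewall, block_other_local, allow_out],
    }


CORRECT_ORDER = build_rules(specific_first=True)
WRONG_ORDER = build_rules(specific_first=False)

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "phone -> NAS smb:", evaluate(rules, PHONE, NAS_HOST, "tcp", 445))
        print(label, "other WLAN host -> NAS smb:", evaluate(rules, "192.168.3.51", NAS_HOST, "tcp", 445))
    print("LAN host -> LAN host:", evaluate(CORRECT_ORDER, "192.168.2.10", "192.168.2.11", "tcp", 22))
```

The "switched" result is the whole reason the last two bullets in the post (client isolation on the AP, port isolation on the switch) are needed: pfSense only sees traffic that crosses one of its interfaces, so same-subnet filtering has to happen in the layer-2 gear. The model ignores state tracking (reply packets are allowed by the state created by the first packet) and the automatic rules pfSense adds for DHCP; it is only meant to show rule order and the subnet boundary.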
Gertjan

@Easy4Breezy:

• Created new interface WLAN, same settings as LAN (192.168.3.1/24)
• Created new interface for the NAS, only static IPv4, no DHCP server (192.168.1.1/24)

Just for cosmetic reasons: why not keep LAN as the default, 192.168.1.1/24? This segment only hosts trusted devices; it's OK as it is, no settings needed.
"NAS" as 192.168.2.1/24. Just a question: is your NAS not trusted? (Like it's a NAS but also a web server …)
"WLAN" as 192.168.3.1/24: here are the scary devices.

And, for example, your WAN as 10.0.0.0/24 (just tell the upstream router's DHCP server to do so).

@Easy4Breezy:

• Created a rule on the LAN, WLAN and NAS interfaces to allow traffic to any (just WAN didn't work)

You wanted to check if we were still awake, right?
If not =>  ;D

No "help me" PMs please. Use the forum; the community will thank you.
Edit: and where are the logs??
jahonix

@Easy4Breezy:

No bridge, no nothing; it's now working as I wanted.

Great, isn't it? Without any strange fiddling, it just works.
I appreciate that you followed this forum's advice and that you posted back!
johnpoz (LAYER 8, Global Moderator)

"The only issue I had was with port forwarding, but I had to change the firewall from Automatic to Hybrid under Outbound."

Huh?? What does outbound NAT have to do with port forwarding? The only reason you would have to switch to Hybrid is if you were using a VPN or something.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.