Layer 2 Isolation with same class network (Not Vlan)
-
No dude - it won't work without a smart/managed switch that has this feature... The switch has to support it! Pfsense is a L3 router/firewall - it doesn't do anything to control any switch..
I highly doubt its on any sort of roadmap.. Since it would not be possible to implement control of some 3rd party switch, that could be almost anything..
You set it on your L2 device..
Example - if I wanted private vlans I would set them up here on my SWITCH!!! pfsense doesn't need to know or care about it.. There is zero reason for any such support on a L3 firewall.
-
you need to understand that stuff like zyxel and tplink are 2 device in one router/firewall + internal switch, they are therefore able to put that option in their devices
pfsense is only a router/firewall and it does not have a managed layer 2 switch inside, ... you said before "Menu Layer 2 isolation"
so it's not something that they can implement with ony an update of the software, the right physical layer 2 switch is also needed -
zyxel and tplink also make switches... So they are more likely to have a central control method that can control their switches.. Can promise you if I used switch brand X with zyxel for example it sure wouldn't be able to setup the private lan on some 3rd party branded switch..
Unifi for example has their central control that works when your whole environment is their hardware - so that in the control software you could setup say private vlans..
If netgate at some point in the future got into making netgate branded switches and AP... Then sure you most likely would be able to control such a setting in pfsense or whatever control software they used to manage the complete environment..
But currently that is not the case, pfsense is a L3 firewall/router and does not or have any method of controlling the L2 devices you might have.
-
Hi Johnpoz.
in the switch (layer 2) i don't configure nothing (function with default configuration switch, not central control or smart control) and it works properly.If pfsense don't support this option not problem.
It not possible utilize pfsense for this feacture.
By.
-
Dude - I don't know what you think is happening or not happening... But sorry you can not stop a devices from talking to each other on the same network without doing it at the L2 device... just not possible.
Unless your router was arp poisoning every single IP pointing only to its OWN mac, etc.. which would just be nuts..
On a device, look in your arp table... What do you see for the other IPs in your network.
Example
$ arp -a Interface: 192.168.9.100 --- 0xb Internet Address Physical Address Type 192.168.9.10 00-11-32-7b-29-7d dynamic 192.168.9.11 00-11-32-7b-29-7e dynamic 192.168.9.99 70-6e-6d-f3-11-93 dynamic 192.168.9.253 00-08-a2-0c-e6-24 dynamic 192.168.9.255 ff-ff-ff-ff-ff-ff static 224.0.0.22 01-00-5e-00-00-16 static 239.255.255.250 01-00-5e-7f-ff-fa staticSo when this device, 192.168.9.100 wants to talk to 192.168.9.10 for example.. Has zero use for the router, doesn't send the traffic to the router.. The router could be off.. And can still talk to 9.10
Other option could be that your dhcp server on the device only hands out /32 masks.. To think the device is only network of 1 IP... But this doesn't not actually prevent communication - its a stupid trick... Its not actually isolating anything... Client could just change their mask, or setup a static arp, etc. etc.. Its not actual security by any means.. But you could do such a stupid trick via the dhcp server, not sure if pfsense allows for altering what mask gets handed out... But just run some other dhcp server that allows such stupid non-security tricks.
What is the mask on your devices? Do an ipconfig on your machine.
$ ipconfig Windows IP Configuration Ethernet adapter Local: Connection-specific DNS Suffix . : IPv4 Address. . . . . . . . . . . : 192.168.9.100 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.9.253Whats the mask??
BTW - if pfsense did allow this in the gui, I would be disappointed to say the least.. Since its NONSENSE, its not actual security.. Which is what pfsense is about.. Not stupid user tricks to think something is more secure than it is..
To actually secure devices from talking to each other that are on the same L2 network, you have to control the traffic at the L2 device that passes the traffic.. Any sort of tricks to get the client to think its in a smaller network than the actual L2 is, is nothing but smoke and mirrors and not valid security.
-
@Zilog When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly. The firewall (the pfSense node) is not involved at all. You could turn the firewall off and those hosts could still communicate with each other.
As has been said several times, preventing such communication is a function of the Layer 2 device (the switching layer such as a switch or a wireless access point) not the Layer 3 device (the router/firewall).
This is not unique to pfSense. It is how IP on broadcast networks works.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
@Zilog said in Layer 2 Isolation with same class network (Not Vlan):
The question is the Pfsense support "Layer2 Isolation" or not, if not is in program to develop it?
Again, you're mixing layers. IP is layer 3 only. That said, there is some gear that supports both layer 2 and 3. For example, I have worked with Adtran gear that's a router and a managed switch in the same box. That's the only way you're going to get L2 & 3 in the same box. As for private LANs, that often happens with access points, where devices are not allowed to communicate directly. I also have a managed TP-Link switch that has something called port based VLAN, where I can put individual ports onto VLANs that other ports can't reach.
-
I do what what you are asking every day. And as stated by others it need to handled by the switch, not the pfsense router.
pfsense creates your LAN and "send" the LAN to a switch or access point and your client will join the LAN through this switch or access point.
As default on you LAN all clients can see each other and you want to isolate then so they cannot see each other.
It is quite easy. But it is not done in pfsense. It is done in your switch. You log into your switch (need to be managed to do this) either using a gui or cli depending on model. The command depends on the model and age of that model. Old HP will be "filter source-port..." and newer HP/Aruba would be protected port. On ubiquiti it can be done in gui as protected port. Basically you tell your switch the ports that the other ports can communicate with. If port 24 is uplink to router/pfsense and all ports are protected except port 24 than all ports can send data to port 24 only and not to each other.
Again, isolation without vlans is done in the switch. Not in pfsense/router.
-
@Derelict said in Layer 2 Isolation with same class network (Not Vlan):
When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly
And this is so easy to prove. OP- turn off your router completely removing it from the equation and notice that your devices in the same subnet still happily communicate with each other. (caveat- as long as your router does not also house the "switch".)
-
@chpalmer said in Layer 2 Isolation with same class network (Not Vlan):
(caveat- as long as your router does not also house the "switch".)
And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.
-
@Derelict said in Layer 2 Isolation with same class network (Not Vlan):
@chpalmer said in Layer 2 Isolation with same class network (Not Vlan):
(caveat- as long as your router does not also house the "switch".)
And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.
Oops.. very true.
