"hotel mode" for an IP range?
-
Hey all,
Can someone give me some insight on how to set up a firewall rule (or rules) to isolate a range of IP addresses on a LAN so they can't see each other?
Thank you!
-
That's a function of the access point, not pfSense. For example, here's what it says with my TP-Link AP:
Enable AP Isolation - Isolate all connected wireless stations so that wireless stations cannot access each other through WLAN. This function will be disabled if WDS/Bridge is enabled.
-
Yes...I'm aware that is an AP function, but I'm trying to achieve a similar function with a range of IP on a LAN.
-
Yeah, there really is no way to do that on your L3 router. That is a function of L2: your switch(es), your AP(s).
pfSense can isolate different L2s from each other, because to cross that boundary you are at L3, which pfSense can then firewall while it's routing between them.
What switch(es) do you have? Many support what is commonly called a private vlan.
https://en.wikipedia.org/wiki/Private_VLAN
-
Thanks for the info.
I have a Dell s4048-on (FTOS 9.14) and I'm connecting to Proxmox with OVS bridges.
-
Doesn't your AP support that? I'm getting the impression you're trying to separate guests from regular users? Is that correct? If so, what you need is multiple SSIDs and a VLAN.
-
@tl5k5 said in "hotel mode" for an IP range?:
I have a Dell s4048
A quick Google search sure looks like you're good:
https://www.dell.com/support/manuals/us/en/04/force10-s4048-on/s4048_on_9.9.0.0_cli_pub-v1/private-vlan-pvlan?guid=guid-7e847acf-6145-40cb-a1e6-227f6cf4d47c&lang=en-us
The private VLAN (PVLAN) feature of the Dell Networking operating software is supported on the platforms.
Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same private VLAN. A private VLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. The Dell Networking OS private VLAN implementation is based on RFC 3069.
For more information, refer to the following commands. The command output is augmented in Dell Networking OS version 7.8.1.0 and later to provide PVLAN data:
-
@JKnott said in "hotel mode" for an IP range?:
Doesn't your AP support that? I'm getting the impression you're trying to separate guests from regular users? Is that correct? If so, what you need is multiple SSIDs and a VLAN.
I'm guessing that the OP is trying to keep the clients (doesn't say if they are wifi or wired) from seeing each other after they join the network. But, it's just a guess...
I would actually be surprised to see "wired" in a hotel setting anymore.
Jeff
-
I think he was just using that as an example. He stated here that he wants to do it on his LAN.
@tl5k5 said in "hotel mode" for an IP range?:
Yes...I'm aware that is an AP function, but I'm trying to achieve a similar function with a range of IP on a LAN.
-
Trusted and untrusted users on the same LAN?
Don't. Many have tried. None came back with a nice story.
pfSense has a captive portal. Give it a separate NIC (this is not some optional choice):
Keep LAN for internal and/or trusted users.
Easy to set up - easy to maintain.
You could add some complicated sauce with a VLAN solution; some APs support multiple SSIDs that use multiple VLANs. Just one NIC will do in that case.
But hey, with a NIC costing as much as a couple of cigarettes, why add the sauce?
I myself use pfSense as stated above: a LAN for the company's 'private' needs, and another interface (NIC) for my clients, this being a hotel. Works great, for a decade or so.
-
Thanks everyone.
I'm just going to separate my groups of workstations into different VLANs. I just thought there might be a clean way to do this on the LAN.
Thanks again!
-
@tl5k5 said in "hotel mode" for an IP range?:
I just thought there might be a clean way to do this on the LAN.
There is a clean way - it's called private VLANs. But this isolates all clients on that network from each other. If you wanted client X to talk to client Y then you would have to manipulate the specific ports they are connected to; you cannot do that via IP.
If you don't want group A talking to group B, then yeah, you do that via VLANs, and now you can filter traffic at your L3 router.
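Added example, not from this thread or from Dell's documentation: a small Python model of private-VLAN forwarding rules that checks a port-role assignment against a desired reachability policy before you commit it to the switch. It encodes the standard PVLAN semantics (a promiscuous uplink port reaches every port, an isolated port reaches only promiscuous ports, a community port reaches promiscuous ports plus its own community). The port names, the community VLAN number 101 and the sample policy are constructed for illustration. Note that the model is keyed by switch port, not by IP address, which is exactly the limitation described above.

```python
"""Private-VLAN (PVLAN) reachability model and policy check.

Added example with constructed sample data; not vendor code.
Port roles use standard PVLAN terminology:
  promiscuous - uplink/gateway port, reaches every port in the primary VLAN
  isolated    - reaches only promiscuous ports ("hotel mode")
  community   - reaches promiscuous ports and other ports in the same community
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

VALID_ROLES = {"promiscuous", "isolated", "community"}


@dataclass(frozen=True)
class Port:
    name: str                        # switch port name, e.g. "Te1/2" (constructed)
    role: str                        # one of VALID_ROLES
    community: Optional[int] = None  # secondary VLAN id; community ports only


def validate(ports: Iterable[Port]) -> None:
    """Reject port definitions that make no sense for a PVLAN."""
    seen = set()
    for p in ports:
        if p.name in seen:
            raise ValueError(f"duplicate port {p.name}")
        seen.add(p.name)
        if p.role not in VALID_ROLES:
            raise ValueError(f"{p.name}: unknown role {p.role!r}")
        if (p.role == "community") != (p.community is not None):
            raise ValueError(f"{p.name}: community id is required on, and only on, community ports")


def can_reach(src: Port, dst: Port) -> bool:
    """True if a frame entering on src may be forwarded out of dst within the PVLAN."""
    if src.name == dst.name:
        return False                     # a port never forwards back out of itself
    if "promiscuous" in (src.role, dst.role):
        return True                      # the uplink/gateway port talks to everyone
    if src.role == dst.role == "community" and src.community == dst.community:
        return True                      # same community VLAN
    return False                         # isolated ports and cross-community traffic are blocked


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Full ordered-pair matrix of which ports can forward to which."""
    validate(ports)
    return {(a.name, b.name): can_reach(a, b)
            for a in ports for b in ports if a.name != b.name}


def check_policy(ports: List[Port],
                 must_reach: List[Tuple[str, str]],
                 must_not_reach: List[Tuple[str, str]]) -> List[str]:
    """Return a list of policy violations; an empty list means the port roles satisfy the policy."""
    validate(ports)
    by_name = {p.name: p for p in ports}
    violations = []
    for a, b in must_reach:
        if not can_reach(by_name[a], by_name[b]):
            violations.append(f"{a} cannot reach {b} but policy requires it")
    for a, b in must_not_reach:
        if can_reach(by_name[a], by_name[b]):
            violations.append(f"{a} can reach {b} but policy forbids it")
    return violations


# Constructed sample: one uplink toward the pfSense gateway, two "hotel mode" guest
# ports that must not see each other, and two workstations that should still see each other.
SAMPLE_PORTS = [
    Port("Te1/1", "promiscuous"),
    Port("Te1/2", "isolated"),
    Port("Te1/3", "isolated"),
    Port("Te1/4", "community", 101),
    Port("Te1/5", "community", 101),
]
SAMPLE_MUST_REACH = [("Te1/2", "Te1/1"), ("Te1/1", "Te1/3"), ("Te1/4", "Te1/5")]
SAMPLE_MUST_NOT_REACH = [("Te1/2", "Te1/3"), ("Te1/2", "Te1/4"), ("Te1/5", "Te1/3")]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(SAMPLE_PORTS).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
    print("violations:", check_policy(SAMPLE_PORTS, SAMPLE_MUST_REACH, SAMPLE_MUST_NOT_REACH))
```

The check is useful precisely because of the caveat in the post above: if a required pair is two isolated ports, `check_policy` reports it, and the only fix is to move those two ports into a community VLAN (or give up on PVLAN and split them into ordinary VLANs filtered at pfSense).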