Guest network block computer to computer



  • I have two wifi access points.  One is on VLAN10 and is internet only and cannot see the other network.

    Is it possible to create rules that prevent any computer on this VLAN10 guest network from seeing another computer on the same VLAN10 network?


  • LAYER 8 Netgate

    No. That is same-segment traffic and must be blocked in your switch.

    The firewall is not involved in traffic between hosts on the same segment.



  • @Derelict:

    No. That is same-segment traffic and must be blocked in your switch.

    The firewall is not involved in traffic between hosts on the same segment.

    Thanks.  I'll take a look at my switch config, but I'm wondering if I can do that; I have a TP-Link Easy Smart Switch 16 port.



  • I need a layer 3 Managed Switch to do that, don't I?


  • LAYER 8 Netgate

    Layer 3 won't get you anything. You need to block that at layer 2.

    Or put your guests on one segment and your private on another. In which case pfSense can firewall between them.



  • Hi,

    If all your devices on this WiFi VLAN are WiFi clients, check your access point configuration; on some devices you can find an "isolate guest" or "isolate client" option. With this, each client will be isolated from the other WiFi clients.

    Hope this helps.

    Best regards,
    Alex.


  • LAYER 8 Global Moderator

    ^ Exactly, if what you're trying to do is isolate wifi clients from each other on the same wifi network.  In a wired network it would be a private vlan.

    Are you trying to prevent wifi clients from seeing wired clients on your vlan10, or other wifi clients (with no wired devices on vlan10)? If this is a guest wifi network there shouldn't be anything on that vlan for guests to access other than pfsense as their gateway, and maybe other wifi clients, which you can stop with isolation via your AP.  What is the exact device you're using for your AP?



  • Is it possible to create rules that prevent any computer on this VLAN10 guest network from seeing another computer on the same VLAN10 network?

    One common method is to use a VLAN and 2nd SSID.  The router is configured so that guest traffic is allowed access to the Internet only.  Many consumer grade routers support this, as does pfSense.


  • LAYER 8 Global Moderator

    One problem is that most consumer grade wifi routers' use of a guest ssid depends on the wifi router being the edge router doing the nat to the public internet.  The proper way to do this with pfsense is, yes, with your different ssids being on different vlans.  But it is rare for consumer wifi routers to support this; you might have some luck with 3rd party firmware like dd-wrt, openwrt, etc.

    But your best bet is to just get a real AP with vlan support and use a smart switch that also does vlans.  Now you're cooking with gas in isolating different network traffic on your network.

    But sure, if you take any home wifi router and use it as just an AP, and connect this to a different network on pfsense, be it native untagged or a vlan, you can isolate that traffic from the rest of your network.



  • But your best bet is to just get a real AP with vlan support

    I have a TP-Link WA-901ND access point that supports VLANs and up to 4 SSIDs.  However, I discovered a problem with it.  ICMPv6 was leaking from the main LAN to the VLAN, with the result that devices connected to the guest SSID/VLAN were getting IPv6 addresses intended for the main LAN.  I have no idea why it would do that and the first support "tech" thought that was normal.  Another, more senior one agreed it was a problem, but no fix was forthcoming.


  • LAYER 8 Global Moderator

    The problem with those consumer sort of devices, even an "AP", is that fixes and updates to their firmware are rare if ever.  With something like unifi I have seen fixes to firmware in a couple of days if a bug/issue is reported.  They are very active with updates, both on their controller software and firmware.

    Those consumer type companies are more worried about selling the next model than keeping their previous model's firmware updated with fixes and/or features.

    As to this issue you found with icmpv6: so it was the only thing leaking from the native untagged network to the vlans, there was no other flooding or bleed?  So it was "leaking" to all the vlans?  Or just a specific one?

    Do you have the v4 model of that AP?  The last update I see for NA was Oct 2015, for an igmp proxy issue.



  • I have a V2 model, with the firmware version 3.12.16 Build 130131 Rel.53760n, which is a beta version from Nov. 2013.  I only noticed ICMPv6 leaking and only in the one direction.  I just had VLAN 5 in use, so I can't speak about other VLANs.  My main network was on the main LAN with guests on VLAN 5.
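The ICMPv6 leak described in the last few posts has a simple symptom a defender can check for: Router Advertisements seen on the guest VLAN that carry a prefix belonging to another segment. The following is an added example, not code from the thread, pfSense or TP-Link; it assumes ICMPv6 payloads (IPv6 header already stripped) captured on the guest VLAN, and the sample packets are constructed with RFC 3849 documentation prefixes.

```python
"""Flag Router Advertisements carrying a prefix foreign to the guest segment.

Added example (not from the thread). Input is raw ICMPv6 payloads captured on
the guest VLAN; the packets built by make_ra() below are constructed samples.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Neighbor Discovery option: Prefix Information


def ra_prefixes(icmpv6):
    """Return [(IPv6Network, valid_lifetime), ...] advertised in one RA payload."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found = []
    off = 16  # fixed RA header: type, code, cksum, hop limit, flags, lifetimes
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option must be discarded
            raise ValueError("zero-length ND option")
        body = icmpv6[off + 2:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4 and len(body) == 30:
            plen, _flags, valid, _pref, _rsvd = struct.unpack("!BBIII", body[:14])
            found.append((ipaddress.IPv6Network((body[14:30], plen), strict=False), valid))
        off += opt_len * 8
    return found


def leaked_prefixes(ra_payloads, guest_prefix):
    """Prefixes seen on the guest segment that are not the guest prefix itself.

    Any hit means an RA from another segment reached guest clients, which is
    the symptom reported above (guests autoconfiguring main-LAN addresses).
    """
    guest = ipaddress.IPv6Network(guest_prefix)
    leaks = {p for pkt in ra_payloads for p, valid in ra_prefixes(pkt) if valid and p != guest}
    return sorted(str(p) for p in leaks)


def make_ra(prefix, valid=2592000, preferred=604800):
    """Build a constructed RA payload advertising one prefix (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0) + net.network_address.packed
    return hdr + opt


if __name__ == "__main__":
    captured = [make_ra("2001:db8:5::/64"), make_ra("2001:db8:1::/64")]  # guest + leaked main LAN
    print(leaked_prefixes(captured, "2001:db8:5::/64"))  # ['2001:db8:1::/64']
```

Feed it the ICMPv6 payloads from a capture taken on a guest client; an empty result means no foreign prefix was advertised on that segment during the capture window.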

