    Netgate Discussion Forum
    Guest network block computer to computer

    Firewalling
• hagensieker

      I have two wifi access points.  One is on VLAN10 and is internet only and cannot see the other network.

      Is it possible to create rules that prevent any computer on this VLAN10 guest network from seeing another computer on the same VLAN10 network?

• Derelict (LAYER 8 Netgate)

        No. That is same-segment traffic and must be blocked in your switch.

        The firewall is not involved in traffic between hosts on the same segment.

• hagensieker

          @Derelict:

          No. That is same-segment traffic and must be blocked in your switch.

          The firewall is not involved in traffic between hosts on the same segment.

Thanks. I'll take a look at my switch config, but I'm wondering if I can do that; I have a TP-Link Easy Smart Switch 16 port.

• hagensieker

            I need a layer 3 Managed Switch to do that, don't I?

• Derelict (LAYER 8 Netgate)

              Layer 3 won't get you anything. You need to block that at layer 2.

              Or put your guests on one segment and your private on another. In which case pfSense can firewall between them.

• Alesk13Fr

                Hi,

If all your devices on this WiFi VLAN are WiFi clients, check your access point configuration; on some devices you can find an "isolate guest" or "isolate client" option. With this, each client will be isolated from the other WiFi clients.

Hope this helps.

                Best regards,
                Alex.

• johnpoz (LAYER 8 Global Moderator)

^ Exactly, if what you're trying to do is isolate wifi clients from each other on the same wifi network. In a wired network it would be a private vlan.

Are you trying to prevent wifi clients from seeing wired clients on your vlan10, or other wifi clients, with no wired devices on vlan10? If this is a guest wifi network there shouldn't be anything on that vlan for guests to access other than pfsense as their gateway, and maybe other wifi clients, which you can stop with isolation via your AP. What is the exact device you're using for your AP?

• JKnott

                    Is it possible to create rules that prevent any computer on this VLAN10 guest network from seeing another computer on the same VLAN10 network?

                    One common method is to use a VLAN and 2nd SSID.  The router is configured so that guest traffic is allowed access to the Internet only.  Many consumer grade routers support this, as does pfSense.

• johnpoz (LAYER 8 Global Moderator)

One problem is that most consumer grade wifi routers' use of a guest ssid depends on the wifi router being the edge router doing the nat to the public internet. The proper way to do this with pfsense is, yes, with your different ssids being on different vlans. But it is rare for consumer wifi routers to support this; you might have some luck with 3rd party firmware like dd-wrt, openwrt, etc.

But your best bet is to just get a real AP with vlan support and use a smart switch that also does vlans. Now you're cooking with gas in isolating different network traffic on your network.

But sure, if you take any home wifi router, use it as just an AP, and connect this to a different network on pfsense, be it native untagged or a vlan, you can isolate that traffic from the rest of your network.

• JKnott

                        But your best bet is to just get a real AP with vlan support

                        I have a TP-Link WA-901ND access point that supports VLANs and up to 4 SSIDs.  However, I discovered a problem with it.  ICMPv6 was leaking from the main LAN to the VLAN, with the result that devices connected to the guest SSID/VLAN were getting IPv6 addresses intended for the main LAN.  I have no idea why it would do that and the first support "tech" thought that was normal.  Another, more senior one agreed it was a problem, but no fix was forthcoming.

• johnpoz (LAYER 8 Global Moderator)

The problem with those consumer sort of devices, even an "AP", is that fixes and updates to their firmware are rare if ever. With something like unifi I have seen fixes to firmware in a couple of days if a bug/issue is reported. They are very active with updates both on their controller software and firmware.

                          Those consumer type companies are more worried about selling the next model than keeping their previous model firmware updated with fixes and or features.

As to this issue you found with icmpv6: so it was the only thing leaking from the native untagged network to the vlans, there was no other flooding or bleed? So it was "leaking" to all the vlans? Or just a specific one?

Do you have the v4 model of that AP? The last update I see for NA was Oct 2015 for an igmp proxy issue.

• JKnott

                            I have a V2 model, with the firmware version 3.12.16 Build 130131 Rel.53760n, which is a beta version from Nov. 2013.  I only noticed ICMPv6 leaking and only in the one direction.  I just had VLAN 5 in use, so I can't speak about other VLANs.  My main network was on the main LAN with guests on VLAN 5.

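The leak JKnott describes (ICMPv6 Router Advertisements from the main LAN arriving on the guest VLAN, so guests autoconfigure main-LAN addresses) can be checked for with a small decoder. The example below is added here and is not code from the thread or from any of the products mentioned; it decodes the Prefix Information options of one RA and flags any advertised prefix that is not the one expected on that VLAN. The prefixes are placeholders, and the sample RA is constructed inline so it runs offline.

```python
"""Flag Router Advertisements seen on a VLAN that advertise a foreign prefix."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 type
OPT_PREFIX_INFORMATION = 3          # RFC 4861 option, always 32 bytes
RA_HEADER_LEN = 16                  # type, code, csum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_prefixes(icmpv6_payload):
    """Return the IPv6 prefixes advertised in one RA (ICMPv6 payload, no IP header)."""
    if len(icmpv6_payload) < RA_HEADER_LEN or icmpv6_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6_payload):
        opt_type, opt_len = icmpv6_payload[offset], icmpv6_payload[offset + 1]
        if opt_len == 0:  # RFC 4861 says a zero-length option invalidates the packet
            raise ValueError("malformed option of length 0")
        opt_bytes = opt_len * 8
        option = icmpv6_payload[offset:offset + opt_bytes]
        if len(option) < opt_bytes:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_bytes == 32:
            prefix_len = option[2]                       # prefix length field
            addr = ipaddress.IPv6Address(option[16:32])  # prefix field
            prefixes.append(ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False))
        offset += opt_bytes  # other options (e.g. source link-layer address) are skipped
    return prefixes


def find_leaked_prefixes(icmpv6_payload, expected_prefix):
    """Prefixes in the RA that do not belong on the VLAN it was captured from."""
    expected = ipaddress.IPv6Network(expected_prefix)
    return [p for p in parse_ra_prefixes(icmpv6_payload) if p != expected]


def build_ra(prefixes):
    """Construct a minimal RA for testing (constructed sample; checksum left as zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    options = b""
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # type, length (units of 8 bytes), prefix length, L+A flags, valid, preferred, reserved
        options += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        options += net.network_address.packed
    return header + options


GUEST_PREFIX = "2001:db8:5::/64"     # placeholder: prefix expected on the guest VLAN
MAIN_LAN_PREFIX = "2001:db8:1::/64"  # placeholder: prefix of the main LAN
SAMPLE_RA = build_ra([MAIN_LAN_PREFIX])  # constructed: an RA seen on the guest VLAN

if __name__ == "__main__":
    for leaked in find_leaked_prefixes(SAMPLE_RA, GUEST_PREFIX):
        print(f"RA on guest VLAN advertises foreign prefix {leaked}")
```

Feed it the ICMPv6 payload of RAs captured on the guest VLAN; any non-empty result is the leak, and the sending router's address in the IPv6 header tells you which device is bridging the segments.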