LAN Firewall rules

  • I've been trying to set rules for the LAN, ea block remote desktop to certain machines in the network in the same LAN subnet.

    But none of the rules work, even block everything to that internal IP fails.

    This is probably due to the fact that the LAN interface on the pfsense is connected to a random switch port and the rest of the 20 clients are connected to the same switch.

    Connections between LAN ip's are obviously not going past the pfsense, it just goes from one switch port to the other.

    So this would be a physical problem with the switch setup. How would I get control over the lan itself? Would I need a layer 3 switch to do this?

  • I think the easy way would be to use the local firewall.

  • Local firewall? What do you mean? On the machines itself? Or an additional firewall ?

  • yes. On XP's local firewall you can specify by IP

  • Sure, that would work, but I would prefer blocking connections to a complete subnet range in the lan for example.

    I guess this would only be possible with a pfsense in between somewhere..

  • You can't centrally firewall machines within the same subnet! Interfaces within the same subnet communicate directly with each other. They only send traffic to the gateway when the destination address can't be routed directly to one of their local subnets. You would first need to logically isolate those machines so they cannot route to each other. Then, you would need to do central routing (and firewalling) for them.

    A hack, and it is a real dirty hack, would be to define every machine as its own subnet on the same physical segment and then define one interface on pfSense for each of the machines on the segment, then set up your rules. This is a really bad idea. It will probably break more than it fixes since the machines can't broadcast to each other any more and pfSense has to route every single packet. And even if you did that, since you'd be on the same physical segment, any user could get around it by just defining an IP in the segment they wanted to talk to.

    The short answer it it can't be done.