    LAN Firewall rules

    Firewalling
AudiAddict:

I've been trying to set rules for the LAN, e.g. block remote desktop to certain machines in the network in the same LAN subnet.

But none of the rules work, even block everything to that internal IP fails.

This is probably due to the fact that the LAN interface on the pfSense is connected to a random switch port and the rest of the 20 clients are connected to the same switch.

Connections between LAN IPs are obviously not going past the pfSense, it just goes from one switch port to the other.

So this would be a physical problem with the switch setup. How would I get control over the LAN itself? Would I need a layer 3 switch to do this?

Perry:

        I think the easy way would be to use the local firewall.

        /Perry
        doc.pfsense.org

AudiAddict:

Local firewall? What do you mean? On the machines itself? Or an additional firewall?

Perry:

Yes. On XP's local firewall you can specify by IP.

            /Perry
            doc.pfsense.org

AudiAddict:

Sure, that would work, but I would prefer blocking connections to a complete subnet range in the LAN for example.

I guess this would only be possible with a pfSense in between somewhere.

tlum:

                You can't centrally firewall machines within the same subnet! Interfaces within the same subnet communicate directly with each other. They only send traffic to the gateway when the destination address can't be routed directly to one of their local subnets. You would first need to logically isolate those machines so they cannot route to each other. Then, you would need to do central routing (and firewalling) for them.

                A hack, and it is a real dirty hack, would be to define every machine as its own subnet on the same physical segment and then define one interface on pfSense for each of the machines on the segment, then set up your rules. This is a really bad idea. It will probably break more than it fixes since the machines can't broadcast to each other any more and pfSense has to route every single packet. And even if you did that, since you'd be on the same physical segment, any user could get around it by just defining an IP in the segment they wanted to talk to.

The short answer is it can't be done.

                -Ted-

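The forwarding decision Ted describes, as an added example that is not part of the thread: a host checks whether the destination falls inside its own interface network; if it does, it ARPs for the destination and the switch delivers the frame without the gateway ever seeing it, so a pfSense LAN rule has nothing to match. The script runs the same RDP flow against two constructed addressing plans, the flat /24 from the original post and a segmented plan where the two hosts sit in separate subnets (separate VLANs, each behind its own pfSense interface). Host names, addresses and the subnet layout are constructed for illustration.

```python
"""Why same-subnet traffic never reaches a gateway firewall rule.

Added example, not code from the forum thread. Addresses, host names
and the two addressing plans below are constructed.
"""
from ipaddress import ip_address, ip_interface

RDP_PORT = 3389  # remote desktop, the service the original poster wanted to block


def next_hop(src_cidr: str, dst_ip: str) -> str:
    """Host forwarding decision.

    'direct'  - destination is on-link: the host ARPs for it and the
                switch forwards the frame port to port.
    'gateway' - destination is off-link: the frame is addressed to the
                default gateway (pfSense), where LAN rules can match.
    """
    src = ip_interface(src_cidr)
    dst = ip_address(dst_ip)
    return "direct" if dst in src.network else "gateway"


def gateway_rules_apply(src_cidr: str, dst_ip: str) -> bool:
    """A rule on the gateway's LAN interface only sees gateway-bound traffic."""
    return next_hop(src_cidr, dst_ip) == "gateway"


def evaluate(hosts: dict, flows: list) -> dict:
    """Classify each (src_host, dst_host, port) flow under an addressing plan.

    hosts maps a host name to its interface in CIDR notation.
    """
    verdicts = {}
    for src_name, dst_name, port in flows:
        src_cidr = hosts[src_name]
        dst_ip = hosts[dst_name].split("/")[0]
        verdicts[(src_name, dst_name, port)] = (
            "enforceable at pfSense"
            if gateway_rules_apply(src_cidr, dst_ip)
            else "switched locally, pfSense never sees it"
        )
    return verdicts


# Constructed plan 1: the flat /24 from the original post, all clients
# and the pfSense LAN interface on the same switch.
FLAT_LAN = {
    "pc-a": "192.168.1.10/24",
    "pc-b": "192.168.1.20/24",
}

# Constructed plan 2: the same two hosts logically isolated into separate
# subnets (e.g. separate VLANs, each with its own pfSense interface), so
# pc-a must hand the packet to the gateway to reach pc-b.
SEGMENTED_LAN = {
    "pc-a": "10.0.10.10/24",
    "pc-b": "10.0.20.20/24",
}

FLOWS = [("pc-a", "pc-b", RDP_PORT)]

if __name__ == "__main__":
    for plan_name, plan in (("flat", FLAT_LAN), ("segmented", SEGMENTED_LAN)):
        for flow, verdict in evaluate(plan, FLOWS).items():
            print(f"{plan_name:9s} {flow}: {verdict}")
```

The segmented plan is the "logically isolate, then centrally route and firewall" approach from Ted's post; the per-host-subnet hack he warns against behaves the same way in this model but, as he notes, a user who re-addresses a machine into a neighbour's segment turns that flow back into a `direct` one, which is why the isolation needs to be enforced at the switch (VLANs) rather than by addressing alone.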