    How to allow broadcast traffic on a specific port to reach isolated devices

    Firewalling
      joshproehl

      Summary: Internet-of-Things devices are untrustworthy and should be isolated from the private network. This is not difficult for routed traffic, but some of them utilize discovery via Broadcast, which I'm having trouble figuring out.

      Several types of devices must use WEP rather than WPA, and changing the password regularly isn't possible, so maintaining a unique and isolated WLAN is critical.

      Currently I have the private network on VLAN10 and the IoT network on VLAN20, allowing them to operate on independent and isolated WLANs. As an example device let's use LIFX bulbs, which are discovered via a broadcast packet on a specific port. Ideally I'd like to be able to allow any devices on the private VLAN to discover the bulbs on the IoT VLAN, but as a fallback to that I'd like to be able to have a specific Linux host reach the bulbs via broadcast. I realize this rather violates the concept of a VLAN, so I'm open to other suggestions about how to achieve the end result.

      I've had trouble finding suggestions for this; "broadcast repeater" is an idea that I've seen, but not something that seems to be available with pfSense.

      My ultimate fallback is to put a single Linux host on both VLANs and let it be the sole controller of the bulbs, which is probably a more "correct" implementation, but it's just not as functional, unfortunately.

      If anyone has any suggestions about which direction I can take I'd really appreciate it!

        jimp (Rebel Alliance Developer, Netgate)

        A dedicated management host is the best way to do that.

        You really don't want to leak traffic to/from those, it defeats the point of isolating them in the first place. Something like Avahi might help, but ultimately it's a bad idea.

        And WTF is still operational that only uses WEP? That may as well not use any security at all.

          johnpoz (LAYER 8 Global Moderator)
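As an added illustration of the dedicated-management-host design that jimp recommends and that the original poster names as a fallback (this is example code written for this page, not code from the thread, from pfSense or from any bulb vendor), the following Python models a host with one interface on each VLAN: the discovery datagram is sent only from the IoT-side interface to that subnet's broadcast address, and requests arriving from the private VLAN are accepted only on the host's own API port, only from private-VLAN addresses, and only for a fixed set of bulb operations, so no broadcast frame or arbitrary payload is ever relayed between the two networks. The VLAN IDs come from the thread; the subnets, host addresses, port numbers and action names are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the two VLANs named in the thread. The subnets,
# host addresses and port numbers are assumptions, not values from the post.
PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN10, private clients
IOT_NET = ipaddress.ip_network("192.168.20.0/24")       # VLAN20, isolated IoT devices
DISCOVERY_PORT = 56700   # placeholder for the bulbs' UDP broadcast discovery port
CONTROL_PORT = 8443      # placeholder for the management host's own API port

# The management host has exactly one interface on each VLAN (constructed).
HOST_INTERFACES = {
    "eth0.10": ipaddress.ip_interface("192.168.10.5/24"),
    "eth0.20": ipaddress.ip_interface("192.168.20.5/24"),
}

# The only operations the host will perform on the IoT side. There is
# deliberately no "send raw bytes" or "relay discovery" action.
ALLOWED_ACTIONS = {"set_power", "set_color", "list_bulbs"}


def discovery_source(interfaces, iot_net):
    """Pick the interface the management host must use to discover bulbs.

    A subnet-directed broadcast is delivered only on the L2 segment that owns
    the subnet; the router between VLAN10 and VLAN20 will not forward it. So the
    discovery datagram has to originate from an address inside the IoT subnet
    and be addressed to that subnet's broadcast address.
    Returns (interface name, source IP, broadcast IP) as strings.
    """
    for name, iface in interfaces.items():
        if iface.network == iot_net:
            return name, str(iface.ip), str(iface.network.broadcast_address)
    raise LookupError("management host has no interface on %s" % iot_net)


def handle_control_request(src_ip, dst_port, action):
    """Gate a request from the private VLAN before the host touches the IoT side.

    Returns (accepted, reason). Every check is an allowlist: private-VLAN source,
    the host's own API port, and a named high-level action. Anything else is
    refused, which is what keeps the two VLANs isolated despite the host
    straddling both.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in PRIVATE_NET:
        return False, "rejected: source %s is not on the private VLAN" % src
    if dst_port != CONTROL_PORT:
        return False, "rejected: port %d is not the controller API" % dst_port
    if action not in ALLOWED_ACTIONS:
        return False, "rejected: action %r is not a supported bulb operation" % action
    return True, "accepted"


if __name__ == "__main__":
    ifname, src, bcast = discovery_source(HOST_INTERFACES, IOT_NET)
    print("discover bulbs via %s from %s to %s:%d" % (ifname, src, bcast, DISCOVERY_PORT))
    sample_requests = [
        ("192.168.10.42", CONTROL_PORT, "set_power"),       # private client, API port, allowed op
        ("192.168.20.77", CONTROL_PORT, "set_power"),       # request from the IoT VLAN itself
        ("192.168.10.42", DISCOVERY_PORT, "set_power"),     # wrong port on the host
        ("192.168.10.42", CONTROL_PORT, "relay_discovery"), # attempt to have the host repeat a broadcast
    ]
    for req in sample_requests:
        print(req, "->", handle_control_request(*req))
```

In a real deployment the host would additionally keep IP forwarding disabled so the kernel itself never routes between the two interfaces; the policy above only governs what the controller application does on behalf of private-VLAN clients.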

          "Several types of devices must use WEP rather than WPA"

          Yeah, which devices? Those devices need to be replaced if they only support WEP.
