[SOLVED] Bridge or Tunnel Specific MAC from OPT1 to LAN



  • I am running pfSense 2.3.2-RELEASE-p1.

    There are 3 interfaces, with each one having separate physical connections (cabling, switches, access points, etc).
    WAN > internet
    LAN > trusted "staff" network
    OPT1 > untrusted "guest" network

    I have one specific device on OPT1 (a controller for a digital sign) that I would like to manage from the LAN and block other users on OPT1.  Due to physical layout of building, I am unable to connect it directly to the LAN, it's stuck on OPT1.  Device itself is not configurable, so I can't run it through a VPN or something like that.

    Is there a way to bridge or tunnel this one device so that it effectively acts as if it's on the LAN?  I don't want to bridge the entire networks together to keep the "guests" out of the "staff" stuff.  Is this possible with firewall rules?

    Understand any MAC identification is vulnerable to being spoofed, but it's a low enough risk given the "guest" userbase.

    Thanks for your help!



  • What are you trying to actually do with this sign controller, or more specifically what is the problem to be solved?  LAN has an Allow for Any rule so you can access the OPT1 controller from LAN.  Users on OPT1 interact within their own network without touching the firewall, so you cannot use firewall rules to control access to OPT1 from OPT1.



  • Thanks for the quick response.

    I'm not 100% sure what the sign controller is doing, I believe it is running some sort of server that manages the actual information displayed.  It has a specific program that you run on your PC to connect to the sign (over the network) and "push" the words/pictures you want to show.  It doesn't seem to have any authentication built in, so if a "guest" on OPT1 had the same software, they could theoretically change the information on the sign.  My attempted solution was to prevent them from being able to connect to it at all.

    I hadn't thought about OPT1 users not going through the firewall to talk to each other, but of course that makes sense now.

    I'm not very familiar with VLANs.  Is this a use case that they could handle?  Instead of physically separating the two networks, can I bridge them (physically) and then use two VLANs to keep "guests" out of the "staff" network?  Ultimately I'm trying to keep the "guests" away from networked drives, printers, etc on the "staff" network.

    If that doesn't work, sounds like I need to overcome the building layout problem and physically get cable from the LAN "staff" network over to the sign controller.

    Thanks again.



  • if a "guest" on OPT1 had the same software, they could theoretically change the information on the sign

    How likely do you think that is?  I'm guessing not very, unless you're running the network at the sign company ;D  You might be spending time on a super deluxe corner-case.

    I'm not very familiar with VLANs.  Is this a use case that they could handle?

    I'm not strong with them either, but I believe that could be done.  Of course, it's dependent on whether or not you have VLAN-capable, managed switches already in place.

    I need to overcome the building layout problem and physically get cable from the LAN "staff" network over to the sign controller.

    Nothing a drill and a long cable can't solve.
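    To make the two points made in this thread concrete (an OPT1 guest talking to the sign controller on OPT1 never crosses pfSense, so no rule can apply, while moving the sign onto its own VLAN interface would put guest-to-sign traffic behind an OPT1 rule), here is an added example that is not from the thread and is not pfSense code: a small Python model of pfSense-style per-interface, first-match rule evaluation. The subnets, host addresses and rules are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    """One interface rule, evaluated on the interface the packet enters.
    First match wins; no match falls through to the default deny."""
    iface: str
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network


def interface_of(ip: IPv4Address, interfaces: Dict[str, IPv4Network]) -> Optional[str]:
    """Name the firewall interface whose subnet contains ip, if any."""
    for name, net in interfaces.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, interfaces: Dict[str, IPv4Network], rules: List[Rule]) -> str:
    s, d = ip_address(src), ip_address(dst)
    src_if, dst_if = interface_of(s, interfaces), interface_of(d, interfaces)
    if src_if is None or dst_if is None:
        return "unknown"
    if src_if == dst_if:
        # Same broadcast domain: the hosts talk switch-to-switch and the
        # firewall never sees the packet, so no rule can apply.
        return "not seen by firewall"
    for r in rules:
        if r.iface == src_if and s in r.src and d in r.dst:
            return r.action
    return "block"   # default deny when nothing matches


# Constructed addressing for the example (not from the thread).
LAN = ip_network("192.168.1.0/24")
OPT1 = ip_network("192.168.2.0/24")
STAFF_PC, GUEST_PC, SIGN_ON_OPT1 = "192.168.1.10", "192.168.2.50", "192.168.2.20"


def flat_scenario() -> Dict[str, str]:
    """Thread's current layout: sign controller shares OPT1 with the guests."""
    interfaces = {"LAN": LAN, "OPT1": OPT1}
    rules = [
        Rule("LAN", "pass", ANY, ANY),     # default LAN "allow any"
        Rule("OPT1", "pass", OPT1, ANY),   # guests may reach anything routed
    ]
    return {
        "lan_to_sign": evaluate(STAFF_PC, SIGN_ON_OPT1, interfaces, rules),
        "guest_to_sign": evaluate(GUEST_PC, SIGN_ON_OPT1, interfaces, rules),
    }


def vlan_scenario() -> Dict[str, str]:
    """Sign controller on its own tagged VLAN interface (needs a managed switch)."""
    sign_vlan = ip_network("192.168.3.0/24")
    sign_ip = "192.168.3.20"
    interfaces = {"LAN": LAN, "OPT1": OPT1, "SIGN": sign_vlan}
    rules = [
        Rule("LAN", "pass", ANY, ANY),
        Rule("OPT1", "block", ANY, sign_vlan),   # must sit above the pass rule
        Rule("OPT1", "pass", OPT1, ANY),
    ]
    return {
        "lan_to_sign": evaluate(STAFF_PC, sign_ip, interfaces, rules),
        "guest_to_sign": evaluate(GUEST_PC, sign_ip, interfaces, rules),
    }


if __name__ == "__main__":
    print("flat:", flat_scenario())
    print("vlan:", vlan_scenario())
```

    The ordering of the two OPT1 rules in the VLAN scenario is the part worth noticing: a "pass OPT1 to any" rule placed first would also match the sign's subnet, so the block has to come above it.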



  • @KOM:

    How likely do you think that is?  I'm guessing not very, unless you're running the network at the sign company ;D  You might be spending time on a super deluxe corner-case.

    Agree, probably unlikely.  I can probably rely on security through obscurity.  Even if someone had the software they'd have to figure out the horrible UI.

    @KOM:

    Of course, it's dependent on whether or not you have VLAN-capable, managed switches already in place.

    Oh, well in that case VLAN is out.  Just using simple consumer-grade (unmanaged) switches.

    @KOM:

    Nothing a drill and a long cable can't solve.

    That does sound like the way to go.  I'll get my flashlight  :)

    Thanks again for your help, forum maintenance question now (first time caller, long time listener).  Do I need to do something to mark this thread as closed?



  • Most don't, but you can go back and edit the topic if you like to something like [SOLVED].

