Isolation IPs from the wired network of the same subnet
-
@jotagsoares said in Isolation IPs from the wired network of the same subnet:
As in the isolation of the AP
There it's already done the way I proposed. Why would you want to do it differently on a wired network?
@jotagsoares said in Isolation IPs from the wired network of the same subnet:
but I still cannot solve this issue
Get a managed switch that can do private VLANs.
Did you read and understand my previous post (then use on that post) or was my time spent explaining it effectively useless? -
@jotagsoares said in Isolation IPs from the wired network of the same subnet:
but it happens that today a desktop connected to the wired network can't ping or share folders with others.
Not true at all.. Your just running multiple layer 3 on the same layer 2 with that mask.. It is no way isolated...
Lets ask again =- what 48 port switch are you currently using?? Or thinking of getting - your using what currently??
it will be necessary to acquire a manageable switch (which in our case is 48 ports) for the creation of vlans.
You could mask /32 all you want on your clients - It's not ISOLATED... its NOT!!! Just how your client can talk to the gateway which is NOT inside it's /32 mask - it could talk to ANY device on that same layer 2..
I can suggest a 48 port switch if you want that supports private vlans. You might also do it with port security - but be much more pita to setup and maintain if devices move around.
-
In short, you mean that the only way to isolate clients in a wired network is with VLANS?
-
You can isolate networks with vlans. What your wanting to do is isolate clients on the same network - this is called a private vlan..
https://en.wikipedia.org/wiki/Private_VLAN
-
@jotagsoares said in Isolation IPs from the wired network of the same subnet:
you mean that the only way to isolate clients in a wired network is with VLANS?
Didn't I tell you already? Man...
-
Yeah you did ;)
Maybe this analogy will help. You setting a /32 bit mask would be like putting blinders on a horse... While the horse might not think there are other horses next to it while its running. The jockey sure can see them - ie the user ;) So unless your user is as stupid as a horse ;)
Your not getting anything be using some mask trick to try and keep these machines from talking to each other. The users are still on the same wire, be it you change their mask or not.. If you want to isolated them that is down on the switch level. Has zero to do with pfsense or the dhpcd and what mask you hand out.
-
@jahonix This maybe a non-standard feature of Microtik that can't be easily replicated with a pfsense.
-
@sammywoo It's not a "non-standard feature", it's bullshit. Security by obscurity has never proven to be good.
-
bullshit is a good word to describe such nonsense for sure. Shit windows and many os'es would bitch at you trying to set a gateway when you have a /32 bit mask. Since any gateway you set would be outside your mask.
That fact that you can use the internet, ie talk to your gateway which is outside your mask - shows you that you can talk to other devices ;)
So why would you think you could not talk to other devices on the same wire?
-
What device is actually providing the WiFi?
Even with most dumb switches (as many pass VLAN tags without messing with them) you should be able to tell the the WiFi AP to use a different network and VLAN for the traffic back to the pfSense box where you can ensure isolation. Or plug it into its own LAN port on the pfSense box.
-
As others have said, the proper way to do this is at layer 2. In the switch or in the wifi gear.
MikroTik might have some mechanism for this, considering their attempted penetration into the WISP markets but, in some form or another, it will boil down to layer 2 isolation.
If you have host A on 192.168.1.100/24 and host B on 192.168.1.101/24 and both are on the same local network, the only way they cannot communicate is isolation at layer 2.
If you can come back with more details about what Mikrotik is actually doing we might be able to help develop an alternative. But it will likely be in your switching layer, not at the firewall itself.
-
Indeed, I have a bit of an isolation hack on my own network as I share it with some friends.
All four ports on pfSense are bridged and I enabled packet filtering on that bridge. I then have a firewall rule that allows my friends static IPs to only talk to the firewall itself, so while some broadcast traffic might slip through (I only have it blocked in one direction) they can't accidentally ChromeCast to my TV like they did once.
But honestly, if all you need is full isolation then its just easier to have it on a completely different LAN. Although that will not isolate the WiFi clients from each other, that has to be done in the WiFi access point itself.
-
Depends. Layer 2 isolation is a valuable tool especially in public access environments such as hotels, etc.
That said, any leverage of a pfSense bridge to accomplish the task is likely pretty far from an optimal solution.
-
Agreed, it was just convenient for my setup as its not vitally important my friends are blocked from the LAN, it just prevents little mishaps like described.
After all, if they change devices they will still get an IP from the dynamic pool which will bypass my blocks (although I might add those to the list) or they specify a static IP which would almost DEFINITELY bypass the rules.
Although I have the added benefit of knowing not only that those people know sod-all about networking, they wouldn't even bother to try learning about it either. I can't even convince them to connect to 5Ghz over 2.4Ghz as the whole concept of it not "just working" freaks them out. ;)
For true isolation, VLANs or just having the AP into its own ethernet port with its own network range is key. There is in fact no logical reason to HAVE them on the same subnet in the first place.
-
But then you need isolation in the AP to keep them from each other.
We're not really talking about isolating subnets. That's done in the firewall.
We're talking about isolating hosts in the same subnet from each other, but not from the gateway or other necessary hosts.
-
Right, I got completely confused about what the OP was trying to achieve here.
-
He was/is trying to create isolation of devices on the same layer 2 by just telling them their mask is /32 - which as we all know is just borked.
-
A /32 mask is used by some routers to designate an interface, rather than a network.
@alex-atkin-uk said in Isolation IPs from the wired network of the same subnet:
Even with most dumb switches (as many pass VLAN tags without messing with them)
No switch should touch the VLAN tag, except a managed switch configured for that VLAN. Dumb switches should pass VLAN tags untouched. The exception would be ancient gear that's incapable of passing a frame with both a VLAN tag and full 1500 byte payload, as it would be too large for it to pass. In that case, the frame should be dropped entirely, not passed on with anything mangled.
-
@derelict said in Isolation IPs from the wired network of the same subnet:
We're talking about isolating hosts in the same subnet from each other, but not from the gateway or other necessary hosts.
The only way I'm aware of to do that is a firewall running on the device, that's capable of filtering on MAC addresses. The firewall on OpenSUSE is capable of that.
-
Some switches have a Protected / Private VLAN edge port as John previously mentioned.
Features of a protected port: Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN. Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications. Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN. Both ports and LAGs can be defined as protected or unprotected.