Private VLANs and proxy ARP, for firewalling between L2 isolated hosts on same subnet

Hello,

I have pfSense running in a VM on a Linux machine. I have several other VMs (Linux and Windows) running on the same physical host, each of which is connected to a software bridge. I would like to force all hosts to only be able to communicate with each other via the firewall, yet use a single subnet for providing IPs to all isolated hosts.

If it helps to have some context for why I want to do this, I actually have several scenarios, but I'll share the most obvious one. I have several VMs in a DMZ, each of which hosts a single service. I want to ensure that if a host in the DMZ is compromised, it can't just move laterally in the L2 domain to another host in the DMZ. However, complete isolation of hosts from each other isn't possible because there are occasions where they need to talk to each other. Rather than resort to per-host firewalls (if a host is pwned, the host-based firewall can be subverted), I'd like to control host-to-host traffic with pfSense. Lastly, using a single subnet for all the DMZ hosts simplifies my subnetting and routing, because I really don't want to be assigning /30 subnets to each host, sticking each one on its own bridge and then having to manage a sprawling mess of interfaces on pfSense.

If I were doing this on physical hardware, I think I would do it by configuring private VLANs (sometimes called isolated ports) on my switch and designating the uplink port to be a promiscuous port (see RFC 5517). My firewall would be attached to the uplink port and would use proxy ARP to respond to ARP requests on behalf of the hosts attached to each private VLAN port, so that traffic could be "routed" between isolated hosts, while the firewall filters the host-to-host traffic.

I'm trying to work out an equivalent configuration with pfSense and I'm wondering if anyone here has set up something like this before?

On the Linux bridge, I know that I can accomplish the client-to-client isolation by using ebtables. It's the pfSense side that I need help with.

Thanks in advance for any insights you're willing to share!
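As an added example (not from the original post, nor from pfSense/Netgate) of the Linux-bridge side the poster mentions, the script below generates ebtables FORWARD rules that give bridge ports the RFC 5517 isolated/promiscuous semantics: each VM port may exchange frames only with the pfSense uplink port, so every VM-to-VM frame, including ARP broadcasts, is dropped at the bridge and the firewall is the only path between hosts. The port names (vnet-fw for the uplink, vnet-web and vnet-db for the isolated VMs) are assumed; the pfSense side (answering ARP for the isolated hosts and routing between them) is not configured here.

```shell
#!/bin/sh
# Added example: RFC 5517-style port isolation on a Linux bridge with ebtables.
# The rules match on bridge ports (-i/-o), not on MAC or IP addresses, so a
# compromised VM cannot escape them by spoofing its MAC or IP.
# Port names below are hypothetical. DRY_RUN=1 (the default) prints the
# ebtables commands instead of executing them, so the script runs without
# root or an existing bridge; set DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# pvlan_rules UPLINK ISOLATED_PORT...
# Emits one FORWARD policy: default DROP, then accept frames only between
# each isolated port and the uplink (promiscuous) port, in both directions.
# Because the bridge evaluates FORWARD once per egress port for flooded
# frames, an ARP request from an isolated VM reaches only the uplink, where
# the firewall answers via proxy ARP; other isolated VMs never see it.
pvlan_rules() {
  uplink=$1
  shift
  run ebtables -F FORWARD
  run ebtables -P FORWARD DROP
  for port in "$@"; do
    run ebtables -A FORWARD -i "$port" -o "$uplink" -j ACCEPT
    run ebtables -A FORWARD -i "$uplink" -o "$port" -j ACCEPT
  done
}

# pvlan_rule_count UPLINK ISOLATED_PORT...
# Returns the number of ebtables commands the policy consists of
# (2 for flush and default policy, plus 2 per isolated port).
pvlan_rule_count() {
  pvlan_rules "$@" | grep -c .
}

# Usage: the uplink to pfSense first, then every isolated VM port.
pvlan_rules vnet-fw vnet-web vnet-db
```

Note that the bridge's own INPUT/OUTPUT chains are untouched, so if the hypervisor host has an address on the bridge it is not isolated by these rules.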

