Layer 2 Isolation with same class network (Not Vlan)

Zilog

Hi to all,
i have two client in the same class of network 192.168.1.0/24
_PFsense 192.168.1.1
_Swtich Layer 2
_Client A 192.168.1.10
_Client B 192.168.1.11

The client must be in the alway network , not vlan.
It possibile active layer 2 isolation in such a way that client 1 not see client 2 and the other way around.

Thanka a lot for all support.
By

Derelict

That will be a function of your Layer 2 device, not your router (layer 3 device).

johnpoz

Cisco calls it a private vlan.. Other makers of switches might call it something else. But as Derelict stated this is a function of your layer 2 device, not your router that has zero to do with devices on the same network talking to each other.

https://en.wikipedia.org/wiki/Private_VLAN

Why can you not put devices you don't want talking to each other in their different vlans?

Zilog

Thanks for answer.

A) Dereclit, the function is direct with firewall, for example in the zyxel there is the "Menu Layer 2 isolation" with option that permit to select the device are isolate or not.
The function is direct firewall.

B)Johnpoz, vlan is not correct for this scenario, i don't create one vlan for each pc, specialy if pc is in high number.

The question is if the pfsense support this feactare or not.

Thanks for all.

johnpoz

Not sure what you think your zyxel was doing but it's NOT possible for it to stop devices on the same layer 2 from talking to each other.. you might be able to do that with its "switch" ports.. But there is NO way for it to stop devices connected to a downstream switch from talking to each other...

So your talking about using a zyxel "switch" along with its USG or something... That is controlled at the switch!! not the router.. So you were using a whole zyxel environment - they make switches and AP... So you had layer 2 devices from them..

AP and switches would be your layer 2 device, if you control them on zyxel then you could do such a thing, but pfsense is only a router, at Layer 3.. Maybe at some point netgate will come out with layer 2 devices for a whole environment sort of setup, but currently that is not the case. So you would have to do that sort of setup on your AP and or switches..

Zilog

Hi johnpoz,
it possibile with all layer 2 swtich, funtion too with Zyxel Firewall and Tplink swtich layer2 for example.

Pfsense is a firewall/router, work with vlan (so supper layer2).

The question is the Pfsense support "Layer2 Isolation" or not, if not is in program to develop it?

Thanks a lot.

johnpoz

No dude - it won't work without a smart/managed switch that has this feature... The switch has to support it! Pfsense is a L3 router/firewall - it doesn't do anything to control any switch..

I highly doubt its on any sort of roadmap.. Since it would not be possible to implement control of some 3rd party switch, that could be almost anything..

You set it on your L2 device..

Example - if I wanted private vlans I would set them up here on my SWITCH!!! pfsense doesn't need to know or care about it.. There is zero reason for any such support on a L3 firewall.

kiokoman

you need to understand that stuff like zyxel and tplink are 2 device in one router/firewall + internal switch, they are therefore able to put that option in their devices
pfsense is only a router/firewall and it does not have a managed layer 2 switch inside, ... you said before "Menu Layer 2 isolation"
so it's not something that they can implement with ony an update of the software, the right physical layer 2 switch is also needed

johnpoz

zyxel and tplink also make switches... So they are more likely to have a central control method that can control their switches.. Can promise you if I used switch brand X with zyxel for example it sure wouldn't be able to setup the private lan on some 3rd party branded switch..

Unifi for example has their central control that works when your whole environment is their hardware - so that in the control software you could setup say private vlans..

If netgate at some point in the future got into making netgate branded switches and AP... Then sure you most likely would be able to control such a setting in pfsense or whatever control software they used to manage the complete environment..

But currently that is not the case, pfsense is a L3 firewall/router and does not or have any method of controlling the L2 devices you might have.

Zilog

Hi Johnpoz.
in the switch (layer 2) i don't configure nothing (function with default configuration switch, not central control or smart control) and it works properly.

If pfsense don't support this option not problem.

It not possible utilize pfsense for this feacture.

By.

johnpoz

Dude - I don't know what you think is happening or not happening... But sorry you can not stop a devices from talking to each other on the same network without doing it at the L2 device... just not possible.

Unless your router was arp poisoning every single IP pointing only to its OWN mac, etc.. which would just be nuts..

On a device, look in your arp table... What do you see for the other IPs in your network.

Example

$ arp -a

Interface: 192.168.9.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.9.10          00-11-32-7b-29-7d     dynamic
  192.168.9.11          00-11-32-7b-29-7e     dynamic
  192.168.9.99          70-6e-6d-f3-11-93     dynamic
  192.168.9.253         00-08-a2-0c-e6-24     dynamic
  192.168.9.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

So when this device, 192.168.9.100 wants to talk to 192.168.9.10 for example.. Has zero use for the router, doesn't send the traffic to the router.. The router could be off.. And can still talk to 9.10

Other option could be that your dhcp server on the device only hands out /32 masks.. To think the device is only network of 1 IP... But this doesn't not actually prevent communication - its a stupid trick... Its not actually isolating anything... Client could just change their mask, or setup a static arp, etc. etc.. Its not actual security by any means.. But you could do such a stupid trick via the dhcp server, not sure if pfsense allows for altering what mask gets handed out... But just run some other dhcp server that allows such stupid non-security tricks.

What is the mask on your devices? Do an ipconfig on your machine.

$ ipconfig
Windows IP Configuration
Ethernet adapter Local:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.253

Whats the mask??

BTW - if pfsense did allow this in the gui, I would be disappointed to say the least.. Since its NONSENSE, its not actual security.. Which is what pfsense is about.. Not stupid user tricks to think something is more secure than it is..

To actually secure devices from talking to each other that are on the same L2 network, you have to control the traffic at the L2 device that passes the traffic.. Any sort of tricks to get the client to think its in a smaller network than the actual L2 is, is nothing but smoke and mirrors and not valid security.

Derelict

@Zilog When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly. The firewall (the pfSense node) is not involved at all. You could turn the firewall off and those hosts could still communicate with each other.

As has been said several times, preventing such communication is a function of the Layer 2 device (the switching layer such as a switch or a wireless access point) not the Layer 3 device (the router/firewall).

This is not unique to pfSense. It is how IP on broadcast networks works.

JKnott

@Zilog said in Layer 2 Isolation with same class network (Not Vlan):

The question is the Pfsense support "Layer2 Isolation" or not, if not is in program to develop it?

Again, you're mixing layers. IP is layer 3 only. That said, there is some gear that supports both layer 2 and 3. For example, I have worked with Adtran gear that's a router and a managed switch in the same box. That's the only way you're going to get L2 & 3 in the same box. As for private LANs, that often happens with access points, where devices are not allowed to communicate directly. I also have a managed TP-Link switch that has something called port based VLAN, where I can put individual ports onto VLANs that other ports can't reach.

Tillebeck

I do what what you are asking every day. And as stated by others it need to handled by the switch, not the pfsense router.

pfsense creates your LAN and "send" the LAN to a switch or access point and your client will join the LAN through this switch or access point.

As default on you LAN all clients can see each other and you want to isolate then so they cannot see each other.

It is quite easy. But it is not done in pfsense. It is done in your switch. You log into your switch (need to be managed to do this) either using a gui or cli depending on model. The command depends on the model and age of that model. Old HP will be "filter source-port..." and newer HP/Aruba would be protected port. On ubiquiti it can be done in gui as protected port. Basically you tell your switch the ports that the other ports can communicate with. If port 24 is uplink to router/pfsense and all ports are protected except port 24 than all ports can send data to port 24 only and not to each other.

Again, isolation without vlans is done in the switch. Not in pfsense/router.

chpalmer

@Derelict said in Layer 2 Isolation with same class network (Not Vlan):

When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly

And this is so easy to prove. OP- turn off your router completely removing it from the equation and notice that your devices in the same subnet still happily communicate with each other. (caveat- as long as your router does not also house the "switch".)

Derelict

@chpalmer said in Layer 2 Isolation with same class network (Not Vlan):

(caveat- as long as your router does not also house the "switch".)

And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.

chpalmer

@Derelict said in Layer 2 Isolation with same class network (Not Vlan):

@chpalmer said in Layer 2 Isolation with same class network (Not Vlan):

(caveat- as long as your router does not also house the "switch".)

And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.

Oops.. very true.