Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Layer 2 Isolation with same class network (Not Vlan)

    Scheduled Pinned Locked Moved L2/Switching/VLANs
    17 Posts 7 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      Zilog
      last edited by

      Hi to all,
      i have two client in the same class of network 192.168.1.0/24
      _PFsense 192.168.1.1
      _Swtich Layer 2
      _Client A 192.168.1.10
      _Client B 192.168.1.11

      The client must be in the alway network , not vlan.
      It possibile active layer 2 isolation in such a way that client 1 not see client 2 and the other way around.

      Thanka a lot for all support.
      By

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        That will be a function of your Layer 2 device, not your router (layer 3 device).

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          Cisco calls it a private vlan.. Other makers of switches might call it something else. But as Derelict stated this is a function of your layer 2 device, not your router that has zero to do with devices on the same network talking to each other.

          https://en.wikipedia.org/wiki/Private_VLAN

          Why can you not put devices you don't want talking to each other in their different vlans?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • Z
            Zilog
            last edited by Zilog

            Thanks for answer.

            A) Dereclit, the function is direct with firewall, for example in the zyxel there is the "Menu Layer 2 isolation" with option that permit to select the device are isolate or not.
            The function is direct firewall.

            B)Johnpoz, vlan is not correct for this scenario, i don't create one vlan for each pc, specialy if pc is in high number.

            The question is if the pfsense support this feactare or not.

            Thanks for all.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              Not sure what you think your zyxel was doing but it's NOT possible for it to stop devices on the same layer 2 from talking to each other.. you might be able to do that with its "switch" ports.. But there is NO way for it to stop devices connected to a downstream switch from talking to each other...

              So your talking about using a zyxel "switch" along with its USG or something... That is controlled at the switch!! not the router.. So you were using a whole zyxel environment - they make switches and AP... So you had layer 2 devices from them..

              AP and switches would be your layer 2 device, if you control them on zyxel then you could do such a thing, but pfsense is only a router, at Layer 3.. Maybe at some point netgate will come out with layer 2 devices for a whole environment sort of setup, but currently that is not the case. So you would have to do that sort of setup on your AP and or switches..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • Z
                Zilog
                last edited by

                Hi johnpoz,
                it possibile with all layer 2 swtich, funtion too with Zyxel Firewall and Tplink swtich layer2 for example.

                Pfsense is a firewall/router, work with vlan (so supper layer2).

                The question is the Pfsense support "Layer2 Isolation" or not, if not is in program to develop it?

                Thanks a lot.

                JKnottJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  No dude - it won't work without a smart/managed switch that has this feature... The switch has to support it! Pfsense is a L3 router/firewall - it doesn't do anything to control any switch..

                  I highly doubt its on any sort of roadmap.. Since it would not be possible to implement control of some 3rd party switch, that could be almost anything..

                  You set it on your L2 device..

                  Example - if I wanted private vlans I would set them up here on my SWITCH!!! pfsense doesn't need to know or care about it.. There is zero reason for any such support on a L3 firewall.

                  switch.jpg

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • kiokomanK
                    kiokoman LAYER 8
                    last edited by

                    you need to understand that stuff like zyxel and tplink are 2 device in one router/firewall + internal switch, they are therefore able to put that option in their devices
                    pfsense is only a router/firewall and it does not have a managed layer 2 switch inside, ... you said before "Menu Layer 2 isolation"
                    so it's not something that they can implement with ony an update of the software, the right physical layer 2 switch is also needed

                    ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      zyxel and tplink also make switches... So they are more likely to have a central control method that can control their switches.. Can promise you if I used switch brand X with zyxel for example it sure wouldn't be able to setup the private lan on some 3rd party branded switch..

                      Unifi for example has their central control that works when your whole environment is their hardware - so that in the control software you could setup say private vlans..

                      If netgate at some point in the future got into making netgate branded switches and AP... Then sure you most likely would be able to control such a setting in pfsense or whatever control software they used to manage the complete environment..

                      But currently that is not the case, pfsense is a L3 firewall/router and does not or have any method of controlling the L2 devices you might have.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • Z
                        Zilog
                        last edited by Zilog

                        Hi Johnpoz.
                        in the switch (layer 2) i don't configure nothing (function with default configuration switch, not central control or smart control) and it works properly.

                        If pfsense don't support this option not problem.

                        It not possible utilize pfsense for this feacture.

                        By.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          Dude - I don't know what you think is happening or not happening... But sorry you can not stop a devices from talking to each other on the same network without doing it at the L2 device... just not possible.

                          Unless your router was arp poisoning every single IP pointing only to its OWN mac, etc.. which would just be nuts..

                          On a device, look in your arp table... What do you see for the other IPs in your network.

                          Example

                          $ arp -a
                          
                          Interface: 192.168.9.100 --- 0xb
                            Internet Address      Physical Address      Type
                            192.168.9.10          00-11-32-7b-29-7d     dynamic
                            192.168.9.11          00-11-32-7b-29-7e     dynamic
                            192.168.9.99          70-6e-6d-f3-11-93     dynamic
                            192.168.9.253         00-08-a2-0c-e6-24     dynamic
                            192.168.9.255         ff-ff-ff-ff-ff-ff     static
                            224.0.0.22            01-00-5e-00-00-16     static
                            239.255.255.250       01-00-5e-7f-ff-fa     static
                          

                          So when this device, 192.168.9.100 wants to talk to 192.168.9.10 for example.. Has zero use for the router, doesn't send the traffic to the router.. The router could be off.. And can still talk to 9.10

                          Other option could be that your dhcp server on the device only hands out /32 masks.. To think the device is only network of 1 IP... But this doesn't not actually prevent communication - its a stupid trick... Its not actually isolating anything... Client could just change their mask, or setup a static arp, etc. etc.. Its not actual security by any means.. But you could do such a stupid trick via the dhcp server, not sure if pfsense allows for altering what mask gets handed out... But just run some other dhcp server that allows such stupid non-security tricks.

                          What is the mask on your devices? Do an ipconfig on your machine.

                          $ ipconfig
                          Windows IP Configuration
                          Ethernet adapter Local:
                             Connection-specific DNS Suffix  . :
                             IPv4 Address. . . . . . . . . . . : 192.168.9.100
                             Subnet Mask . . . . . . . . . . . : 255.255.255.0
                             Default Gateway . . . . . . . . . : 192.168.9.253
                          

                          Whats the mask??

                          BTW - if pfsense did allow this in the gui, I would be disappointed to say the least.. Since its NONSENSE, its not actual security.. Which is what pfsense is about.. Not stupid user tricks to think something is more secure than it is..

                          To actually secure devices from talking to each other that are on the same L2 network, you have to control the traffic at the L2 device that passes the traffic.. Any sort of tricks to get the client to think its in a smaller network than the actual L2 is, is nothing but smoke and mirrors and not valid security.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 0
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by Derelict

                            @Zilog When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly. The firewall (the pfSense node) is not involved at all. You could turn the firewall off and those hosts could still communicate with each other.

                            As has been said several times, preventing such communication is a function of the Layer 2 device (the switching layer such as a switch or a wireless access point) not the Layer 3 device (the router/firewall).

                            This is not unique to pfSense. It is how IP on broadcast networks works.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            chpalmerC 1 Reply Last reply Reply Quote 0
                            • JKnottJ
                              JKnott @Zilog
                              last edited by

                              @Zilog said in Layer 2 Isolation with same class network (Not Vlan):

                              The question is the Pfsense support "Layer2 Isolation" or not, if not is in program to develop it?

                              Again, you're mixing layers. IP is layer 3 only. That said, there is some gear that supports both layer 2 and 3. For example, I have worked with Adtran gear that's a router and a managed switch in the same box. That's the only way you're going to get L2 & 3 in the same box. As for private LANs, that often happens with access points, where devices are not allowed to communicate directly. I also have a managed TP-Link switch that has something called port based VLAN, where I can put individual ports onto VLANs that other ports can't reach.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              1 Reply Last reply Reply Quote 0
                              • T
                                Tillebeck
                                last edited by

                                I do what what you are asking every day. And as stated by others it need to handled by the switch, not the pfsense router.

                                pfsense creates your LAN and "send" the LAN to a switch or access point and your client will join the LAN through this switch or access point.

                                As default on you LAN all clients can see each other and you want to isolate then so they cannot see each other.

                                It is quite easy. But it is not done in pfsense. It is done in your switch. You log into your switch (need to be managed to do this) either using a gui or cli depending on model. The command depends on the model and age of that model. Old HP will be "filter source-port..." and newer HP/Aruba would be protected port. On ubiquiti it can be done in gui as protected port. Basically you tell your switch the ports that the other ports can communicate with. If port 24 is uplink to router/pfsense and all ports are protected except port 24 than all ports can send data to port 24 only and not to each other.

                                Again, isolation without vlans is done in the switch. Not in pfsense/router.

                                1 Reply Last reply Reply Quote 0
                                • chpalmerC
                                  chpalmer @Derelict
                                  last edited by

                                  @Derelict said in Layer 2 Isolation with same class network (Not Vlan):

                                  When two hosts on the same subnet communicate, the traffic is not sent to a router at all. They ARP for each other and communicate directly

                                  And this is so easy to prove. OP- turn off your router completely removing it from the equation and notice that your devices in the same subnet still happily communicate with each other. (caveat- as long as your router does not also house the "switch".)

                                  Triggering snowflakes one by one..
                                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                  1 Reply Last reply Reply Quote 0
                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    @chpalmer said in Layer 2 Isolation with same class network (Not Vlan):

                                    (caveat- as long as your router does not also house the "switch".)

                                    And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    chpalmerC 1 Reply Last reply Reply Quote 0
                                    • chpalmerC
                                      chpalmer @Derelict
                                      last edited by

                                      @Derelict said in Layer 2 Isolation with same class network (Not Vlan):

                                      @chpalmer said in Layer 2 Isolation with same class network (Not Vlan):

                                      (caveat- as long as your router does not also house the "switch".)

                                      And don't mistake things like inability to resolve DNS or obtain DHCP as their inability to directly communicate.

                                      Oops.. very true.

                                      Triggering snowflakes one by one..
                                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.