Netgate Discussion Forum
    Help writing firewall rules (client separation)

    Firewalling

    DL_UK

      Hi,

      Relative newbie needing some help.

      I have hooked up a Netgear WAC720 WiFi access point in stand-alone mode to the Netgate. The Netgate is passing out client addresses for WiFi via its DHCP server on that interface to the Netgear WiFi. However, I was scratching my head as to why the client separation in the Netgear WiFi wasn't working, until I realised that the clients must have visibility of each other in the Netgate, as they can all see each other's IPs at this point after the separation enforced by the WiFi. I therefore need to write a firewall rule (or set of rules) that will effectively block all the WiFi clients from seeing each other without blocking them from reaching the Netgear and the Netgate port for internet access, which is on the same IP address range. I had thought of using block-all on that IP range, but then the clients would lose the Netgear WiFi point as a route of access to the internet, as they would be restricted from communicating with it.

      The Netgate port is 10.0.4.1 and holds and issues a static IP of 10.0.4.2 for the Netgear WiFi point. The Netgate passes address leases from 10.0.4.10 upwards to clients.

      Any help to write rules to deal with this please...

      HG

        If this is really happening on L3 and not on L2 somewhere, a rule that blocks all traffic from that interface to 10.0.4.10/24 should help, I believe. It should be placed before the "allow to *" rule you probably have for internet access. I think that's what you were thinking of, too?

        I do not share your concerns, because 1. everything that happens between your clients and the Netgate isn't affected by any firewall rule on the Netgate and 2. this doesn't disturb routing (you do not "access" the Netgate for this), because neither the Netgear nor the Netgate is the destination on IP level. I usually have a rule that just blocks traffic to all private network ranges (including the own range, because I don't whitelist it) on all interfaces of the Netgate and only allow specific traffic, e.g. DNS to the Netgate. Just make sure that you don't lock yourself out of the Netgate (allow HTTPS from your "management network", but usually there is the "Anti-Lockout Rule" that does that for you). ;)

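The ordering point in the reply above, as an added example that is not part of the thread and not Netgate's code. It models pfSense interface rules the way they are applied: top-down, first match wins (rules created in the GUI are "quick"), with an implicit deny at the end. The addressing is taken from the question (WiFi interface net 10.0.4.0/24, Netgate at 10.0.4.1, access point at 10.0.4.2, clients from 10.0.4.10 up); the RFC 1918 block list and the DNS allow to the gateway follow the reply's usual practice; the internet address 203.0.113.10 is a constructed documentation-range value. The evaluator only sees packets that actually arrive at the Netgate's interface at L3; frames switched directly between two clients (or inside the access point) never reach these rules, which is the L2/L3 caveat in the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One interface rule as pfSense would apply it (first match wins)."""
    action: str            # "pass" or "block"
    proto: str             # "any", "tcp" or "udp"
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port
    note: str = ""

    def matches(self, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the ruleset top-down; the first matching rule decides.
    Anything that matches no rule hits pfSense's implicit default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Assumed addressing from the question: gateway .1, AP .2, clients .10 and up.
NETGATE_WIFI_IP = "10.0.4.1"

# Correct order: specific allows to the gateway, then block private ranges
# (including the interface's own 10.0.4.0/24, which sits inside 10.0.0.0/8),
# then the catch-all internet allow. DHCP is not listed because pfSense adds
# its own hidden allow rules for DHCP on interfaces running the DHCP server.
ISOLATED_RULES = [
    Rule("pass", "udp", NETGATE_WIFI_IP + "/32", 53, "DNS to the Netgate"),
    Rule("block", "any", "10.0.0.0/8", None, "RFC 1918, covers own subnet"),
    Rule("block", "any", "172.16.0.0/12", None, "RFC 1918"),
    Rule("block", "any", "192.168.0.0/16", None, "RFC 1918"),
    Rule("pass", "any", "0.0.0.0/0", None, "allow to * (internet)"),
]

# The mistake the reply warns about: the same block rules placed after the
# "allow to *" rule never get a chance to match.
MISORDERED_RULES = [
    Rule("pass", "udp", NETGATE_WIFI_IP + "/32", 53, "DNS to the Netgate"),
    Rule("pass", "any", "0.0.0.0/0", None, "allow to * (internet)"),
    Rule("block", "any", "10.0.0.0/8", None, "RFC 1918, never reached"),
    Rule("block", "any", "172.16.0.0/12", None, "RFC 1918, never reached"),
    Rule("block", "any", "192.168.0.0/16", None, "RFC 1918, never reached"),
]


def client_to_client_isolated(rules: List[Rule]) -> bool:
    """True if a WiFi client cannot reach another WiFi client (SMB as a sample)."""
    action, _ = evaluate(rules, "tcp", "10.0.4.25", 445)
    return action == "block"


def client_still_has_internet(rules: List[Rule]) -> bool:
    """True if DNS to the gateway and HTTPS to an internet host both pass.
    203.0.113.10 is a constructed documentation-range address."""
    dns, _ = evaluate(rules, "udp", NETGATE_WIFI_IP, 53)
    web, _ = evaluate(rules, "tcp", "203.0.113.10", 443)
    return dns == "pass" and web == "pass"


if __name__ == "__main__":
    for name, rules in (("isolated", ISOLATED_RULES),
                        ("misordered", MISORDERED_RULES)):
        print(name, "client->client blocked:", client_to_client_isolated(rules),
              "| internet works:", client_still_has_internet(rules))
```

Run it and the "isolated" set blocks client-to-client traffic while keeping DNS and internet access; the "misordered" set keeps internet access but lets clients reach each other, because the catch-all pass matches first. Note that with this ruleset the clients also cannot reach the access point's own management address at 10.0.4.2, which is fine for internet access since, as the reply says, the access point is never the IP-level destination of that traffic.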
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.