Netgate Discussion Forum

if...then filtering/blocking

Firewalling
Klaus2314 (last edited by Klaus2314):

      Hi,

      I was wondering if there's a way to block clients in one network that are connected to two different VLANs at the same time.

Example: On OSX you can set up virtual interfaces on the same physical network interface to connect to another (tagged) VLAN on a trunk at the same time, essentially creating a bridge between the two networks in terms of where data can be sent.

      Let's say one of the networks can go out to the internet and the other is an internal production LAN with file servers.

I want to prevent a machine from being connected to a file server AND able to reach the internet at the same time, to avoid easy exfiltration of data from the file server directly to the internet.

So is there a trick that would allow the machine to connect to the internet (for a software update) OR the internal LAN, but not both at the same time? Just to avoid a straight upload from a file server to the internet via that connected machine?
Like blocking the VLAN that can reach the internet if the machine shows up on the internal LAN at the same time? Or blocking the internal LAN when it's on the internet?

      Is that too much to ask for a firewall and I need some kind of advanced managed end point security system?

      Maybe I can't see the forest because of all the trees.

      Thanks!

heper:

        Just don't allow tagged packets on access ports?
You are creating a non-existent problem....

Klaus2314 (last edited by Klaus2314):

          Yeah, I hear you. Problem is that sometimes these machines need to connect to the internet but the users forget to deactivate the virtual interface. I just want to create a minimal "annoyance" that reminds users that they should not be in both networks at the same time.

That would be less work than constantly deactivating/activating individual allow/block rules on my end every time someone wants to upload something legit and then not tag both networks.

I'm aware this won't stop the "evil house maid", but at least I wouldn't have to remind users to turn off the internet VLAN when they don't absolutely have to be online by constantly "policing" the DHCP leases.

          Thanks!

viragomann @Klaus2314:

            @Klaus2314
The traffic has to pass the firewall, otherwise you don't have any control over it.

So the only way I can think of is to provide two different VLANs to the users and allow only these.
            If the user is on VLAN1 he can access the internet.
            If he is on VLAN2 he can only access internal hosts.

Klaus2314 (last edited by Klaus2314):

Yeah, that's exactly what they are getting. Thing is: on OSX you can simply add a virtual interface to your physical network port and access VLAN 1 and VLAN 2 at the same time.

So the FW sees all that traffic, but can I block one of them only when both are active, and only then? Just not always.

viragomann:

                Ahh, both VLANs concurrently? That might be a problem...

Klaus2314 @viragomann:

                  Yes, I do remember working out of a facility that had some kind of trick that would block internet access as soon as you had a file server mounted to your machine.

My example is just for two wired VLANs, but another scenario could be a user that has an SMB share mounted and turns on WiFi at the same time.

                  So generally I wondered if there's a technology that simply drops internet access for a client as soon as he's connected to a LAN that's not supposed to get to the internet. Maybe a FW is not made for that?

JKnott @Klaus2314:
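Klaus2314's two requests above (block the internet VLAN when a machine "shows up on the internal LAN at the same time", and drop internet access "as soon as he's connected to a LAN that's not supposed to get to the internet") can at least be detected from the firewall's own ARP view, since a macOS VLAN sub-interface shares the MAC of its physical port. The script below is an added example, not code from the thread or from pfSense: it parses text in the shape of FreeBSD `arp -an` output (the sample here is constructed, not a real capture), flags any MAC present on both VLAN interfaces, and builds the `pfctl` table commands that would cut that client's internet-side address off. The interface names `vlan10`/`vlan20` and the table name `dualhomed_block` are assumptions; a pfSense alias of that name, referenced by a block rule on the internet VLAN, is assumed to exist. Note the caveat from the rest of the thread: this only detects the condition after the fact and does nothing about the client relaying between the two networks itself; heper's fix (no tagged frames on access ports) is what actually prevents it.

```python
import re
from collections import defaultdict

# Constructed sample modelled on FreeBSD `arp -an` output as seen on pfSense.
# The first two lines are the same MAC answering on both VLAN interfaces.
SAMPLE_ARP = """\
? (192.168.10.5) at 00:11:22:33:44:55 on vlan10 expires in 1181 seconds [vlan]
? (192.168.20.7) at 00:11:22:33:44:55 on vlan20 expires in 1170 seconds [vlan]
? (192.168.10.9) at aa:bb:cc:dd:ee:01 on vlan10 expires in 900 seconds [vlan]
? (192.168.20.3) at aa:bb:cc:dd:ee:02 on vlan20 expires in 950 seconds [vlan]
? (192.168.10.1) at 00:08:a2:0a:0b:0c on vlan10 permanent [vlan]
"""

# Assumed interface names: which pfSense interface carries the internet-capable
# VLAN and which carries the internal file-server LAN.
INTERNET_VLAN_IF = "vlan10"
INTERNAL_LAN_IF = "vlan20"

# Only the address, MAC and interface fields matter; expiry text is ignored.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+)", re.I
)


def parse_arp(text):
    """Return a list of (ip, mac, ifname) tuples from arp -an style text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("ifname")))
    return entries


def find_dual_homed(entries, internet_if=INTERNET_VLAN_IF, internal_if=INTERNAL_LAN_IF):
    """Return {mac: {"internet": [ips], "internal": [ips]}} for every MAC that is
    present on BOTH the internet VLAN and the internal LAN at the same time."""
    seen = defaultdict(lambda: {"internet": [], "internal": []})
    for ip, mac, ifname in entries:
        if ifname == internet_if:
            seen[mac]["internet"].append(ip)
        elif ifname == internal_if:
            seen[mac]["internal"].append(ip)
    return {mac: v for mac, v in seen.items() if v["internet"] and v["internal"]}


def block_commands(dual, table="dualhomed_block"):
    """Build pfctl commands adding each offender's internet-VLAN address to a pf
    table (assumed to be referenced by a block rule on the internet VLAN).
    Returned as strings so the caller can review, log or run them."""
    cmds = []
    for mac in sorted(dual):
        for ip in dual[mac]["internet"]:
            cmds.append(f"pfctl -t {table} -T add {ip}")
    return cmds


if __name__ == "__main__":
    # On a real box you would feed in: subprocess.check_output(["arp", "-an"], text=True)
    dual = find_dual_homed(parse_arp(SAMPLE_ARP))
    for mac, v in dual.items():
        print(f"{mac}: internet={v['internet']} internal={v['internal']}")
    for cmd in block_commands(dual):
        print(cmd)
```

Run it from cron on the firewall against live `arp -an` output, and pair it with a matching `-T delete` once the MAC disappears from the internal VLAN so the "annoyance" Klaus2314 asked for clears itself. Matching on MAC rather than IP is deliberate: the client gets a different address on each VLAN, but its hardware address is the same on both.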

                    @Klaus2314

If a device has been set up for both networks, then it can pass traffic between them, completely independent of pfSense. For example, I run Linux and it's very easy to set it up to route between networks. In fact, my first couple of firewalls were Linux configured as routers. It's exactly the same thing with FreeBSD, which pfSense is built on. If you read a bit of the history, you'll find the Internet was essentially built on *nix, including routers.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

akuma1x:

                      I think you can do this with a couple of operating system tricks. You said Mac OSX, so here's how I think it could work. I apologize, I have never tried this myself, but it seems like it should work. And I use mostly Mac OSX, and have seen this in the past.

So, there's a way in the Network Preferences to set up multiple "Locations". I think you can set up one VLAN in one location, and set up the other VLAN in the other location. The user should then be able to switch back and forth. I don't know what that will do to any "active" file server connections during the switch; I believe they drop and disconnect. One VLAN can be active in one location, the other VLAN can be active in the other.

                      There's also a way to LOCK the network settings, so no changes can be made without an administrator password.

                      https://discussions.apple.com/thread/5523019

This might be a little too restrictive, so that's why I said it "should" work. Might get to be a pain in the a$$ if your users always have to contact you to get the admin password. You'd have to give it a try and see how good or bad it works. In my mind it works, I just can't figure out how seamless or easy to use it would be.

                      Hope that helps.

heper:

As I said, you do not allow multiple VLANs on an access port.

If you want to prevent this clusterfuck then just use 2 separate ports ....

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.