if...then filtering/blocking

  • Hi,

    I was wondering if there's a way to block clients in one network that are connected to two different VLANs at the same time.

    Example: On OSX you can set up virtual interfaces on the same physical network interface to connect to another (tagged) VLAN on a trunk at the same time, essentially creating a bridge between the two networks in terms of where data can be sent.

    Let's say one of the networks can go out to the internet and the other is an internal production LAN with file servers.

    I want to prevent a machine from being connected to a file server AND being able to reach the internet at the same time, to avoid easy exfiltration of data from the file server directly to the internet.

    So is there a trick that would allow the machine to connect to the internet (for a software update) OR the internal LAN, but not both at the same time? Just to avoid a straight upload from a file server to the internet via that connected machine?
    Like blocking the VLAN that can reach the internet if the machine shows up on the internal LAN at the same time? Or blocking the internal LAN when it's on the internet?

    Is that too much to ask of a firewall, and do I need some kind of advanced managed endpoint security system?

    Maybe I can't see the forest because of all the trees.


  • Just don't allow tagged packets on access ports?
    You are creating a non-existent problem....

  • Yeah, I hear you. Problem is that sometimes these machines need to connect to the internet but the users forget to deactivate the virtual interface. I just want to create a minimal "annoyance" that reminds users that they should not be in both networks at the same time.

    It would be less work than constantly deactivating/activating individual allow/block rules from my end every time someone wants to upload something legit and then not tag both networks.

    I'm aware this won't stop the "evil house maid", but at least I wouldn't have to remind users to turn off the internet VLAN when they don't absolutely have to be online, constantly "policing" the DHCP leases.


  • @Klaus2314
    The traffic has to pass the firewall, otherwise you don't have any control over it.

    So the only way I can think of is to provide two different VLANs to the users and allow only these.
    If the user is on VLAN1 he can access the internet.
    If he is on VLAN2 he can only access internal hosts.

  • Yeah that's exactly what they are getting. Thing is: On OSX you can simply add a virtual interface to your physical network port and access VLAN 1 and VLAN2 at the same time.

    So the FW sees all that traffic, but can I block one of them only when both are active, and only then? Just not always.

  • Ahh, both VLANs concurrently? That might be a problem...

  • Yes, I do remember working out of a facility that had some kind of trick that would block internet access as soon as you had a file server mounted to your machine.

    My example is just for two wired VLANs, but another scenario could be a user that has an SMB share mounted and turns on WiFi at the same time.

    So generally I wondered if there's a technology that simply drops internet access for a client as soon as it's connected to a LAN that's not supposed to get to the internet. Maybe a FW is not made for that?
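
    The check asked for here (block a client's internet VLAN address only while the same host is also present on the internal VLAN) can be approximated on the firewall itself, since as the gateway of both VLANs it sees the host's MAC in the ARP table of both VLAN interfaces. The following is an added example, not code from this thread or from pfSense: it parses constructed ARP-table lines in the style of FreeBSD `arp -an` output, finds MACs that appear on both the assumed interfaces `igb0.10` (internet VLAN) and `igb0.20` (internal VLAN), and returns the internet-VLAN IPs that a block rule should cover.

```python
import re
from collections import defaultdict

# Matches the "(ip) at mac on iface" part of a FreeBSD-style `arp -an` line.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample in the style of `arp -an` on the firewall (not real data).
# aa:bb:01 has an address on BOTH VLAN interfaces -> dual-homed client.
SAMPLE_ARP = """\
? (192.168.10.20) at 00:11:22:aa:bb:01 on igb0.10 expires in 1100 seconds [vlan]
? (192.168.20.20) at 00:11:22:aa:bb:01 on igb0.20 expires in 900 seconds [vlan]
? (192.168.10.21) at 00:11:22:aa:bb:02 on igb0.10 expires in 1000 seconds [vlan]
? (192.168.20.30) at 00:11:22:aa:bb:03 on igb0.20 permanent [vlan]
"""

def parse_arp(text):
    """Return (mac, ip, iface) tuples for every parsable ARP line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["mac"].lower(), m["ip"], m["iface"]))
    return entries

def find_dual_homed(entries, internet_iface, internal_iface):
    """Map MAC -> internet-VLAN IP for hosts seen on both interfaces.

    Only hosts present on both VLANs are returned, so a host that is
    on just one network at a time is never blocked.
    """
    by_mac = defaultdict(dict)  # mac -> {iface: ip}
    for mac, ip, iface in entries:
        by_mac[mac][iface] = ip
    return {
        mac: ifaces[internet_iface]
        for mac, ifaces in by_mac.items()
        if internet_iface in ifaces and internal_iface in ifaces
    }

def block_commands(dual_homed, table="dualhomed"):
    """Render pf table updates for the offending internet-VLAN IPs.

    `dualhomed` is an assumed table/alias name; a firewall rule that blocks
    traffic from that table to the internet is what actually enforces it.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(dual_homed.values())]

if __name__ == "__main__":
    hits = find_dual_homed(parse_arp(SAMPLE_ARP), "igb0.10", "igb0.20")
    for mac, ip in hits.items():
        print(f"{mac} is on both VLANs; internet-side address {ip}")
    print("\n".join(block_commands(hits)))
```

    The check relies on the VLAN virtual interface sharing the physical port's MAC (the OSX default), so a client that uses a different MAC per interface would not be matched. Run it from cron or a pfSense shell script and pair it with a removal pass so addresses leave the table once the host drops off one of the VLANs.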

  • @Klaus2314

    If a device has been set up for both networks, then it can pass traffic between them, completely independent of pfSense. For example, I run Linux and it's very easy to set it up to route between networks. In fact, my first couple of firewalls were Linux configured as routers. It's exactly the same thing with FreeBSD, which pfSense is built on. If you read a bit of the history, you'll find the Internet was essentially built on *nix, including routers.

  • I think you can do this with a couple of operating system tricks. You said Mac OSX, so here's how I think it could work. I apologize, I have never tried this myself, but it seems like it should work. And I use mostly Mac OSX, and have seen this in the past.

    So, there's a way in the Network Preferences to set up multiple "Locations". I think you can set up one VLAN in one location, and set up the other VLAN in the other location. The user should then be able to switch back and forth. I don't know what that will do to any "active" file server connections during the switch; I believe they drop and disconnect. One VLAN can be active in one location, the other VLAN can be active in the other.

    There's also a way to LOCK the network settings, so no changes can be made without an administrator password.


    This might be a little too restrictive, so that's why I said it "should" work. It might get to be a pain in the a$$ if your users always have to contact you to get the admin password. You'd have to give it a try and see how good or bad it works. In my mind it works, I just can't figure out how seamless or easy-to-use it would be.

    Hope that helps.

  • As I said, you do not allow multiple VLANs on an access port.

    If you want to prevent this clusterfuck then just use 2 separate ports ....
