Access only one PC from another subnet

tiagowippel · Jan 22, 2021, 1:14 PM

Hi guys,

In my config i have 2 separated subnets (A: 192.168.62.0/24 and B: 192.168.65.0/24)

I want to access only one IP of subnet B (192.168.65.11 for example) from any PC of subnet A

How can I do that ? PFSENSE IP is 192.168.62.1

Thanks

johnpoz · Jan 22, 2021, 1:14 PM

On subnet A interface create an allow rule to that IP, then below that create a block list to subnet B..

Below that would be your any any rule to the internet.

Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

tiagowippel · Jan 22, 2021, 1:35 PM

@johnpoz I am afraid that I forgot to mention that the 2 subnets are on the same LAN, I have only one interface.

johnpoz · Jan 22, 2021, 1:45 PM

Well that is borked.. You don't run multiple L3 on the same L2..

If you only have 1 physical interface, then your 2nd network would be a vlan. So that they are actually isolated from each other. Do you have a vlan capable switch, AP? etc..

While you could bounce traffic off pfsense via a VIP for the other network.. If the devices no matter what their IPs are on the same L2 network. There is nothing stopping them from talking to each other if they wanted too.

If you want to isolate devices from each other, they need to be on different L2 (layer 2) networks. This is either done completely physical or with vlans.

tiagowippel · Jan 22, 2021, 2:15 PM

@johnpoz understood, thanks for the help.

johnpoz · Jan 22, 2021, 3:15 PM

If you need help setting that up - just ask..

But if your goal is isolation - which I assume it is because your asking how to only allow 1 IP, and block others. Then you really need to create two different L2 networks (vlans or completely different physical networks - 2 interfaces on pfsense with 2 different dumb switches).

Another option would be to just put them all on the same L2 (same L3 as well), but make it a private vlan... And then you can let X talk to Y, and A talk to D, but block Z from talking to A, etc. Via setting on your switch that support private vlans. But you need a switch that supports that.

Simple solution to keeping A from talking to B, is put them on different actually isolated networks. And then filtering whatever traffic you want to allow/block on pfsense.