Netgate Discussion Forum

What options are available for LAN isolation with tcp/ip based exceptions? Do any of them allow for common subnet?

General pfSense Questions
7 Posts 5 Posters 754 Views
bobleny, last edited Feb 16, 2021, 4:00 AM

I have several devices on my LAN, and I would like all of the devices to be isolated from each other, with certain configurable exceptions.
I know this is an incredibly uncommon request. /s

The basic idea of course is to permit only certain devices to establish a connection with certain other devices over certain ports.
Examples of this would be to allow only DeviceA to establish a connection with DeviceB over tcp port 22.
Or to allow DeviceA and DeviceC to connect to DeviceB over tcp port 80.
Or to allow any device to connect to DeviceC over tcp port 443.

The only way I know to do this is to put each device on its own interface. From there, setting up the firewall rules is fairly straightforward. However, as near as I can tell, each interface must have its own subnet.

So, is there a way to achieve this level of control with the same subnet?
Is this the preferred method of handling this on a simple network?
What are some of the other options for doing this, assuming there are any?
Gertjan @bobleny, last edited Feb 16, 2021, 6:51 AM

Do you remember this instant:
You open up the box containing your new Windows 7/8/10 computer.
You fire it up, enter your name, password, and connect it to your own local network.
Windows asks you a question:
Is this a public, non-trusted, network?
Or
Is this a private, trusted, or company network?

If you select Public, the local Windows firewall will neither accept nor use local network IPs, except the local DNS and gateway, so it can use the Internet.

By now, you'll understand: your question has nothing to do with the firewall rules on the local gateway, pfSense.
What you want is enforced on every local network device. The switch(es) you use to interconnect all these devices connect them all together: traffic from device A to B will never pass by - enter or leave - pfSense, the gateway.

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??

keyser Rebel Alliance @bobleny, last edited Feb 16, 2021, 8:30 AM

@bobleny There are four feasible ways to achieve what you are looking for:

1: Place each unit in its own subnet and on its own interface (VLAN) on pfSense, and filter using pfSense firewall rules.
Not a very scalable solution, and very time consuming. A lot of “easy use” features based on Bonjour/mDNS stop working unless you start proxying that specifically.

2: Bridge A LOT of interfaces in pfSense, and place each unit on its own pfSense interface - but within the same subnet. Like above, not a scalable solution, and there will be a performance cost.

3: Get a properly managed switch that can ACL filter traffic at the interface level. This leaves all units in the same subnet, and scales fairly well because a well written access list can apply to multiple/all interfaces.

4: Like suggested earlier - do the filtering at the device firewall level for all devices that have a builtin firewall. For those that do not - look to solutions 1 -> 3 above.

So there is no easy fix for your request, but option 3 is by far the “best” - but also most costly - solution.

Love the no fuss of using the official appliances :-)

stephenw10 Netgate Administrator, last edited Feb 16, 2021, 5:32 PM

Yup, no easy way to do this. How many devices are you talking about?

JKnott @bobleny, last edited Feb 16, 2021, 5:34 PM

@bobleny

How much isolation do you need? Some managed switches can be configured so that devices on different ports can't communicate with each other.

pfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

bobleny, last edited Feb 17, 2021, 6:05 AM

@gertjan Thank you for the suggestion. That is currently how the isolation is set up, though with iptables (no Windows here).

@keyser #1 This is what I was originally intending on doing; in fact I currently have everything set up this way with the default allow-all firewall rules.
#2 This is interesting. I was under the impression that bridged interfaces behaved like a "dumb" switch, in that all devices on the bridged network were unfilterable and free to communicate with each other. I will do more research on this as I know little (apparently nothing) about bridged interfaces.
#3 I will see what options are available to me. I know managed switches can get pricey pretty quickly.

@stephenw10 Currently about 7, only 3 are wired at the moment. I have about another 7 devices planned, but most of those will hopefully be on their own isolated network, and will mostly be hands off. In any event, not enough to worry too much about the best solution.

@JKnott Any device on my network that gives me access to its firewall at minimum has its inbound traffic set to only accept established connections. On my servers, which have well established network requirements, and untrusted devices, I also block all outbound traffic with required exceptions (e.g. dns and ntp ports, and the current ip blocks for os/package updates). So in general, as much as is feasible. However, as several of the devices on my network are not easily accessible, I use SSH to manage them. Also, several of the devices serve up websites or information to other devices on the network, so complete isolation just isn't an option.

There are issues/challenges with my current network setup, but in general, I am trying to understand my options and their limitations.

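As an added illustration of option 4 in keyser's list and the per-host policy the OP describes (iptables, inbound limited to established connections plus specific exceptions, outbound locked down to DNS and NTP), here is a host ruleset for DeviceB that accepts SSH only from DeviceA and HTTP from DeviceA and DeviceC. This is example code, not from the thread; the addresses are constructed placeholders and the IPT dry-run switch is an assumption, so by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: host firewall policy for "DeviceB" (option 4 in the thread).
# Addresses below are constructed placeholders, not values from the thread.
DEVICE_A="${DEVICE_A:-192.0.2.10}"
DEVICE_C="${DEVICE_C:-192.0.2.30}"
DNS_SERVER="${DNS_SERVER:-192.0.2.1}"
NTP_SERVER="${NTP_SERVER:-192.0.2.1}"
# Dry run by default: prints the iptables commands instead of applying them.
# Set IPT=iptables (as root) to apply the policy for real.
IPT="${IPT:-echo iptables}"

apply_host_policy() {
    # Flush and default-deny both directions; loopback stays open.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Traffic belonging to connections already accepted or opened by this host.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound exceptions: SSH only from DeviceA, HTTP from DeviceA and DeviceC.
    # --syn matches only connection attempts; replies are covered above.
    $IPT -A INPUT -p tcp -s "$DEVICE_A" --dport 22 --syn -j ACCEPT
    $IPT -A INPUT -p tcp -s "$DEVICE_A" --dport 80 --syn -j ACCEPT
    $IPT -A INPUT -p tcp -s "$DEVICE_C" --dport 80 --syn -j ACCEPT
    # Outbound exceptions: DNS and NTP to the configured servers only.
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$NTP_SERVER" --dport 123 -j ACCEPT
    # Rate-limited logging of what the default policy drops, so the
    # exception list can be tuned from evidence rather than guesswork.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "hostfw-out-drop: "
}

apply_host_policy
```

Apply it from the console rather than over SSH, since the flush and default-drop take effect before the exceptions are re-added.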
stephenw10 Netgate Administrator, last edited Feb 17, 2021, 1:23 PM

Ok, 7 devices is sufficiently few that you could conceivably add NICs and bridge them if you really wanted them all in the same subnet but still with filtering between them.
I would still question if that is necessary though.

Steve
