Controlling traffic within same interface

  • Sorry if this has been asked before, but I was unsuccessful in finding anything in searching the forum, though I'm not entirely sure what I should be searching for anyway.

    I have several computers hooked into a small switch (Linksys EZXS55W) which is connected to the LAN interface on my pfSense machine.  Firewall rules between LAN and any other interface work fine (ex: My wireless interface and LAN), but it's not controlling traffic within the LAN.

    Ideally, I'd like it so that my computers on the LAN interface can access the internet, but have limited access to each other.  I'd also like to control traffic from my computers to the pfSense machine itself (to block HTTPS access to all other machines but this one), but that does not seem to be controlled either.

    When I do a tracert from one system on my LAN to another I get just one single hop, straight to that machine.  Is there some way I can route all the traffic through the pfSense machine first?  Thanks in advance for any help.

  • In short: no. The idea of a LAN is that each machine can communicate directly with any other on the local network, without contacting a router. pfSense can't even see that local traffic (because you have a switch), let alone control it. There are some messy workarounds to this, but it's not worth the effort or confusion.

    The solution is that you need to create a separate LAN for each PC. To do this reasonably, you need to either have a separate interface for each PC, or use a VLAN-capable switch to accomplish the segregation. Then all traffic must flow through pfSense to reach the other LANs and you will have full control.

    You should, however, be able to control access to the pfSense WebUI or any other service running on pfSense, but you need to disable the 'anti lockout' rule in Advanced Settings.
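An added illustration of the reply above, written for this page and not taken from the thread or from pfSense itself: a small Python model of a PC's forwarding decision next to a first-match, default-deny rule list per pfSense interface. It shows why a rule on LAN is never consulted for PC-to-PC traffic on a flat switched segment, why traffic to pfSense itself is filtered (with the automatic anti-lockout rule modelled as a single pass rule for TCP 443 at the top of the LAN list), and how putting each PC in its own VLAN forces the PC-to-PC traffic through the rules. All addresses, interface names and rules are constructed for the example.

```python
# Added example: models host forwarding versus per-interface firewall rules.
# Addresses, interface names and rules are constructed; nothing here is pfSense code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Host:
    name: str
    addr: str      # "ip/prefix" as configured on the PC, e.g. "192.168.1.10/24"
    gateway: str   # pfSense address on this PC's segment

    def ip(self) -> str:
        return str(ipaddress.ip_interface(self.addr).ip)

    def next_hop(self, dst: str) -> str:
        # The PC's own forwarding decision: an on-link destination is reached
        # directly (ARP, then the switch); only off-link traffic goes to the gateway.
        if ipaddress.ip_address(dst) in ipaddress.ip_interface(self.addr).network:
            return "direct"
        return self.gateway


@dataclass
class Rule:
    iface: str                   # pfSense interface the packet arrives on
    action: str                  # "pass" or "block"
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any port


class Firewall:
    """Per-interface rule list, first match wins, default deny."""

    def __init__(self, interfaces: dict, rules: list):
        # interfaces: name -> pfSense's own "ip/prefix" on that interface
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.own = {str(i.ip) for i in self.ifaces.values()}
        self.rules = rules

    def ingress(self, src: str) -> str:
        a = ipaddress.ip_address(src)
        for name, i in self.ifaces.items():
            if a in i.network:
                return name
        raise ValueError(f"{src} is not on any pfSense interface")

    def decide(self, src: str, dst: str, dport: Optional[int] = None) -> str:
        iface = self.ingress(src)
        d = ipaddress.ip_address(dst)
        for r in self.rules:
            if r.iface == iface and d in r.dst and (r.dport is None or r.dport == dport):
                return r.action
        return "block"


def evaluate(src: Host, dst: str, fw: Firewall, dport: Optional[int] = None) -> tuple:
    """(path, verdict). A packet the PC delivers directly to another PC never
    touches pfSense, so no rule can apply; packets addressed to pfSense itself
    or routed through it are filtered on the ingress interface."""
    if src.next_hop(dst) == "direct" and dst not in fw.own:
        return ("direct", "not filtered")
    return ("via pfSense", fw.decide(src.ip(), dst, dport))


# Scenario 1: the asker's setup, every PC on one switch in 192.168.1.0/24.
flat_fw = Firewall(
    {"LAN": "192.168.1.1/24"},
    [Rule("LAN", "pass", ipaddress.ip_network("192.168.1.1/32"), 443),  # automatic anti-lockout rule
     Rule("LAN", "block", ipaddress.ip_network("192.168.1.0/24")),      # admin's intent, never consulted PC-to-PC
     Rule("LAN", "pass", ANY)],
)
flat_a = Host("pc-a", "192.168.1.10/24", "192.168.1.1")

# Scenario 2: one VLAN per PC, anti-lockout disabled, pfSense routes between them.
vlan_fw = Firewall(
    {"VLAN10": "192.168.10.1/24", "VLAN20": "192.168.20.1/24"},
    [Rule("VLAN10", "pass", ipaddress.ip_network("192.168.10.1/32"), 443),   # pc-a may use the WebUI
     Rule("VLAN10", "block", ipaddress.ip_network("192.168.20.0/24")),      # but not reach pc-b
     Rule("VLAN10", "pass", ANY),
     Rule("VLAN20", "block", ipaddress.ip_network("192.168.20.1/32"), 443), # pc-b: no WebUI
     Rule("VLAN20", "block", ipaddress.ip_network("192.168.10.0/24")),
     Rule("VLAN20", "pass", ANY)],
)
vlan_a = Host("pc-a", "192.168.10.10/24", "192.168.10.1")
vlan_b = Host("pc-b", "192.168.20.10/24", "192.168.20.1")

if __name__ == "__main__":
    print("flat pc-a -> pc-b        :", evaluate(flat_a, "192.168.1.11", flat_fw))
    print("flat pc-a -> pfSense:443 :", evaluate(flat_a, "192.168.1.1", flat_fw, 443))
    print("vlan pc-a -> pc-b        :", evaluate(vlan_a, "192.168.20.10", vlan_fw))
    print("vlan pc-a -> internet    :", evaluate(vlan_a, "8.8.8.8", vlan_fw))
    print("vlan pc-b -> pfSense:443 :", evaluate(vlan_b, "192.168.20.1", vlan_fw, 443))
```

The flat case returns "not filtered" for pc-a to pc-b no matter what the LAN rules say, which is the asker's symptom; the same PCs in separate VLANs hit the block rule because their next hop is now pfSense. The flat scenario also shows the WebUI reaching "pass" through the anti-lockout rule before the block rule is ever reached, which is why the reply says it has to be disabled first.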

