Isolate Each device on network
-
Hello Everyone,
I'm looking for way to block sniffing on network so I was looking for some idea like to give each IP VLAN to avoid scan network or kick out any device from network if he didn't login.
or another idea I don't know if it can be done like give different IP subnet for added MACs on captive portal!!!!!
Thanks in advance
-
@manada While sure you could put ever device into their own vlan..
Really what your asking has anything to do with pfsense. Sure if you have lots of vlans they could be routed through pfsense.
But devices sniffing traffic on their own network has nothing to do with pfsense, and pfsense has zero way to stop that.
Look for private vlans and wifi via client or ap or L2 isolation is different names given.
Keep in mind you understand sniffing on any switch, the sniffer isn't going to see traffic between client A and B.. They will see traffic sent to mac of the sniffer, be this unicast or they will see multicast and broadcast traffic. This isn't the days of the hub were you could see all traffic..
For someone to actually sniff traffic on a switch, they really need access to the switch to create a span port, or they in someway need to exploit the switch to be able to see really anything other than multicast or broadcast traffic, or their own traffic.
-
@johnpoz What he's describing can be done by putting devices on a guest network using an inexpensive router. It's not unreasonable to think pfSense could do something that a cheap router with poor support can also do.
-
@gpinzone again you can for sure put devices on their own vlan. My point is pfsense has zero control over devices on the same network talking to each other.
If you put them on different vlans - then yes pfsense controls the traffic between those vlans.
How do you think "guest" network works on a soho router - its a different vlan..
if his goal is stopping devices from sniffing traffic on their own vlan - pfsense has no control over that. That would be done on your switching and or wireless infrastructure with L2 isolation.
But again - sniffing on a switch does not show you all traffic anyway. It would just be multicast or broadcast traffic, or traffic to and from the device doing the sniffing. You wouldn't see unicast traffic from A to B, if your on device C. Unless something has been done on the switch to send traffic from other ports to C mac. Or out the port its connected to. This would require config of the switch for span or mirrored port, or something has gone wrong with the switch via an error or an exploit.
