Netgate Discussion Forum

    Isolate Each device on network

      manada

      Hello Everyone,

      I'm looking for a way to block sniffing on the network, so I was looking for some ideas, like giving each IP a VLAN to avoid network scans, or kicking any device off the network if it didn't log in.

      Or another idea, I don't know if it can be done: give a different IP subnet to MACs added on the captive portal!

      Thanks in advance

        johnpoz LAYER 8 Global Moderator @manada

        @manada While sure you could put every device into their own vlan..

        Really what you're asking has anything to do with pfsense. Sure if you have lots of vlans they could be routed through pfsense.

        But devices sniffing traffic on their own network has nothing to do with pfsense, and pfsense has zero way to stop that.

        Look for private vlans and wifi via client or ap or L2 isolation is different names given.

        Keep in mind you understand sniffing on any switch, the sniffer isn't going to see traffic between client A and B.. They will see traffic sent to mac of the sniffer, be this unicast or they will see multicast and broadcast traffic. This isn't the days of the hub where you could see all traffic..

        For someone to actually sniff traffic on a switch, they really need access to the switch to create a span port, or they in some way need to exploit the switch to be able to see really anything other than multicast or broadcast traffic, or their own traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          GPinzone @johnpoz

          @johnpoz What he's describing can be done by putting devices on a guest network using an inexpensive router. It's not unreasonable to think pfSense could do something that a cheap router with poor support can also do.

            johnpoz LAYER 8 Global Moderator @GPinzone

            @gpinzone again you can for sure put devices on their own vlan. My point is pfsense has zero control over devices on the same network talking to each other.

            If you put them on different vlans - then yes pfsense controls the traffic between those vlans.

            How do you think "guest" network works on a soho router - it's a different vlan..

            If his goal is stopping devices from sniffing traffic on their own vlan - pfsense has no control over that. That would be done on your switching and or wireless infrastructure with L2 isolation.

            But again - sniffing on a switch does not show you all traffic anyway. It would just be multicast or broadcast traffic, or traffic to and from the device doing the sniffing. You wouldn't see unicast traffic from A to B, if you're on device C. Unless something has been done on the switch to send traffic from other ports to C mac. Or out the port it's connected to. This would require config of the switch for span or mirrored port, or something has gone wrong with the switch via an error or an exploit.


            1 Reply Last reply Reply Quote 0
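
The switch behaviour discussed in this thread, as an added example that is not from any of the posters or from pfSense: a toy model of a MAC-learning switch that reports which frames reach a sniffer on port 3, first on a plain switch and then with L2 (client) isolation. The port numbers, MAC addresses and frame list are constructed, and the isolation rule (client ports may only exchange frames with the uplink) is a simplified assumption about how private VLAN or client isolation behaves.

```python
# Added illustration: toy learning switch (not pfSense or vendor code).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports, uplink=None, isolate=False):
        self.ports = list(ports)
        self.uplink = uplink      # port facing the router/firewall
        self.isolate = isolate    # True = L2 / client isolation enabled
        self.mac_table = {}       # learned MAC -> port

    def _allowed(self, in_port, out_port):
        # With isolation, client ports may only exchange frames with the uplink.
        return not self.isolate or self.uplink in (in_port, out_port)

    def forward(self, in_port, src, dst):
        """Return the set of ports the frame is delivered to."""
        self.mac_table[src] = in_port                  # learn source MAC
        is_group = int(dst.split(":")[0], 16) & 1      # broadcast/multicast bit
        if not is_group and dst in self.mac_table:
            out = {self.mac_table[dst]}                # known unicast: one port
        else:
            out = set(self.ports)                      # flood to all ports
        out.discard(in_port)
        return {p for p in out if self._allowed(in_port, p)}

def seen_by(switch, frames, sniffer_port):
    """Replay frames; return labels of those delivered to sniffer_port."""
    return [label for label, in_port, src, dst in frames
            if sniffer_port in switch.forward(in_port, src, dst)]

# Constructed sample: A on port 1, B on port 2, sniffer C on port 3, router on 4.
A, B, C, GW = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
               "02:00:00:00:00:0c", "02:00:00:00:00:01")
FRAMES = [
    ("A arp broadcast", 1, A, BROADCAST),
    ("B arp reply to A", 2, B, A),
    ("A unicast to B", 1, A, B),
    ("B unicast to A", 2, B, A),
    ("A mdns multicast", 1, A, "01:00:5e:00:00:fb"),
    ("GW unicast to C", 4, GW, C),
]

if __name__ == "__main__":
    print("plain switch:", seen_by(Switch([1, 2, 3, 4]), FRAMES, 3))
    print("isolated:", seen_by(Switch([1, 2, 3, 4], uplink=4, isolate=True), FRAMES, 3))
```

On the plain switch the sniffer port receives only the broadcast, the multicast and the frame addressed to C; with isolation enabled it receives only the frame coming from the uplink.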
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.