Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Questions regarding Layer 2 firewalling

    Scheduled Pinned Locked Moved Firewalling
    5 Posts 2 Posters 423 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      deanfourie
      last edited by

      I'm curious.

      Lately i've seen firewalls blocking Layer 2 traffic. For example, installing a printer on the LAN and no other machines can reach the printer, ping or web, nothing.

      Creating a firewall entry in the firewall from zone LAN to zone LAN to client printer allows the rest of the network ICMP and web etc to the printer now.

      I thought firewalling only took place for traffic moving through the firewall at Layer 3.

      How is this possible over layer 2 to actually firewall this traffic.

      I would have thought any client attempting to reach another client over layer 2 would simply use ARP to determine its destination to the host, and not go via the firewall at all?

      Thanks

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @deanfourie
        last edited by johnpoz

        @deanfourie said in Questions regarding Layer 2 firewalling:

        How is this possible over layer 2 to actually firewall this traffic.

        No it is not possible for device A on a layer 2 to firewall traffic between devices B and C.. The only way that is possible is if the traffic flows across a bridge..

        You might be in theory to use arp spoofing where you flood the network with the wrong mac an IP pointing to the firewall mac or just a bogus one.. What "firewalls" have you seen this exactly?

        When device A lets say 192.168.1.100/24 wants to talk to device B 192.168.1.101/24 for example, ie arps and says hey who has the address 192.168.1.101, and the device would replay hey thats me on mac aa:bb:cc:00:00:01 for example.. Then device A would send its traffic to that mac..

        Now if you flood the network with arp say .101 is at bb:cc:dd:00:00:02 for example you could prevent anything on that network from talking to .101.. Now in theory if this bb:cc:dd mac was actually the firewall, it could I guess send the traffic on to .101 correct mac.. But that would be a nightmare to try and manage, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        D 1 Reply Last reply Reply Quote 0
        • D
          deanfourie @johnpoz
          last edited by

          @johnpoz oh, ok that explains it then.

          I put the ports in a bridge.

          Why does this change it if the ports are bridged? Bridges are layer 2 arent they?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @deanfourie
            last edited by

            @deanfourie traffic flows over the bridge,

            A --- bridge -- B

            You can not stop devices both on side A, or on B - but you can stop devices from A talking to B, and B talking to A.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • D
              deanfourie
              last edited by

              Gotcha,

              Thank you!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.