Netgate Discussion Forum

    Client isolation?

      louis-m

      not 100% related to pfsense but i'm sure somebody on here will know.
      my friend has a 50 bedroom hotel and wants to provide wired access to each room so client isolation comes into the equation.
      easy with wireless but wired? first thought is to put every room on a separate vlan but 50 vlans (1 per room?)
      anybody come across this before? we are looking at 3 x 24 port zyxel managed switches to a pfsense firewall.

      regards,
      louis

        GruensFroeschli

        Yes, I have done that before.
        We used it for a LAN party, so that everyone that comes the first time and isn't registered yet is in its own VLAN.
        Additionally he's blocked from the internet by the captive portal, but all the "big" antivirus pages were on the passthrough IP list. (To update anti-virus definitions).
        After registration and check by a staff if his antivirus is up to date and a full-scan-log his port/MAC gets moved to the public VLAN.

        I don't think that you need anything from the pfSense for your scenario.
        So just rules on the switch.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          blak111

          There is also a feature on cisco switches called private VLANs and public VLANs.
          All of the members of the private VLAN (clients) can only communicate with the machines on a public VLAN (pfsense).
          It might be worth looking to see if the zyxel switches support it to avoid creating many separate VLANs.

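The private VLAN arrangement blak111 describes above, sketched as an added example that is not part of any post in this thread: Cisco Catalyst IOS syntax with one isolated secondary VLAN shared by all room ports and a promiscuous port facing the pfSense firewall. The VLAN IDs, interface names and descriptions are constructed, and it assumes a switch model that supports private VLANs.

```text
! Constructed example: VLAN IDs and interface names are placeholders.
! Private VLANs require VTP transparent mode under VTP v1/v2.
vtp mode transparent
!
! Secondary VLAN: isolated ports cannot exchange frames with each other.
vlan 101
 private-vlan isolated
!
! Primary VLAN: carries traffic between the promiscuous port and the rooms.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Room ports: every room shares the same isolated VLAN, so one
! secondary VLAN covers all rooms instead of one VLAN per room.
interface range GigabitEthernet1/0/1 - 23
 description hotel-room-ports
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Port toward the pfSense LAN interface: promiscuous, reachable by all rooms.
interface GigabitEthernet1/0/24
 description uplink-to-pfsense
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verify with:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport
```

Isolation across several switches depends on every switch carrying the same primary and secondary VLAN pair and on the links between them trunking both VLANs. Because the separation is enforced at layer 2 only, the firewall should also block traffic from the room subnet back to the room subnet so that nothing is relayed between rooms through the gateway.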
            louis-m

            yeah i like the thought of that...
            a primary vlan with secondary vlans within that can only communicate with the primary vlan. just wondering if an ACL would work on the port, e.g. only allow anything on the port to communicate with IP of gateway.

              blak111

              It depends on if the switch has the capability to filter layer 3 traffic like that. I don't have experience with the Zyxel switches so I'm not sure if they are capable of that.

                johnjces

                Quick question... as I am pretty stupid when it comes to this, but...

                so client isolation comes into the equation. easy with wireless

                Can this be done with pfSense and wireless Access Points? If so, how? Or where to search. I've Googled but really never found anything.

                TIA!

                John

                  Efonnes

                  johnjces:
                  Some access points have a feature you can enable to do that and pfSense also has a simple checkbox to do it when it acts as the access point (with a wireless network card supporting access point mode in FreeBSD).  Any further discussion of this should probably go in a different thread.
