Can you block LAN to LAN traffic?

  • I was wondering, is it possible to block, let's say, 10.1.1.1 from accessing 10.1.1.2 through pfSense 2.0? I would like to allow only the port traffic that is needed.

  • That is not possible; LAN to LAN traffic will never get to the firewall.

  • If you bridge multiple interfaces, you can put the 'bad' guys on one interface and then create firewall rules in pfSense.

  • @podilarius:

    That is not possible; LAN to LAN traffic will never get to the firewall.

    That's what I thought. Thanks for the reply.

  • @RonpfS:

    If you bridge multiple interfaces, you can put the 'bad' guys on one interface and then create firewall rules in pfSense.

    Only if you know the "bad" ones, and if they become good you have to move them. So you constantly are having to move cables around. Not too feasible. It is possible to do this, though.

  • You could probably put a 255.255.255.255 subnet mask on the PC that should not be able to access other PCs on the network, but this will not let the PC even see any broadcasts on your network, and it won't be able to access any servers on the LAN.

    The problem is you will probably still need to manually set this mask on each PC to be isolated, and try it on one machine before doing it to users.

    Also, this will mean any queries for the LAN are sent from the PC to your router. I haven't tried this, so I'm not certain whether the router would just forward everything to the relevant PCs on the LAN.

  • @podilarius:

    @RonpfS:

    If you bridge multiple interfaces, you can put the 'bad' guys on one interface and then create firewall rules in pfSense.

    Only if you know the "bad" ones, and if they become good you have to move them. So you constantly are having to move cables around. Not too feasible. It is possible to do this, though.

    With a VLAN you just change the switch configuration. Create 2 VLANs for basic "protected" and "access" networks, or go as far as putting each port on its own VLAN.

  • You could even go so far as using the built-in firewall that comes standard on most modern OSes to block everything except outbound traffic. If you are using Windows in a domain, you can even set a domain group policy to block all incoming traffic and allow only outbound.

    So many options!
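
Taking the built-in-firewall route from the post above, here is a PowerShell script (added here, not from the thread) that sets the Windows Firewall to block all inbound and allow outbound, then opens exactly one needed port for one LAN peer, and prints the resulting policy for verification. The peer 10.1.1.1, the port 3389, and the $PolicyStore value (local store or a "<domain>\<GPO name>" placeholder for the Group Policy variant) are assumptions for illustration.

```powershell
# Added example (not from this thread): lock down inbound on a host such as 10.1.1.2
# so only the traffic that is actually needed reaches it. This is the built-in
# Windows Firewall analogue of "block all incoming, allow only outbound".
# Assumptions (hypothetical): the host runs a service on TCP 3389 that only the
# admin workstation 10.1.1.1 needs. $PolicyStore is 'PersistentStore' for the
# local firewall, or the placeholder '<domain>\<GPO name>' to write the same
# settings into a domain Group Policy Object. Run from an elevated PowerShell.
param(
    [string]$PolicyStore = 'PersistentStore',   # e.g. '<domain>\<GPO name>' for GPO
    [string]$AllowedPeer = '10.1.1.1',
    [int]$AllowedPort    = 3389
)

# 1. Default policy on every profile: drop everything inbound, allow outbound.
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Punch exactly one hole: the needed port, only from the one peer that needs it.
New-NetFirewallRule -PolicyStore $PolicyStore `
    -DisplayName "LAN-allow $AllowedPeer tcp/$AllowedPort" `
    -Direction Inbound -Protocol TCP -LocalPort $AllowedPort `
    -RemoteAddress $AllowedPeer -Action Allow -Profile Domain,Private | Out-Null

# 3. Verify what is actually configured before rolling this out to users.
Get-NetFirewallProfile -PolicyStore $PolicyStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'LAN-allow *' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Enabled    = $_.Enabled
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = $addr.RemoteAddress
        }
    }
```

Test on one machine first, as the thread advises: with DefaultInboundAction set to Block, anything not listed in an explicit allow rule (including management traffic) stops working.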

  • Thanks everyone! Yes, I didn't think you could actually block LAN traffic unless using the OS firewall. However, we are going through PCI compliance and this is one of the questions that came up.

  • It is possible to attain this type of blocking, just not at the (layer 3) router/firewall level. It is accomplished in (layer 2) switches or APs at the access layer. In APs it is typically called client isolation, whereas in switches it will typically be called port isolation.

  • Yeah, you can do what you're wanting at the switch level. You just need a managed or smart switch that provides that functionality.

    Now, you can filter traffic between different LANs using pfSense, if your pfSense handles the routing between the multiple LAN segments. Or, I do believe, even if the pfSense bridges the 2 different physical networks, even if they are using the same IP ranges. But you would not be able to block traffic between devices on the same physical network.