Client isolation

Guest · Apr 7, 2012, 4:52 PM

Is it possible to make "client isolation" (that no computer can talk to eachother but they can connect to internet) on pfSense, I want this on my wired network?

Thanks

mibovrd · Apr 7, 2012, 5:04 PM

Loads of ways.

Physical Electrical Isolation ;) Different interfaces.

VLAN's

PPPoE is usually the easiest I would think.

VLAN's with PPPoE?

Guest · Apr 7, 2012, 5:16 PM

Ok im just starting learning pfSense so where can I learn this?

I have heard of VLANs is it possible to set up pfSene to hand out sepearate VLANS
to each client connecting? I hope I dont need to set up a managed switch?

How will VLAN`s with PPPoE work/setup?

Thanks!

cmb · Apr 7, 2012, 8:04 PM

on a wired network that's dependent on your switch, the firewall can't prevent them from talking to each other. What options you have depends on what switch you have and has no relation to the firewall. PPPoE in and of itself doesn't prevent hosts from talking to each other on the same switch. You must have a managed switch to accomplish this.

wallabybob · Apr 7, 2012, 10:41 PM

@Bebopper:

is it possible to set up pfSene to hand out sepearate VLAN`S
to each client connecting?

No.

@Bebopper:

I hope I dont need to set up a managed switch?

Then you need a separate interface in pfSense for every computer you want isolated from the others.

mibovrd · Apr 8, 2012, 3:53 AM

VLAN's and PPPoE seem to be a touchy subject around here. I find very few answers on this board. I think you might have to pay for help.
I think the complexity that can occur may be the cause, and that the simple solutions are often the best. However I still think you should have got a better answer than you did.
You really do have to have a managed switch, and even then it has to be one that can support all things you may require.
VLAN Trunking and/or VLAN tagging. Even then you have to make sure hat the VLAN's can't route between each other.
This can be a simple mistake like adding an ip to the VLAN Trunk on a switch. This changes it's behaviour from Layer 2 to 3 and the switch will route to that VLAN from all others. If you have to put an IP there then you have to introduce acl's to block the traffic. This can be all undone with a multi homed computer or router that routes out side the switch.
Vlan tagging has it's problems too, if your switch doesn't support tagging then it will possibly strip the tag's, and all of your nic's have to support it too.
I'm not sure about the PPPoE server, not sure how many pfSense people use it, but you have to make sure All traffic from the PPPoE client (your servers) use only the PPPoE connetion, and again it has to go through a switch that will support it.

Sorry not much help.

Guest · Apr 8, 2012, 11:33 AM

Ok

In pfSense: The Definitive Guide will it be explained how to set up VLAN`s?

Maybe the thing for me is to use DD-WRT with wireless clients and use AP isolation mode, then I will get full client isolation?

Thanks again!

stephenw10 · Apr 8, 2012, 11:58 AM

@Bebopper:

In pfSense: The Definitive Guide will it be explained how to set up VLAN`s?

Yes.

@Bebopper:

Maybe the thing for me is to use DD-WRT with wireless clients and use AP isolation mode, then I will get full client isolation?

If you add a supported wireless card to pfSense you can do that directly.

Steve

cmb · Apr 8, 2012, 12:02 PM

@Bebopper:

In pfSense: The Definitive Guide will it be explained how to set up VLAN`s?

Yes, including the switch config on several different vendors' switches, and explanation of VLANs in general.

wallabybob · Apr 8, 2012, 12:13 PM

@Bebopper:

Maybe the thing for me is to use DD-WRT with wireless clients and use AP isolation mode, then I will get full client isolation?

Are you thinking of changing all your wired clients to wireless clients? If not, how will this help you get "full client isolation"?

pfSense wireless interfaces have an option: Allow intra-BSS communication described like this: When operating as an access point, enable this if you want to pass packets between wireless clients directly. Disabling the internal bridging is useful when traffic is to be processed with packet filtering. Perhaps Disabling pfSense option Allow intra-BSS communication will achieve something like AP isolation mode in DD-WRT (I know little about DD-WRT).

Guest · Apr 8, 2012, 1:10 PM

Yes if AP isolate mode in pfSense or in DD WRT will do this wireless in a very easy way, im gonna use wireless on all my computers since I want client isolation for my whole network.

stephenw10 · Apr 8, 2012, 4:10 PM

@wallabybob:

Perhaps Disabling pfSense option Allow intra-BSS communication will achieve something like AP isolation mode in DD-WRT (I know little about DD-WRT).

Exactly, this is the same option.

Steve