Blocking access of user on the same subnet

oragon · Oct 20, 2012, 6:26 PM

how do i block a user from different ip in accessing another one the same subnet? For example, user on 192.168.1.1 is not permitted to access the 192.168.1.2. thanks for the reply

gderf · Oct 20, 2012, 6:35 PM

If both machines are connected to the same switch, and the switch is uplinked to the firewall, then traffic between the two machines is not controlled by the firewall because it never goes thru it.

oragon · Oct 20, 2012, 6:53 PM

thanks for the reply. yes they are both connected to the same switch which is turn connected to the pc with pfsense installed in it. The reason for the question is because I want my wifi (captiveportal) users not to have access to the LAN of our shop. Right now I am running pfsense on VMWARE with one NIC only. I guess, the other way to block the access to each other if I add another NIC which is dedicated to the wifi. Any other thoughts?

johnpoz · Oct 20, 2012, 8:45 PM

Yes your going to need more than 1 segment if you want to isolate traffic between segments. There is no way to filter traffic between users on the same segment at pfsense which is just the gateway OFF the segment.

You could filter between interfaces that were a bridge - but you would still need another interface if you wanted to go that route.

oragon · Oct 20, 2012, 9:11 PM

thanks johnpoz.

Guest · Nov 30, 2012, 7:56 PM

You could go a little crazy with DHCP if you wanted. If the users are not admins, then on the DHCP you can hand out a specific IP and lock it down via subnet mask. It's a cheaper way of lan segregation. I'm horrible at subnetting but with a little googling you could get this done.

cmb · Nov 30, 2012, 9:15 PM

@heavy1metal:

You could go a little crazy with DHCP if you wanted. If the users are not admins, then on the DHCP you can hand out a specific IP and lock it down via subnet mask. It's a cheaper way of lan segregation. I'm horrible at subnetting but with a little googling you could get this done.

Don't do that. That accomplishes nothing. You need proper segregation, using VLANs, or a separate physical network.

Guest · Dec 3, 2012, 4:14 PM

To better educate myself, what would subnetting computers risk? The biggest risk I can think of is a foreign PC physically connecting, but wouldn't it pose equal if not more threat to VLANs?

"That accomplishes nothing." - I assume you imply it is a weak method of segregating and not that it does nothing correct?

I'm only ankle high (if that) in the world of networking but I don't want to recommend wrong information or better yet - use the bad knowledge. I simply like to understand why more than just being told "no / won't work," helps me retain the knowledge.

cmb · Dec 3, 2012, 11:24 PM

Right, it doesn't accomplish what the OP wants to accomplish in any effective fashion.

First, it's really ugly. Some OSes will accept something silly like a /32 mask and still ARP their default gateway even though that's technically wrong behavior (shouldn't ARP things that aren't on a locally-connected subnet on Ethernet), but some won't. So it won't work for every OS.

Second, it does nothing for a number of the risks introduced by a compromised machine. ARP poisoning tools, anything else at layer 2, potentially amongst other things.

The biggest issue is it does nothing to provide real isolation. Anyone who can reconfigure a machine or plug in something else can get to whatever they want. Provides absolutely no protection at layer 2.

In short - separating hosts with something that's ugly, ineffective, and easily gotten around, isn't a solution.