Netgate Discussion Forum

Blocking access of user on the same subnet

Category: Firewalling
9 Posts 5 Posters 2.4k Views
oragon, Oct 20, 2012, 6:26 PM

    How do I block a user on one IP from accessing another on the same subnet? For example, the user on 192.168.1.1 is not permitted to access 192.168.1.2. Thanks for the reply.

gderf, Oct 20, 2012, 6:35 PM

    If both machines are connected to the same switch, and the switch is uplinked to the firewall, then traffic between the two machines is not controlled by the firewall because it never goes through it.

oragon, Oct 20, 2012, 6:53 PM

    Thanks for the reply. Yes, they are both connected to the same switch, which in turn is connected to the PC with pfSense installed on it. The reason for the question is that I want my WiFi (captive portal) users not to have access to the LAN of our shop. Right now I am running pfSense on VMware with one NIC only. I guess the other way to block access to each other is to add another NIC which is dedicated to the WiFi. Any other thoughts?

johnpoz (LAYER 8 Global Moderator), Oct 20, 2012, 8:45 PM

    Yes, you're going to need more than one segment if you want to isolate traffic between segments. There is no way to filter traffic between users on the same segment at pfSense, which is just the gateway OFF the segment.

    You could filter between interfaces that were bridged, but you would still need another interface if you wanted to go that route.

oragon, Oct 20, 2012, 9:11 PM

    Thanks johnpoz.

Guest, Nov 30, 2012, 7:56 PM

    You could go a little crazy with DHCP if you wanted. If the users are not admins, then on the DHCP you can hand out a specific IP and lock it down via subnet mask. It's a cheaper way of LAN segregation. I'm horrible at subnetting, but with a little Googling you could get this done.

cmb, Nov 30, 2012, 9:15 PM

    @heavy1metal:

    > You could go a little crazy with DHCP if you wanted. If the users are not admins, then on the DHCP you can hand out a specific IP and lock it down via subnet mask. It's a cheaper way of LAN segregation. I'm horrible at subnetting, but with a little Googling you could get this done.

                Don't do that. That accomplishes nothing. You need proper segregation, using VLANs, or a separate physical network.

Guest, Dec 3, 2012, 4:14 PM

    To better educate myself, what would subnetting computers risk? The biggest risk I can think of is a foreign PC physically connecting, but wouldn't it pose an equal if not greater threat to VLANs?

    "That accomplishes nothing." - I assume you imply it is a weak method of segregating and not that it does nothing, correct?

    I'm only ankle high (if that) in the world of networking, but I don't want to recommend wrong information or, worse, use the bad knowledge myself. I simply like to understand why, more than just being told "no / won't work"; it helps me retain the knowledge.

cmb, Dec 3, 2012, 11:24 PM

    Right, it doesn't accomplish what the OP wants to accomplish in any effective fashion.

    First, it's really ugly. Some OSes will accept something silly like a /32 mask and still ARP for their default gateway even though that's technically wrong behavior (they shouldn't ARP for things that aren't on a locally connected subnet on Ethernet), but some won't. So it won't work for every OS.

    Second, it does nothing for a number of the risks introduced by a compromised machine: ARP poisoning tools, anything else at layer 2, potentially amongst other things.

    The biggest issue is that it does nothing to provide real isolation. Anyone who can reconfigure a machine or plug in something else can get to whatever they want. It provides absolutely no protection at layer 2.

    In short, separating hosts with something that's ugly, ineffective, and easily gotten around isn't a solution.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
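Added example, not code from the thread, from pfSense, or from any of the posters: a small Python model of the forwarding decisions gderf, johnpoz and cmb describe above. Each host decides from its own configured mask whether a destination is on-link; on-link traffic is switched inside the VLAN and the firewall never sees it, while off-link traffic is handed to the gateway (pfSense as router-on-a-stick) and is subject to rules. The addresses, VLAN IDs and rules are constructed for illustration, the rule model is a deliberate simplification of pfSense's per-interface rule sets, and the /32 case assumes an OS that still ARPs for its gateway, which cmb notes is not universal.

```python
"""Model: which traffic a gateway firewall can see on a flat LAN vs. on VLANs."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """A station on the switch; ip carries the host's *own* configured mask."""
    name: str
    ip: str        # e.g. "192.168.1.50/24" (constructed addresses)
    vlan: int      # access VLAN of the switch port it is plugged into
    gateway: str   # default gateway handed out by DHCP

    def on_link(self, dst: str) -> bool:
        """Does the host's own stack think dst is directly reachable (ARP for it)?"""
        return ipaddress.ip_address(dst) in ipaddress.ip_interface(self.ip).network


@dataclass
class Firewall:
    """pfSense as router-on-a-stick: one gateway address per VLAN, plus rules.

    Rules are (ingress_vlan, destination_vlan, "allow"|"deny"), first match wins,
    default deny. This is a simplification of pfSense's per-interface rule sets,
    used only to show which traffic the firewall is in a position to filter.
    """
    interfaces: dict
    rules: list = field(default_factory=list)

    def permit(self, src_vlan: int, dst_vlan: int) -> bool:
        for ingress, dest, action in self.rules:
            if ingress == src_vlan and dest == dst_vlan:
                return action == "allow"
        return False


def deliver(src: Host, dst: Host, fw: Firewall) -> str:
    """Trace one packet from src to dst and report where it ends up."""
    dst_ip = str(ipaddress.ip_interface(dst.ip).ip)
    if src.on_link(dst_ip):
        # Host ARPs for dst directly. The switch forwards the frame inside the
        # VLAN and the firewall is simply not in the path (gderf's point).
        if src.vlan == dst.vlan:
            return "delivered via switch (firewall not in path)"
        return "dropped: ARP unanswered across VLANs"
    # Off-link: the host hands the packet to its gateway. Assumption: an OS that
    # ARPs for the gateway even when the mask makes it off-link too (/32 case).
    if fw.interfaces.get(src.vlan) != src.gateway:
        return "dropped: gateway not reachable on this VLAN"
    if dst.vlan not in fw.interfaces:
        return "dropped: firewall has no interface in destination VLAN"
    if fw.permit(src.vlan, dst.vlan):
        return "delivered via firewall (rule allowed)"
    return "dropped: firewall rule denied"


def scenarios() -> dict:
    """The thread's designs side by side (all values constructed)."""
    fw = Firewall(
        interfaces={1: "192.168.1.1", 20: "192.168.20.1"},
        rules=[
            (20, 1, "deny"),    # WiFi VLAN may not reach the shop LAN
            (1, 20, "allow"),   # shop LAN may reach WiFi
            (1, 1, "deny"),     # hairpin rule the /32 DHCP trick would rely on
        ],
    )
    shop_pc = Host("shop-pc", "192.168.1.10/24", vlan=1, gateway="192.168.1.1")
    # Flat LAN, one NIC: WiFi and shop share VLAN 1 and 192.168.1.0/24
    flat = Host("wifi-laptop", "192.168.1.50/24", vlan=1, gateway="192.168.1.1")
    # The DHCP /32 trick: same VLAN, host believes nothing is on-link
    mask32 = Host("wifi-laptop", "192.168.1.50/32", vlan=1, gateway="192.168.1.1")
    # Same laptop after its owner sets the mask back by hand (cmb's objection)
    reverted = Host("wifi-laptop", "192.168.1.50/24", vlan=1, gateway="192.168.1.1")
    # Proper segregation: WiFi on its own VLAN and subnet behind pfSense
    wifi_vlan = Host("wifi-laptop", "192.168.20.50/24", vlan=20, gateway="192.168.20.1")
    return {
        "flat": deliver(flat, shop_pc, fw),
        "mask32": deliver(mask32, shop_pc, fw),
        "mask32_reverted": deliver(reverted, shop_pc, fw),
        "vlan": deliver(wifi_vlan, shop_pc, fw),
        "lan_to_wifi": deliver(shop_pc, wifi_vlan, fw),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:16} {outcome}")
```

The `mask32` and `mask32_reverted` rows are the whole argument in two lines: the /32 trick only works as long as the host honours the mask it was handed, and the only thing enforcing that is the host itself. The `vlan` row is blocked by something the WiFi user cannot reconfigure, because the switch port's VLAN and the firewall rule both sit outside the client.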