How do I stop workstations from communicating across the lan?

firewalluser

Got a linux workstation and a windows workstation and I'm trying to prevent them from seeing each other but can still get out on the net for some services if they need to for updates.

Whats the best way to achieve this as I've tried a few things but not been successful.

Lan rules:
UDP port 53 (DNS) to the firewall is allowed for each workstation which seems to work but additional rules I've put in to allow any proto to Wan subnet and Wan address for ports 80 & 443 dont work.

What am I doing wrong?

TIA.

2.0.3 AMD 64 release.

dhatz

Well, as long as they're both connected to the same Ethernet switch, there isn't much pfSense can do …

One way would be to put each workstation in a different VLAN.

kejianshi

Get a $20 Gigabit NIC card off off ebay.
Install it.
Enable it as OPT1 on a separate subnet than the other.
Set up your block rules to prevent your 1st and second subnet from passing traffic.

firewalluser

Ok thanks for confirming my suspicion that separate lans is the only way forward.

arch113

I have several VLANS setup.  I would like all VLANS to be able to get out on the net, but not see each other.

current rule for one of the VLANs is:
Pass/Deny    Proto          Source          Port          Dest         Port         Gateway
Block           ipv4*          vlan10 net     *            vlan20 net   *             *
Pass            ipv4*          vlan10 net     *              *             *             *

Computers is vlan10 can still ping computers is vlan20.

How should this be setup instead?

Thanks

phil.davis

Assuming those rules are on vlan10, that should work to block access from vlan10 to vlan20.
I'm not sure what to ask about your config, as it should be quite simple, like you show.
Do a traceroute and make sure the traffic is actually going through pfSense. But I suppose it has to if the 2 computers are in different subnets, there shouldn't be a way for it to magically jump across inside the vlan switch.

kejianshi

What sort of switch is this hooked up too?

daniev

@arch113:

Computers is vlan10 can still ping computers is vlan20.

If you use ping it's ICMP protocol and your rule don't block it.

arch113

@kejianshi:

What sort of switch is this hooked up too?

Cisco Catalyst 3750G

kejianshi

"Do a traceroute and make sure the traffic is actually going through pfSense. But I suppose it has to if the 2 computers are in different subnets, there shouldn't be a way for it to magically jump across inside the vlan switch."

I was concerned that maybe you were using a switch that ignored tagging but seems you are not.
I don't know.  I like the recommendation above.

Also, this could be very important:
"Assuming those rules are on vlan10, that should work to block access from vlan10 to vlan20"

Can you do screen captures and post the actual pfsense firewall menus relevant to this so that we can see that not only do you have correct rules built but they are also built on the correct interfaces?

arch113

I think I got it now, I have been 'playing' with different packages for several weeks now (installing, uninstalling, etc), I decided to reinstall the server with a fresh load and restore from backup, now the rules seem to work.  I will do more test before going into production in the next week or so.

Thanks for all your help.