Netgate Discussion Forum

    How do I stop workstations from communicating across the lan?

    11 Posts 6 Posters 2.7k Views
      firewalluser

      Got a Linux workstation and a Windows workstation and I'm trying to prevent them from seeing each other, but they should still be able to get out on the net for some services if they need to for updates.

      What's the best way to achieve this? I've tried a few things but have not been successful.

      LAN rules:
      UDP port 53 (DNS) to the firewall is allowed for each workstation, which seems to work, but the additional rules I've put in to allow any proto to WAN subnet and WAN address for ports 80 & 443 don't work.

      What am I doing wrong?

      TIA.

      2.0.3 AMD 64 release.

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

        dhatz

        Well, as long as they're both connected to the same Ethernet switch, there isn't much pfSense can do …

        One way would be to put each workstation in a different VLAN.

          kejianshi

          Get a $20 Gigabit NIC card off eBay.
          Install it.
          Enable it as OPT1 on a separate subnet from the other.
          Set up your block rules to prevent your first and second subnets from passing traffic to each other.

            firewalluser

            OK, thanks for confirming my suspicion that separate LANs are the only way forward.


              arch113

              I have several VLANs set up. I would like all VLANs to be able to get out on the net, but not see each other.

              Current rules for one of the VLANs (vlan10 interface tab):

              Pass/Deny   Proto    Source       Port   Dest         Port   Gateway
              Block       IPv4 *   vlan10 net   *      vlan20 net   *      *
              Pass        IPv4 *   vlan10 net   *      *            *      *

              Computers in vlan10 can still ping computers in vlan20.

              How should this be setup instead?

              Thanks

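Both rule sets in this thread (kejianshi's two-subnet recipe and arch113's vlan10/vlan20 table) depend on how pfSense evaluates them: every GUI rule is installed as a pf `quick` rule that applies to traffic entering the interface whose tab it sits on, the first match wins, an unmatched packet is dropped by the default deny, and protocol `IPv4 *` includes ICMP. The following model is an added example written for this page, not pfSense code or anyone's posted configuration; the subnet prefixes, the interface names `vlan10`/`vlan20`/`vlan30`, the firewall address and the `Rule`/`Packet` types are assumptions. It replays arch113's two rules against a ping, shows that reversing their order or putting the block on the other VLAN's tab lets the ping through, and generalizes the pattern to a per-interface table of "DNS to the firewall, block every other local subnet, then pass any", which is what an internet-only VLAN needs (the pass rule's destination has to be `any`; the WAN subnet and WAN address only cover the firewall's own WAN segment, not the internet).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "*"  # pfSense "any" / "IPv4 *"

# Constructed addressing: the thread names VLAN10/VLAN20 but gives no prefixes.
VLAN10_NET = "10.0.10.0/24"
VLAN20_NET = "10.0.20.0/24"
VLAN30_NET = "10.0.30.0/24"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "*" = any protocol, else "tcp" / "udp" / "icmp"
    src: str           # CIDR or "*"
    dst: str           # CIDR or "*"
    dport: str = ANY   # destination port as a string, or "*"


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet ENTERS pfSense on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and rule.dport in (ANY, str(pkt.dport)))


def evaluate(rulesets: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Action of the first matching rule on the ingress interface.

    pfSense installs GUI rules as pf 'quick' rules: first match wins, only the
    rules of the interface the packet arrives on are consulted, and anything
    unmatched is dropped by the default deny.  pf is stateful, so only the
    connection-opening packet is evaluated; the reply needs no rule.
    """
    for rule in rulesets.get(pkt.iface, []):
        if _matches(rule, pkt):
            return rule.action
    return "block"  # implicit default deny


def to_pf(iface: str, rule: Rule) -> str:
    """Approximate pf.conf rendering of one GUI rule (pfSense adds 'quick' itself)."""
    proto = "" if rule.proto == ANY else f" proto {rule.proto}"
    port = "" if rule.dport == ANY else f" port {rule.dport}"
    src = "any" if rule.src == ANY else rule.src
    dst = "any" if rule.dst == ANY else rule.dst
    return f"{rule.action} in quick on {iface}{proto} from {src} to {dst}{port}"


def isolation_rules(my_net: str, other_local_nets: List[str], firewall_ip: str) -> List[Rule]:
    """One interface's table: DNS to the firewall, block every other local
    subnet, then pass the rest (internet).  The pass-any rule must be LAST."""
    rules = [Rule("pass", "udp", my_net, firewall_ip + "/32", "53")]
    rules += [Rule("block", ANY, my_net, net) for net in other_local_nets]
    rules.append(Rule("pass", ANY, my_net, ANY))
    return rules


# arch113's vlan10 table as posted: block vlan10 -> vlan20, then pass vlan10 -> any.
ARCH113_VLAN10 = [Rule("block", ANY, VLAN10_NET, VLAN20_NET),
                  Rule("pass", ANY, VLAN10_NET, ANY)]

PING_10_TO_20 = Packet("vlan10", "icmp", "10.0.10.5", "10.0.20.5")
WEB_10_TO_NET = Packet("vlan10", "tcp", "10.0.10.5", "203.0.113.10", 443)


def rules_as_posted() -> str:
    # "IPv4 *" covers ICMP, so the ping hits the block rule.
    return evaluate({"vlan10": ARCH113_VLAN10}, PING_10_TO_20)


def rules_reversed() -> str:
    # Same two rules with pass-any first: the block rule is never reached.
    return evaluate({"vlan10": list(reversed(ARCH113_VLAN10))}, PING_10_TO_20)


def block_on_wrong_interface() -> str:
    # Block placed on the vlan20 tab, pass-any on vlan10: the ping enters on
    # vlan10, so only vlan10's rules are consulted and the block never fires.
    rs = {"vlan10": [Rule("pass", ANY, VLAN10_NET, ANY)],
          "vlan20": [Rule("block", ANY, VLAN10_NET, VLAN20_NET)]}
    return evaluate(rs, PING_10_TO_20)


if __name__ == "__main__":
    print("as posted:", rules_as_posted())                  # block
    print("reversed:", rules_reversed())                    # pass
    print("wrong interface:", block_on_wrong_interface())   # pass
    for r in isolation_rules(VLAN10_NET, [VLAN20_NET, VLAN30_NET], "10.0.10.1"):
        print(to_pf("vlan10", r))
```

On the firewall itself the equivalent check is to list the loaded ruleset with `pfctl -sr` (Diagnostics > Command Prompt) and confirm that the block rule appears on the ingress interface, above the pass-any rule; pfSense names VLAN interfaces there by their OS name (for example `em1_vlan10`, an assumed name) rather than the GUI label. Because pf is stateful, a block in only one direction is enough to stop new connections from that side, but hosts on vlan20 can still reach vlan10 unless the vlan20 tab carries its own block rule.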
                phil.davis

                Assuming those rules are on vlan10, that should work to block access from vlan10 to vlan20.
                I'm not sure what to ask about your config, as it should be quite simple, like you show.
                Do a traceroute and make sure the traffic is actually going through pfSense. But I suppose it has to if the 2 computers are in different subnets, there shouldn't be a way for it to magically jump across inside the vlan switch.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  kejianshi

                  What sort of switch is this hooked up to?

                    daniev

                    @arch113:

                    Computers in vlan10 can still ping computers in vlan20.

                    If you use ping, that's the ICMP protocol, and your rule doesn't block it.

                      arch113

                      @kejianshi:

                      What sort of switch is this hooked up to?

                      Cisco Catalyst 3750G

                        kejianshi

                        "Do a traceroute and make sure the traffic is actually going through pfSense. But I suppose it has to if the 2 computers are in different subnets, there shouldn't be a way for it to magically jump across inside the vlan switch."

                        I was concerned that maybe you were using a switch that ignored tagging, but it seems you are not.
                        I don't know. I like the recommendation above.

                        Also, this could be very important:
                        "Assuming those rules are on vlan10, that should work to block access from vlan10 to vlan20"

                        Can you do screen captures and post the actual pfsense firewall menus relevant to this so that we can see that not only do you have correct rules built but they are also built on the correct interfaces?

                          arch113

                          I think I've got it now. I have been 'playing' with different packages for several weeks now (installing, uninstalling, etc.), so I decided to reinstall the server with a fresh load and restore from backup, and now the rules seem to work. I will do more tests before going into production in the next week or so.

                          Thanks for all your help.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.