Block access between computers on LAN



  • A simple question:
    How can you block access between computers on the LAN and still allow each computer access to WAN and the Internet? I have searched this forum and the Internet for a solution. I came across this guy who obviously is struggling with a similar problem: http://pnijjar.freeshell.org/2013/pfsense-isolate/ . His attempts seem very complex and he is not sure that his final solution is working properly.

    Is there a simple solution to this (seemingly) simple problem in pfSense? LAN rules? Aliases? A picture of a pfSense LAN rule table enabling this would be helpful.


  • Banned

    @Ip:

    How can you block access between computers on the LAN

    You cannot, the traffic will never hit the router.



  • That is the definition of LAN - it is a broadcast network. To do something you can try at layer 2. Have managed switches where you tell them which MAC address is allowed on which port. Even then, a smart user can spoof their MAC address…
    Alternatively, put every device on its own port on the router (physical or VLAN) with its own little subnet. Then they all have to route to talk to each other and pfSense can control it.



  • @phil.davis:

    That is the definition of LAN - it is a broadcast network. To do something you can try at layer 2. Have managed switches where you tell them which MAC address is allowed on which port. Even then, a smart user can spoof their MAC address…
    Alternatively, put every device on its own port on the router (physical or VLAN) with its own little subnet. Then they all have to route to talk to each other and pfSense can control it.

    Ok, if we forget about the correct definitions for a moment and just concentrate on what I want to achieve. I want to block communication between my computers and only let them have access to the Internet independently. Are you saying that this is impossible or impractical using firewall rules in pfSense? Do I need a hardware solution, separate NICs for each subnet, switches etc?



  • If you connect 2 clients to an unmanaged switch, then they can talk to each other, regardless of what else is on the switch (like a router of any brand).
    Layer 2 approach:
    If you use a managed switch, then, if it is smart enough, you can tell it which MAC addresses are allowed where, and which port/s can and cannot talk to other ports. It's been a few years since I did this sort of thing, so I am not up-to-speed with what brands/models of switch have all the functionality needed.
    You need to be able to define:
    "Master port" for pfSense router, that has permission to send/receive any MAC address and broadcast.
    "Client ports" that learn just the single MAC connected to them, broadcasts from them (like ARP) and any other packets transmitted are only echoed to "Master port" and not the other "Client ports" (so they cannot use ARP to learn about other clients, or even transmit at the MAC address level to another client)…

    Otherwise a layer 3 approach - every client (or trusted client group) goes in a separate subnet that is on a separate broadcast domain. pfSense firewalls between them.



  • @phil.davis:

    If you connect 2 clients to an unmanaged switch, then they can talk to each other, regardless of what else is on the switch (like a router of any brand).
    Layer 2 approach:
    If you use a managed switch, then, if it is smart enough, you can tell it which MAC addresses are allowed where, and which port/s can and cannot talk to other ports. It's been a few years since I did this sort of thing, so I am not up-to-speed with what brands/models of switch have all the functionality needed.
    You need to be able to define:
    "Master port" for pfSense router, that has permission to send/receive any MAC address and broadcast.
    "Client ports" that learn just the single MAC connected to them, broadcasts from them (like ARP) and any other packets transmitted are only echoed to "Master port" and not the other "Client ports" (so they cannot use ARP to learn about other clients, or even transmit at the MAC address level to another client)…

    Otherwise a layer 3 approach - every client (or trusted client group) goes in a separate subnet that is on a separate broadcast domain. pfSense firewalls between them.

    Thanks Phil for clarifying this to me. I guess that I have to add a third NIC to my pfSense PC. Is it possible to add a NIC without reinstalling pfSense or do I have to start from the beginning with a pfSense CD?



  • Just shut it down, add the NIC, boot it up, and go to Interfaces, Assign.



  • @dotdash:

    Just shut it down, add the NIC, boot it up, and go to Interfaces, Assign.

    Nice to hear! Thank you.



  • How about segmenting your LAN?
    Ex: If your LAN is 192.168.1.0/24
    you can have other subnets like 192.168.2.0/24 and 192.168.3.0/24 and isolate those subnets. Computers in 192.168.2.0/24 will not talk to 192.168.3.0/24.

    Another way is to have VLANs; you can do that using switches too.



  • If you want to block two computers from talking to each other via an independent firewall, you need to FORCE those two computers to have to go through the firewall. There are two simple ways to do this.

    1. Make your firewall the "switch". Don't use a different switch, but add a separate network card on your firewall for each computer that needs to connect. Then you can set firewall rules per interface to block the interfaces from talking.

    2. VLANs. Place each computer in its own VLAN so they can't talk to each other and register each VLAN with the firewall. This means having a different subnet for each computer.



  • Thank you for your help, all of you. When setting up pfSense I bought and installed two NICs. I have a third NIC on the motherboard. Now I have three interfaces: WAN, LAN and OPT1. I use firewall rules to block LAN from OPT1 and OPT1 from LAN. It is working great! My kid and his friends have a "LAN party" right now all on the OPT1 interface. My computers are isolated from them on the LAN interface 8)
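    As an added illustration of the working setup described above (this is not code from the thread or from pfSense itself), here is a small Python model of how pfSense evaluates rules: per ingress interface, top to bottom, first match wins, with an implicit default deny. It uses the LAN/OPT1 layout from the last post and the 192.168.x.0/24 addressing suggested earlier; the subnet values and the 203.0.113.0/24 "Internet" address are constructed assumptions. It also shows why the block rule must sit above the allow-any rule.

```python
import ipaddress

# Constructed subnets (assumption): LAN and OPT1 as in the final post.
NETS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
}

# Correct ordering: the inter-segment block sits ABOVE the pass-any rule.
RULES_CORRECT = {
    "LAN":  [("block", "LAN net", "OPT1 net"), ("pass", "LAN net", "any")],
    "OPT1": [("block", "OPT1 net", "LAN net"), ("pass", "OPT1 net", "any")],
}

# Common mistake: pass-any first, so the block rule below it never matches.
RULES_MISORDERED = {
    "LAN":  [("pass", "LAN net", "any"), ("block", "LAN net", "OPT1 net")],
    "OPT1": [("pass", "OPT1 net", "any"), ("block", "OPT1 net", "LAN net")],
}


def _matches(selector, addr):
    """'any' matches everything; '<IFACE> net' matches that interface's subnet."""
    if selector == "any":
        return True
    return addr in NETS[selector.split()[0]]


def ingress_iface(addr):
    """Interface a packet arrives on, inferred from its source subnet."""
    for name, net in NETS.items():
        if addr in net:
            return name
    return None


def decide(rules, src_ip, dst_ip):
    """First-match evaluation on the ingress interface's rule list.
    No match (or unknown ingress) falls through to pfSense's default deny.
    Reply traffic is not modelled here; pf is stateful and allows it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_iface(src)
    for action, s, d in rules.get(iface, []):
        if _matches(s, src) and _matches(d, dst):
            return action
    return "block"


if __name__ == "__main__":
    print(decide(RULES_CORRECT, "192.168.1.10", "192.168.2.10"))   # block
    print(decide(RULES_CORRECT, "192.168.1.10", "203.0.113.5"))    # pass
    print(decide(RULES_MISORDERED, "192.168.1.10", "192.168.2.10")) # pass
```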

