Client needs internet access but no local network access



  • Hello,
    what is the easiest way to give one specific client internet access but prevent any other traffic with other clients on the LAN?
    greetings


  • Netgate

    A managed switch and private VLAN.  Your issue is at layer 2 (switch) not at layer 3 (pfSense/router).



  • You can tick 'Deny unknown clients' in your DHCP settings and set the MAC address of the specific client you want to have access in the bottom part of the same config page. Then just create a single rule to only allow that one IP out in your firewall rules.


  • Rebel Alliance Global Moderator

    muswellhillbilly, reread the OP question.  pfSense has NO control over a client talking to other clients on that segment.  pfSense as layer 3 router/firewall only comes into play when the client wants OFF the segment they are on.

    As Derelict stated, if you need to control what a client can do with other clients on that segment... say your client A is 192.168.1.14/24 and you don't want him talking to 192.168.1.15/24, then private VLANs on your switch could solve that problem.

    Or you would have to firewall at the host level to prevent communication between them, or you would have to put the 1 host you want to just have internet on its own VLAN that is different than the other clients - then pfSense could control the traffic.

    Other option would be, hate to say it, a bridge.  Where the 1 client you want to isolate is on a different interface than the normal 192.168.1.0/24 and pfSense could then firewall that traffic.  Private VLANs would be the way to do this - what switch do you have OP?



  • In other words, pfSense can filter among broadcast domains but cannot filter within one.
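The point made in the two replies above (a layer 3 firewall only sees traffic that leaves a broadcast domain) can be checked with a small reachability model. This is an added illustration, not code from the thread or from pfSense; the hosts, addresses, VLAN numbers and the "pass internet, block private" rule set are constructed for the example, and for simplicity the same rule set is applied on every internal interface.

```python
# Added illustration (not from the thread): a reachability model showing why a
# layer-3 firewall such as pfSense can filter traffic that crosses between
# broadcast domains but never sees traffic that stays inside one.
# All hosts, addresses and VLAN numbers below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Private address space; anything outside it is treated as "the internet".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Host:
    name: str
    address: str          # IPv4 address with prefix, e.g. "192.168.1.14/24"
    vlan: Optional[int]   # None = only reachable through the router (internet)

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(self.address)


def same_broadcast_domain(a: Host, b: Host) -> bool:
    """Two hosts share a broadcast domain when they are on the same VLAN and
    the same IP subnet: the switch forwards the frame directly and the router
    is never on the path, so no firewall rule on the router can apply."""
    return (a.vlan is not None and a.vlan == b.vlan
            and a.iface.network == b.iface.network)


def isolated_vlan_policy(dst: ipaddress.IPv4Address) -> str:
    """Hypothetical rule set for the isolated client's interface: pass
    anything bound for the internet, block every private destination.
    Stands in for a 'pass to !RFC1918' rule followed by the default deny."""
    if any(dst in net for net in RFC1918):
        return "block"
    return "pass"


def decision(src: Host, dst: Host) -> str:
    """Fate of a packet from src to dst:
    'switch'       - delivered at layer 2, firewall never consulted
    'pass'/'block' - verdict of the router's rule set (simplified: the same
                     policy is applied on every internal interface)."""
    if same_broadcast_domain(src, dst):
        return "switch"
    return isolated_vlan_policy(dst.iface.ip)


# Constructed scenario: client A starts on the shared LAN next to client B,
# then is moved to its own VLAN 50 so that the router sits between them.
CLIENT_B = Host("client B", "192.168.1.15/24", vlan=1)
CLIENT_A_ON_LAN = Host("client A (shared LAN)", "192.168.1.14/24", vlan=1)
CLIENT_A_ISOLATED = Host("client A (own VLAN)", "192.168.50.14/24", vlan=50)
# 203.0.113.0/24 is a documentation range, used here as a stand-in internet host.
INTERNET = Host("internet host", "203.0.113.10/24", vlan=None)


def summary() -> dict:
    """Verdict for each (source, destination) pair in the scenario."""
    return {
        ("A on LAN", "B"): decision(CLIENT_A_ON_LAN, CLIENT_B),
        ("A on LAN", "internet"): decision(CLIENT_A_ON_LAN, INTERNET),
        ("A isolated", "B"): decision(CLIENT_A_ISOLATED, CLIENT_B),
        ("A isolated", "internet"): decision(CLIENT_A_ISOLATED, INTERNET),
    }


if __name__ == "__main__":
    for (src, dst), verdict in summary().items():
        print(f"{src:11} -> {dst:9}: {verdict}")
```

Running it shows the two outcomes the thread describes: with A and B on the same VLAN and subnet the verdict is "switch" (the rule set is never evaluated, which is why only a private VLAN or a host firewall helps there), while once A sits on its own VLAN the router sees the traffic and the rule set blocks A to B yet still passes A to the internet.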



  • @Derelict:

    A managed switch and private VLAN.  Your issue is at layer 2 (switch) not at layer 3 (pfSense/router).

    Or an extra network card in pfSense for those specific clients.