[Solved] Would firewall rules allow local traffic if client isolation is on
-
In the following scenario, a port off pfsense goes to an access point which has client isolation on.
Would a rule in pfsense then either allow or disallow devices to talk to each other on that segment allowing me to bypass (selectively?) client isolation?
-
Do you have an example of what you mean?
If clients A and B are on wireless and the AP has isolation on, the AP will not forward traffic between A and B.
If C is wired, then C and A can talk and C and B can talk, but there isn't a way to "route" from A to B via C when they're all in the same subnet.
-
If clients A and B are on wireless and the AP has isolation on, the AP will not forward traffic between A and B.
This is the scenario I mean. If I wrote a rule on the firewall saying to allow opt2 to opt2, would they be able to go
A-->AP-->Firewall-->AP-->B?
(Same AP, just can't really show that in text)
-
That traffic will never hit the firewall.
-
That traffic will never hit the firewall.
^this
Traffic in the same subnet goes via layer 2. In the case of wireless clients, that traffic would never leave the AP, let alone reach the firewall.
-
Ah ok, I was hoping that if it wasn't allowed at the switch level (or the AP) it would just get forwarded to the Firewall.
I need to get a better AP that allows for selective client isolation.
-
wireless selective client isolation?
So you want wireless client A to not be able to talk to B and C, but you want say B and C to be able to talk to each other?
I would just put the clients you don't want talking to each other on SSID 1 and turn on isolation, and the clients you want to talk to each other on SSID 2 and don't enable isolation.
If you put these SSIDs on different VLANs, then you can route that traffic through pfSense at layer 3 and allow whatever traffic you want, as selectively as you want, via the IP addresses of the clients in question.
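The layer 2 / layer 3 point made in the replies above (same-subnet traffic never reaches pfSense; separate VLANs make pfSense the hop where its rules apply), as an added example that is not from this thread: a small Python model of a sending host's on-link decision, an AP enforcing client isolation, a pfSense rule between two VLANs, and a receiver-side host firewall scope. Hosts A, B, C and D, their addresses, the `only_a_to_d` rule and the `LocalSubnet` scope value are all made up here for illustration.

```python
"""Added example, not from the thread: a toy model of where a packet between
two hosts actually goes, covering the sender's on-link/off-link decision, an
AP with client isolation, and pfSense routing between two VLANs. Names,
addresses and rules are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str          # e.g. "192.168.10.10"
    prefix: int      # e.g. 24
    gateway: str     # pfSense interface address on this VLAN
    wireless: bool   # True if the host associates to the AP

    @property
    def network(self):
        return ipaddress.ip_interface(f"{self.ip}/{self.prefix}").network


def next_hop(src, dst_ip):
    """Sender's routing decision: on-link destinations are reached directly at
    layer 2 (ARP, frame to the peer's MAC); anything else goes to the default
    gateway. pfSense only ever sees the second case."""
    return dst_ip if ipaddress.ip_address(dst_ip) in src.network else src.gateway


def ap_forwards(src, hop, isolation):
    """Client isolation as APs commonly implement it: wireless-client to
    wireless-client frames are dropped, wireless <-> wired (gateway included)
    pass. hop is None when the next hop is not a client (the gateway)."""
    return not (isolation and src.wireless and hop is not None and hop.wireless)


def host_rule_allows(dst, src_ip, remote_scope):
    """Receiver-side host firewall scope: 'LocalSubnet' accepts only peers on
    the receiver's own subnet (the scope the thread discusses for Windows file
    sharing); 'Any' accepts every source."""
    return remote_scope == "Any" or ipaddress.ip_address(src_ip) in dst.network


def deliver(hosts, src_name, dst_name, *, ap_isolation, pfsense_allows,
            dst_rule_scope="Any"):
    """Trace one packet; returns the boxes it passed through, ending with the
    receiver's name or a 'dropped ...' marker. Replies are not modelled."""
    by_name = {h.name: h for h in hosts}
    by_ip = {h.ip: h for h in hosts}
    src, dst = by_name[src_name], by_name[dst_name]
    path = [src.name]
    hop_ip = next_hop(src, dst.ip)
    hop = by_ip.get(hop_ip)          # None for the gateway address

    # Leg 1: source to next hop. The AP is on the path whenever either end of
    # this leg is a wireless client; this is where isolation is enforced.
    if src.wireless or (hop is not None and hop.wireless):
        path.append("AP")
        if not ap_forwards(src, hop, ap_isolation):
            return path + ["dropped by AP (client isolation)"]

    if hop_ip != dst.ip:
        # Off-link: pfSense routes between VLANs and applies its rules here.
        path.append("pfSense")
        if not pfsense_allows(src, dst):
            return path + ["dropped by pfSense rule"]
        if dst.wireless:             # gateway -> client is not isolated
            path.append("AP")

    if not host_rule_allows(dst, src.ip, dst_rule_scope):
        return path + [f"dropped by {dst.name} host firewall ({dst_rule_scope})"]
    return path + [dst.name]


# Constructed topology: guest VLAN 192.168.10.0/24 and a second VLAN
# 192.168.20.0/24, pfSense at .1 on each, one AP carrying both SSIDs.
HOSTS = [
    Host("A", "192.168.10.10", 24, "192.168.10.1", wireless=True),
    Host("B", "192.168.10.11", 24, "192.168.10.1", wireless=True),
    Host("C", "192.168.10.20", 24, "192.168.10.1", wireless=False),
    Host("D", "192.168.20.10", 24, "192.168.20.1", wireless=True),
]


def allow_all(src, dst):
    return True


def only_a_to_d(src, dst):
    """A pfSense rule permitting exactly one client pair across the VLANs."""
    return (src.ip, dst.ip) == ("192.168.10.10", "192.168.20.10")


if __name__ == "__main__":
    for s, d, pol, scope in [("A", "B", allow_all, "Any"),
                             ("A", "C", allow_all, "Any"),
                             ("A", "D", only_a_to_d, "Any"),
                             ("D", "A", only_a_to_d, "Any"),
                             ("A", "D", allow_all, "LocalSubnet")]:
        print(" -> ".join(deliver(HOSTS, s, d, ap_isolation=True,
                                  pfsense_allows=pol, dst_rule_scope=scope)))
```

Running it prints five traces. A to B on the same subnet dies at the AP and pfSense never appears in the path, whatever rule is configured; A to D on the other VLAN passes through pfSense, where `only_a_to_d` admits one direction and drops the other. The last trace is the caveat the thread raises: even after pfSense forwards the inter-VLAN packet, a receiver-side rule scoped to its local subnet still rejects it, so the host firewall has to be opened as well.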
-
That's what I'd do also. Put the untrusted clients on untrusted SSID with isolation and the others on an SSID that allows full communication.
-
That's what I'd do also. Put the untrusted clients on untrusted SSID with isolation and the others on an SSID that allows full communication.
That's what I would do too if I had control over the machines, but this is on my guest network (which is why I have client isolation on) and one machine needed to be able to do file shares to another. And putting them on two SSIDs wasn't possible, as the Windows Firewall doesn't like allowing that communication across subnets.
(If I controlled the machines I could change the Windows firewall to allow for this option, but then again, if I controlled the machines, they wouldn't be on the guest network to begin with)
Oh well, I'll either have to get an AP that does allow for selective isolation, or just tell them it's not possible unless they want to hardwire in.
-
I have never in all my years of networking and wireless before B even heard of this selective isolation you're talking about..
As to the Windows firewall not allowing communication across subnets?? What?? Where did you pick up that nugget of FUD??
So these users that want to share files don't even know how to manage their own firewalls?
Why don't you just create another SSID for them that doesn't have isolation on that is still isolated from your network?
-
The closest thing to selective isolation I have seen is Private VLANs that have the concept of promiscuous, isolated, and community ports. Trouble is, to have success, ALL devices participating need to understand private VLANs and, in particular, trunking them. Pretty easy to find switches that support it, but I have yet to see endpoint devices (such as multi-SSID APs) that understand them in any meaningful way.
You might be able to accomplish what you're looking for with multiple SSIDs, as has been said. Some APs have a setting to isolate one SSID but not another.
To be honest, you're asking a lot. You have isolation in the radios, in the switches, and on any uplinks, all have to play together and all have to know that Alice should be able to talk to Bob, Bob to Alice, but neither should be able to talk to Charlie - on the same layer 2 network.
-
While I agree that in, say, a hotel setting or Starbucks, isolation of clients is a good thing to do.. If you're on a network where users want to talk to each other over wireless, just create an SSID for them that does not have isolation on. Users that want to talk to each other use that SSID, users that don't want to talk to each other use the other SSID.
It really is that simple..
As Derelict stated, what you're asking for is pretty freaking complicated.. Now pretty much any modern managed switch will provide for private VLANs. Once you throw APs, or even multiple APs, into the mix, I've never seen it where you could selectively change the isolation and say client A could talk to B but B and A could not talk to C, etc..
-
I have never in all my years of networking and wireless before B even heard of this selective isolation you're talking about..
As to the Windows firewall not allowing communication across subnets?? What?? Where did you pick up that nugget of FUD??
From Windows itself. See the attached picture for the default private network SMB-In rule.
So these users that want to share files don't even know how to manage their own firewalls?
Not at all, these are people who would talk about Mozzarella Fox Fire.
Why don't you just create another SSID for them that doesn't have isolation on that is still isolated from your network?
The current setup doesn't support multi-SSID.
Either way, if it's not possible, it's not a problem. I was just asking if it was.
-
That is a setting in the firewall.. Change it.. Or have them turn it off; it's a host firewall, and if they don't know how to manage it, WTF are they running it for? ;)
So looks like you need to get new AP that support multiple ssid.
-
That is a setting in the firewall.. Change it.. Or have them turn it off; it's a host firewall, and if they don't know how to manage it, WTF are they running it for? ;)
So looks like you need to get new AP that support multiple ssid.
That's what I said…
The Windows firewall blocks file sharing between subnets.
I know you can change it.
These are users joining a guest network because I have no control over their computer. As far as the AP, I agree, but that wasn't the issue.
This whole thing was a yes/no question.
Everything else is fluff, heh. tl;dr I'm good, I got my answer. Thanks for all the info.
-
Ok to answer your question directly - NO!
There is no rule you can put in pfSense to control traffic for devices talking to each other on a segment. pfSense is a gateway off the network segment; it has nothing to do with devices talking amongst themselves.
-
Ok to answer your question directly - NO!
There is no rule you can put in pfSense to control traffic for devices talking to each other on a segment. pfSense is a gateway off the network segment; it has nothing to do with devices talking amongst themselves.
Thanks
(Though my question was actually answered on like the third or fourth post. The rest of the topic was about why I was asking, not what I was asking)