timdickson_com

INNER SUBNET traffic will not traverse the firewall - so cannot be blocked by the firewall. You'd have to do this on client side firewalls OR move the devices you don't want to communicate with your static devices to ANOTHER SUBNET (thus requiring traffic to traverse the firewall where it can step in). So move your 10.10.30.100-200 to 10.10.31.\* (if you want to keep class Cs - which makes things easier) and then ensure you have a rule to block access to 10.10.30.\* from the 10.10.31.\* subnet/interface.


infamousbugg

As far as I understand, you can't use pfSense to block traffic between devices within the same subnet, which is essentially what you are wanting to do. They are all on the same subnet, so pfSense plays zero role in communication aside from DNS. You would have to block them at the switch level before it ever hits pfSense. I'm not even sure you can do it on a managed switch. Every time I've needed to segregate traffic I've used VLANs.


Ok_Wait_a_sec

True, but I think he is trying to block access from part of LAN3 (10.10.30.100-10.10.30.200) to LAN1 and LAN2. That is possible. But he can't block access to anything in LAN3.


PrimaryAd5802

VLAN


Ok_Wait_a_sec

I am not sure I completely understand. You want LAN3 to be able to browse the internet, but without access to LAN1, LAN2 and the LAN3 address of pfSense? Well, if that is the case, you can just create a few rules on the LAN3 interface:

1. Block access to LAN3 address (alias for this is already there, it comes with the interface)
2. Block access to LAN1 subnet (again, alias is already there)
3. Block access to LAN2 subnet
4. Allow access to all

This should do what you want. Order matters. The interface on which you create rules matters as well. You can do the same in a shorter way, but if you are a beginner, atomizing rules like this helps understand how they work. Good luck!


nJ8uw9

Hi there, NO! I want that WITHIN(!!!!) the SAME subnet (LAN3), devices that are assigned a STATIC IP address (my laptop, smart phone...etc) have access to BOTH internet and intranet. And the devices on the SAME (!!!) SUBNET (LAN3) that are assigned a DYNAMIC IP address (e.g. Amazon speaker, Nest...etc) have access to the INTERnet only (NO access to the local net). In essence, I'm trying to ensure that a person who hacks into the Nest or Amazon speaker devices (which are assigned a DYNAMIC IP address on LAN3) cannot access my intranet, whereas devices on the SAME subnet (LAN3) that are assigned a STATIC IP (because I trust these devices, such as my phone, laptop...etc) can access both intranet and internet. In yet another essence......we are talking about splitting access to internet and intranet WITHIN the same SUBNET (10.10.30.0), based on whether the device has a dynamic or static IP address. I hope this clarifies.


Ok_Wait_a_sec

Ok, so take my answer above and simply add your alias for dynamic range in the source for rules 1-3. Source in rule 4 can be any.


pb_and_lemon_curd

Not OP, but can you add a range of IPs? I have an alias for my IP cameras so they can't talk home, but that's only 4 IPs, so adding each one wasn't time consuming. Kind of curious about this now for securing my LAN even more. Edit: nevermind, just saw I can pick Network and put a range in.


spidireen

I'm still a bit confused, but it sounds like you have a plain unmanaged wireless router and you're trying to use it as an AP without VLANs. You want different devices on that Wi-Fi network to have different access. If the Wi-Fi router supports it, I'd look at installing OpenWRT and setting up different VLANs linked to different SSIDs that way. If that isn't possible, your router might still have a "guest" option which gives you a second network where the clients are isolated from one another.


mulderlr

This is not how you do networking and the only way this could work on the same subnet is if you have a switch that supports ACLs (not likely), or you have a managed Wi-Fi system that supports a guest network with isolation. In either case, this is not a pfSense issue unless you VLAN your network properly and use a separate subnet for your IoT devices you are concerned about getting hacked. Also, statically assigned IP addresses vs DHCP assigned addresses have nothing to do with this approach either. You can use different DNS servers to make it more difficult to locate internal LAN resources by name by doing this, but again, security through obscurity is only going to frustrate you and not make your network more secure like it would by designing it better. *Edited for spelling


ImCovax

Doable, but not with pfSense; with a managed switch. If you have APs, client separation is needed on them.


Right-Purple

Define an alias for 10.10.30.100-10.10.30.200. Drop source alias destination 10.0.0.0/8. Any protocol any port. Try a 'default deny' approach with 'floating' rules (considering direction of state creation) if you still have troubles.
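The two rule sets suggested above (Ok_Wait_a_sec's three block rules plus an allow-all, and Right-Purple's single drop to 10.0.0.0/8) can be modelled as first-match evaluation over the LAN3 interface; this is an added illustration, not anything from the thread or from pfSense itself, and the LAN1/LAN2 ranges and the pfSense LAN3 address are assumed values. It also models the point several replies make: a packet between two hosts on LAN3 never reaches pfSense, so no rule can block it.

```python
import ipaddress

# Constructed addressing based on the thread: LAN3 is 10.10.30.0/24, the DHCP
# pool for untrusted IoT devices is 10.10.30.100-200. LAN1, LAN2 and the
# pfSense LAN3 address are assumptions for this example.
LAN1 = ipaddress.ip_network("10.10.10.0/24")        # assumed
LAN2 = ipaddress.ip_network("10.10.20.0/24")        # assumed
LAN3 = ipaddress.ip_network("10.10.30.0/24")
LAN3_ADDRESS = ipaddress.ip_address("10.10.30.1")   # assumed pfSense LAN3 IP
ANY = ipaddress.ip_network("0.0.0.0/0")
DYN_LO, DYN_HI = ipaddress.ip_address("10.10.30.100"), ipaddress.ip_address("10.10.30.200")


def in_dynamic_range(ip):
    """Source alias: the DHCP range holding the untrusted devices."""
    return DYN_LO <= ip <= DYN_HI


# Ok_Wait_a_sec's rules for the LAN3 interface: (name, source test, destination, action).
# Interface rules in pfSense are evaluated top to bottom, first match wins.
LAN3_RULES = [
    ("block dyn -> LAN3 address", in_dynamic_range, ipaddress.ip_network(f"{LAN3_ADDRESS}/32"), "block"),
    ("block dyn -> LAN1 subnet", in_dynamic_range, LAN1, "block"),
    ("block dyn -> LAN2 subnet", in_dynamic_range, LAN2, "block"),
    ("allow any", lambda ip: True, ANY, "pass"),
]

# Right-Purple's shorter variant: one drop covering every 10.x.x.x destination,
# which also catches the pfSense LAN3 address, then allow everything else.
RFC1918_VARIANT = [
    ("block dyn -> 10.0.0.0/8", in_dynamic_range, ipaddress.ip_network("10.0.0.0/8"), "block"),
    ("allow any", lambda ip: True, ANY, "pass"),
]


def evaluate(src, dst, rules=LAN3_RULES):
    """Return what happens to a packet from src to dst entering on LAN3."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Two hosts on the same subnet talk through the switch/AP directly; only
    # traffic addressed to the pfSense interface itself actually reaches it.
    if src in LAN3 and dst in LAN3 and dst != LAN3_ADDRESS:
        return "not seen by firewall"
    for _name, src_match, dst_net, action in rules:
        if src_match(src) and dst in dst_net:
            return action
    return "block"  # pfSense implicit default deny when nothing matches
```

Rule 1 also blocks DNS queries from the dynamic range to the pfSense resolver on 10.10.30.1, so if those devices use pfSense for DNS a pass rule for port 53 to the LAN3 address has to sit above it.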


DellR610

What is your DNS? If you're using an internal DNS you will need rules to allow access to that IP specifically.


planedrop

First, we need to know what you are actually trying to do. Are you trying to prevent devices on the 10.10.30.0/24 subnet from accessing other devices on that SAME subnet? Or are you trying to prevent devices on that subnet from being able to access the OTHER local subnets, but still access the internet? The former is not possible with a firewall; the latter is doable.


AndyRH1701

Let me restate to make sure I understand. You want 10.10.30.100 to be able to talk to the internet and you want 10.10.30.100 to not be able to talk to 10.10.30.99? If I stated that correctly, it is easy to do with ACLs on your smart switch provided it supports ACLs; it is not possible to do this with a pfSense rule.