I have been working with the firewall/router distribution pfSense for a while now and I have been trying to figure out how to "isolate" a server on my LAN from other computers on my LAN by using deny/reject LAN rules. I have tried adding a rule under Firewall->Rules->LAN that denies a device (my phone, for example, 192.168.1.102) from sending any TCP packets to my web server at 192.168.1.105. For some reason, the packets manage to get through. The odd part is that if I specify the router itself as the destination, and block the phone/computer from talking with it, it works. I have tested this with a wireless laptop and a wireless phone, both on the same subnet.

My topology is as follows:

(internet)->(modem)->(pfsense)->(wireless router /w switch)->(wired devices)
                                            |
                                        (Wireless laptop/phone)
| == wifi
-> == wire

Is it possible the wireless router/switch is just relaying the packets from my phone to the server and completely bypassing the firewall (explaining why my rule isn't working)? If so, how could I set it up so that all LAN traffic has to go through my firewall to talk to any other computer on the network?

Image of the web interface available here, as 3 rep won't let me post an image :(

user99545
2 Answers

If two hosts are on the same subnet, the traffic has no reason to go through the router. Your rules are never being applied. The two devices are connected to a switch (or some other Layer 2 networking hardware). Host A says "I want this traffic to go to Host B's IP" and your switch says "Ok, done."

UPDATE: If VLANs are an option, put each host in a separate VLAN. This way, you can enforce routing rules between them and achieve the logical separation you want.

Joel E Salas
  • How can I force it to go through (without ARP poisoning)? Would I need to use a separate NIC to do this? I don't know much about VLANs, but would they be appropriate in this situation? – user99545 Apr 26 '12 at 23:52
  • If you put each host in a separate VLAN, then you can enforce routing rules between them and achieve the logical separation you want. – Joel E Salas Apr 26 '12 at 23:56
  • You could also just put each device (or just the phone) in its own IP subnet, giving the router/firewall an IP address inside each subnet as well. They'd be in the same broadcast domain, so it wouldn't really be secure. But it would work unless the devices deliberately went around it and it wouldn't require a managed switch. (Note that this won't work with some non-standard WiFi setups such as *client bridge* modes provided by some open source firmware.) – David Schwartz Apr 27 '12 at 00:01
  • Another option would be to connect the server to another interface on the firewall, such as the DMZ interface or an optional interface. By nature, firewalls treat each interface as a distinct and separate network, using a different IP address range (network) than the other interfaces. The firewall would then be routing traffic between the devices on each interface, to which your firewall rules would then apply. – joeqwerty Apr 27 '12 at 00:11
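The point made in this answer and its comments, that a LAN rule is only consulted for traffic the firewall actually forwards (or receives itself), can be checked with a small model. The following is an added example, not code from the question, the answers or pfSense; the host names, the 192.168.2.0/24 "server VLAN" address and the rule list are assumptions chosen to mirror the question's 192.168.1.102 phone and 192.168.1.105 server. It models each host's forwarding decision with the standard library `ipaddress` module: a destination inside the sender's own subnet is reached at Layer 2 through the switch and never reaches the firewall, while a destination in another subnet (or the firewall's own address) is delivered to the firewall, where first-match rules apply.

```python
from ipaddress import ip_interface

# Constructed topologies. Addresses mirror the question; the segmented layout
# moves the server to an assumed second subnet/VLAN (192.168.2.0/24).
FLAT_LAN = {
    "phone":   ip_interface("192.168.1.102/24"),
    "server":  ip_interface("192.168.1.105/24"),
    "pfsense": ip_interface("192.168.1.1/24"),
}
SEGMENTED_LAN = {
    "phone":   ip_interface("192.168.1.102/24"),
    "server":  ip_interface("192.168.2.105/24"),   # assumed: own VLAN/subnet
    "pfsense": ip_interface("192.168.1.1/24"),     # firewall owns a leg in each subnet
}

# Constructed rule list in the order the pfSense GUI evaluates them (first match
# wins). The final catch-all models the default "LAN to any" allow rule.
RULES = [
    ("block", "192.168.1.102", "192.168.1.105"),   # the question's rule, flat LAN
    ("block", "192.168.1.102", "192.168.2.105"),   # same intent, segmented LAN
    ("block", "192.168.1.102", "192.168.1.1"),     # phone -> router, which the OP saw work
    ("pass",  "any",           "any"),
]


def firewall_sees(hosts, src, dst, firewall="pfsense"):
    """Return True if a packet from src to dst is handed to the firewall.

    A host consults its own routing table: if dst lies inside its directly
    connected network it ARPs for dst and the switch forwards the frame at
    Layer 2, so the firewall never sees it. Otherwise the packet goes to the
    default gateway (the firewall). Traffic addressed to the firewall itself is
    always seen, which is why the OP's "block phone -> router" rule works.
    """
    s, d = hosts[src], hosts[dst]
    if dst == firewall:
        return True
    return d.ip not in s.network


def evaluate(hosts, rules, src, dst):
    """Outcome for src -> dst: 'switched' (rules never evaluated), 'block' or 'pass'."""
    if not firewall_sees(hosts, src, dst):
        return "switched"
    src_ip, dst_ip = str(hosts[src].ip), str(hosts[dst].ip)
    for action, rule_src, rule_dst in rules:
        if rule_src in ("any", src_ip) and rule_dst in ("any", dst_ip):
            return action
    return "pass"   # no rule matched; real pf would apply its own default


if __name__ == "__main__":
    for name, hosts in (("flat", FLAT_LAN), ("segmented", SEGMENTED_LAN)):
        for dst in ("server", "pfsense"):
            print(f"{name:9} phone -> {dst:7}: {evaluate(hosts, RULES, 'phone', dst)}")
```

Running it reproduces the symptom: on the flat LAN the phone-to-server traffic comes back as `switched` (the block rule is never consulted) while phone-to-router is `block`; once the server sits in its own subnet behind the firewall, phone-to-server becomes `block` as well.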
Perhaps plugging the wired devices (I presume the server sits here) into the pfSense device would allow you to create Layer 3 segmentation. Alternatively, if you're running some high-end Cisco device, you could set up private VLANs.

bangdang