Topic: Switch with port isolation + OPNsense: Allow communication between devices (Read 31 times)
Apollo3zehn
Newbie
Posts: 2
Karma: 0
Switch with port isolation + OPNsense: Allow communication between devices
« on: Today at 09:22:00 pm »
Hi,
I am setting up a network with a switch and a firewall (OPNsense). Devices connected on the switch should generally not be able to communicate to each other except in rare cases. Internet access is provided by the firewall.
I thought it is a good idea to configure port isolation (private VLAN) on the switch so that port-to-port communication on the switch is forbidden and all communication must go through the firewall*. I would then, in theory, be able to configure a simple firewall rule to allow specific traffic, e.g. device 1 can access device 2 via SSH.
But that is not working. I don't know if it is a bug, wrong configuration or not possible by design. The problem is that packets that go from the switch to the firewall are not sent back, and so there is no communication between both connected devices.
My question is: Is it somehow possible to send packets back to the network interface they entered originally?
In case it matters: I have grouped most of the firewall's network interfaces into a transparent filtering bridge. With tcpdump I can see that packets entering on one interface are forwarded to all other interfaces except the one it entered originally.
I hope you can point me in the right direction (or tell me that this is not possible). Thanks in advance!
* I know that I can configure the switch to use "community ports" to allow specific devices to communicate with each other, but I would prefer to use the firewall as it allows much more fine-grained control over what is allowed and what not. Community ports would allow everything (all ports, all protocols), which is not desired.
Logged
Patrick M. Hausen
Hero Member
Posts: 6272
Karma: 533
Re: Switch with port isolation + OPNsense: Allow communication between devices
« Reply #1 on: Today at 09:26:45 pm »
A layer 3 firewall cannot filter traffic between hosts on the same network / prefix / broadcast domain (3 terms for the same thing). The hosts will try to communicate directly because source and destination are in the same network. They try and fail because of the switch. End of story. They never try to use the default gateway.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
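The following is an added example, not code from either poster or from OPNsense. It models the topology described in the question (hosts on isolated private-VLAN switch ports, the switch uplinked to one member of a transparent filtering bridge) together with the layer-3 decision Patrick's reply points at: a host only sends to the default gateway when the destination is outside its own prefix, otherwise it ARPs for the peer directly. The bridge rule follows the OP's tcpdump observation (a frame is forwarded to every other member, never back out the one it arrived on). Host names, interface names, and the RFC 5737 documentation addresses are constructed. The last case goes beyond the thread: it shows that hosts placed in different prefixes do hand their first frame to the firewall, so its rules get a chance to apply.

```python
"""Constructed model: isolated switch ports uplinked to an OPNsense transparent bridge.
Answers one question per case: does the device that must answer the sender's ARP
request for its next hop ever receive that request?"""
import ipaddress
from dataclasses import dataclass

SWITCH_UPLINK_IF = "lan1"                 # bridge member the switch's promiscuous uplink plugs into
BRIDGE_MEMBERS = ("lan1", "lan2", "lan3")  # transparent filtering bridge (constructed names)
FIREWALL_IPS = frozenset({"192.0.2.1", "198.51.100.1"})  # addresses the firewall holds on the bridge


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefix: str    # prefix the host believes it is in, e.g. "192.0.2.0/24"
    gateway: str   # its default gateway (one of FIREWALL_IPS)
    attach: str    # "switch" (isolated port) or a bridge member name such as "lan2"

    def next_hop(self, dst_ip: str) -> str:
        """Layer-3 decision made before any frame leaves the host: an on-link
        destination is ARPed for directly, anything else goes to the gateway."""
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.prefix, strict=False):
            return dst_ip
        return self.gateway


def flood_receivers(src: Host, hosts) -> set:
    """Devices that receive a broadcast frame (the ARP request) sent by src.
    Switch rule: an isolated port forwards only to the uplink port.
    Bridge rule: flood to every member except the ingress member (as seen in tcpdump).
    The firewall's own IP stack always sees frames entering the bridge."""
    ingress = SWITCH_UPLINK_IF if src.attach == "switch" else src.attach
    egress = {m for m in BRIDGE_MEMBERS if m != ingress}
    receivers = {"firewall"}
    for h in hosts:
        if h is src:
            continue
        if h.attach == "switch":
            # Reachable only if the bridge sends the frame back out the uplink member;
            # the promiscuous uplink then delivers it to every isolated port.
            if SWITCH_UPLINK_IF in egress:
                receivers.add(h.name)
        elif h.attach in egress:
            receivers.add(h.name)
    return receivers


def first_hop_reached(src: Host, dst_ip: str, hosts) -> bool:
    """True if the owner of src's next hop receives the ARP request. Without that,
    no packet, and therefore no firewall rule, ever comes into play."""
    nh = src.next_hop(dst_ip)
    if nh in FIREWALL_IPS:
        owner = "firewall"
    else:
        owner = next((h.name for h in hosts if h.ip == nh), None)
    return owner is not None and owner in flood_receivers(src, hosts)


# Constructed hosts: two on isolated switch ports, one cabled straight to bridge member lan2,
# and one switch host deliberately placed in a different prefix for the last case.
HOSTS = (
    Host("device1", "192.0.2.11", "192.0.2.0/24", "192.0.2.1", "switch"),
    Host("device2", "192.0.2.12", "192.0.2.0/24", "192.0.2.1", "switch"),
    Host("device3", "192.0.2.13", "192.0.2.0/24", "192.0.2.1", "lan2"),
    Host("device4", "198.51.100.20", "198.51.100.0/24", "198.51.100.1", "switch"),
)


def demo() -> dict:
    d1, d2, d3, d4 = HOSTS
    return {
        # The OP's problem: same prefix, both behind isolated ports -> ARP never comes back.
        "switch_to_switch_same_prefix": first_hop_reached(d1, d2.ip, HOSTS),
        # Peer on another bridge member: the bridge floods there, so it works.
        "switch_to_other_bridge_member": first_hop_reached(d1, d3.ip, HOSTS),
        # Off-link destination: next hop is the firewall, which sees every frame.
        "switch_to_off_link": first_hop_reached(d1, "203.0.113.10", HOSTS),
        # Beyond the thread: different prefixes make the firewall the first hop.
        "switch_to_switch_different_prefix": first_hop_reached(d1, d4.ip, HOSTS),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'first hop reached' if ok else 'ARP never answered'}")
```

Running it shows the only failing case is the one the question describes: two hosts in one prefix behind isolated ports. The model has no knob that makes that case succeed, because the sender never addresses the firewall at all; changing prefixes (the last case) is what moves the decision into the firewall's hands.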