Can Opnsense Manage Traffic Down the Network Stack?

Started by crash, May 05, 2023, 12:03:11 PM

Hey,
So I was wondering if something like what I have in mind is even a thing. Take the network here for example (assume all clients and OPNsense are on the same subnet and OPNsense is set as the default GW):

Can I manage traffic flow rules between clients through OPNsense?
I.e. can I block "Client A" from being able to talk to "Client B"?

I do know switching is done at the switch itself (so in the "A talking to B" scenario almost all (if not all) of the data passes through the switch itself and doesn't go to OPNsense (acting here as a firewall + router)).

So is there a way to set a routing rule on my OPNsense box that my switch will respect (like, is there a protocol or something I can set on my MikroTik switch so it follows routing rules from up above)?

Do I have to get into different routing protocols like OSPF or something?

I don't want everything to pass through the OPNsense box, just the switch to follow some rules.

If Client A and Client B are in the same subnet then OPNsense does not support MAC ACLs. MAC ACLs will be done on the switch. Routing protocols occur between different routers.

You can, however, treat every single client as a node and run something like BGP, which would then need to be installed on every client. You can then set up rules to say who can talk to whom.

I agree with the 1st reply; what you are asking for is not possible with any firewall. Hosts on the same network segment will be able to reach each other on layer 2 (your switch or access point) without touching the firewall.

If you are trying to create a small number of segments, that is exactly what VLANs are meant to accomplish. If you are trying to create a scenario where every client can only reach the firewall (and whatever its rules allow), then that would require some more thought.

Some WiFi systems have an option to prevent client-to-client communication, but of course that only helps for wireless. Fully managed switches can accomplish this, but it doesn't come naturally for them, so expect a pretty complex configuration.

A poor man's approach would be to run OpenVPN within your own network. You would create an OpenVPN server on your LAN interface, create firewall rules that block everything on the LAN interface except for OpenVPN traffic (to force the use of OpenVPN; this doesn't actually stop host-to-host), then configure the VPN client configs to not allow local LAN traffic and to block traffic even if the VPN is disconnected. This isn't true security: if any two clients simply closed OpenVPN they would then be able to communicate, but you can at least be sure that in such a state they would lose their internet access.
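To make the point from the replies concrete (a LAN firewall rule cannot block two hosts on the same subnet because the sender never hands the packet to the gateway, whereas putting them in separate VLANs/subnets forces the traffic through the router where rules apply), here is an added example that is not part of this thread and not OPNsense code. It models the routing lookup a sending host performs and a toy first-match firewall policy; all addresses, the VLAN numbering and the policy entries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    addr: str  # "ip/prefix", e.g. "10.0.0.11/24" (constructed sample values)

    @property
    def ip(self):
        return ipaddress.ip_interface(self.addr).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.addr).network


def host_forwarding_decision(src: Host, dst: Host) -> str:
    """Replicate the routing lookup the sending host itself performs.

    If the destination lies inside the sender's own subnet, the sender ARPs for it
    and the switch forwards the frame at layer 2; the gateway/firewall never sees it.
    Otherwise the packet is sent to the default gateway, where firewall rules apply.
    """
    if dst.ip in src.network:
        return "direct-l2"
    return "via-gateway"


# Constructed policy on the firewall's LAN interface: (src_net, dst_net, action).
# First match wins; no match falls through to "pass".
POLICY = [
    ("10.0.0.11/32", "10.0.0.12/32", "block"),   # flat-LAN attempt: Client A -> Client B
    ("10.0.10.0/24", "10.0.20.0/24", "block"),   # segmented attempt: VLAN10 -> VLAN20
]


def firewall_verdict(src: Host, dst: Host) -> str:
    """Evaluate the toy policy for a packet that actually reached the firewall."""
    for src_net, dst_net, action in POLICY:
        if src.ip in ipaddress.ip_network(src_net) and dst.ip in ipaddress.ip_network(dst_net):
            return action
    return "pass"


def evaluate(src: Host, dst: Host) -> dict:
    """Combine the host's forwarding decision with the firewall's verdict."""
    path = host_forwarding_decision(src, dst)
    if path == "direct-l2":
        # The packet never traverses the gateway, so the policy is irrelevant.
        verdict, reachable = "not-evaluated", True
    else:
        verdict = firewall_verdict(src, dst)
        reachable = verdict == "pass"
    return {"src": src.name, "dst": dst.name, "path": path,
            "firewall": verdict, "reachable": reachable}


def flat_lan_scenario() -> dict:
    # Both clients on one /24: the block rule exists but is never consulted.
    a = Host("Client A", "10.0.0.11/24")
    b = Host("Client B", "10.0.0.12/24")
    return evaluate(a, b)


def segmented_scenario() -> dict:
    # Clients on separate VLAN subnets: traffic is routed, so the rule takes effect.
    a = Host("Client A", "10.0.10.11/24")
    b = Host("Client B", "10.0.20.12/24")
    return evaluate(a, b)


if __name__ == "__main__":
    for result in (flat_lan_scenario(), segmented_scenario()):
        print(result)
```

The flat-LAN case shows that even a rule matching A and B exactly has no effect, because the decision to bypass the gateway is made on the sending host before any firewall is involved; only the segmented case yields a block. That is why the replies point to VLANs (or switch-side ACLs) rather than firewall rules for same-subnet isolation.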