Isolate clients from a network

Started by Robertomcat, Today at 01:59:30 PM

Hello, good morning.

I currently have three physically segmented networks: Wi-Fi, LAN, and MQL. All devices within the LAN and Wi-Fi have access to MQL, and I've created a rule for the MQL network to not have access to other networks.

But when I try to create a rule to prevent devices within MQL from communicating with each other within the same network, the devices are unable to access web pages, but they can ping DNS servers and services.

This is the rule, and I have it before the Internet outbound rule. What procedure am I doing wrong?

Action: Block
Interface: MQL
Direction: in
Source: MQL net
Destination: MQL net

Can you post the full ruleset for MQL net?

In general, devices on the same network can directly access each other. The traffic won't pass through the router, and therefore your rule won't prevent the devices on the same network from talking to each other.

Is the client DNS set to the MQL router IP? I would assume that the clients can't resolve anything with those rules, since access to the DNS is blocked.
Deciso DEC740

Quote from: patient0 on Today at 05:05:55 PM
Can you post the full ruleset for MQL net?
This rule prevents access to 192.168.1.0/24 - 192.168.2.0/24 - 192.168.18.0/24 from the MQL network:
Action: Block
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: "aliases"


And this other rule grants Internet access:
Action: pass
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: any

I only have these two rules. The others are the ones OPNsense uses by default, plus the ones CrowdSec created, but those are all hidden in the drop-down menu.

Today at 07:25:04 PM #3 Last Edit: Today at 07:27:18 PM by BrandyWine
When would any packets destined to a host on the local network ever get to the FW? Never. You can run a host-based FW ruleset to stop the hosts from being able to talk to each other.

There's also a "trick" where you use .1q between the FW and a large # port switch, where each host is in its own VLAN ID (one switch port per ID), thus the only way two hosts can talk to each other would be to ride .1q to the FW and then back to the switch, but you would apply FW rules accordingly. Not 100% sure this would work with OPNsense.
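A small Python model of the point patient0 and BrandyWine make above, added here and not code from the thread or from OPNsense: traffic between two MQL clients is switched at layer 2 and never reaches the MQL interface, so the "MQL net -> MQL net" block rule only ever matches traffic addressed to the firewall itself, such as DNS queries to the gateway. The MQL subnet 192.168.30.0/24, its gateway at .1 acting as DNS server, and the order of the three rules are assumptions; the alias networks are the ones posted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the MQL subnet and its gateway (the OPNsense MQL
# interface, assumed here to also be the clients' DNS server) are
# assumptions; the alias networks are the ones listed in the thread.
MQL_NET = ipaddress.ip_network("192.168.30.0/24")
MQL_GW = ipaddress.ip_address("192.168.30.1")
ALIASES = [ipaddress.ip_network(n)
           for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.18.0/24")]


@dataclass
class Rule:
    name: str
    action: str   # "block" or "pass"
    dst: object   # an ip_network, a list of them, or "any"

    def matches(self, dst_ip):
        if self.dst == "any":
            return True
        nets = self.dst if isinstance(self.dst, list) else [self.dst]
        return any(dst_ip in n for n in nets)


# The poster's rules on the MQL interface, direction "in", source "MQL net",
# in the order described: the intra-MQL block sits above the pass rule.
RULES = [
    Rule("block MQL net -> MQL net", "block", MQL_NET),
    Rule("block MQL net -> aliases", "block", ALIASES),
    Rule("pass MQL net -> any", "pass", "any"),
]


def decide(src, dst):
    """Fate of a packet from MQL client `src` to `dst`: (verdict, rule name)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in MQL_NET:
        raise ValueError("model only covers clients inside MQL net")
    # A peer in the same /24 is reached directly through the switch; the
    # packet is never sent to the gateway, so no MQL-interface rule runs.
    if dst in MQL_NET and dst != MQL_GW:
        return ("switched, firewall not consulted", None)
    # Anything addressed to the firewall itself (DNS on the gateway IP) or to
    # another subnet does arrive on the MQL interface; first match wins.
    for rule in RULES:
        if rule.matches(dst):
            return (rule.action, rule.name)
    return ("block", "OPNsense default deny")  # no explicit rule matched
```

Dropping the first rule restores DNS to the gateway, but as the verdict for a peer address shows, no rule on the firewall can isolate two MQL hosts from each other; that has to be done on the switch (per-port VLANs) or on the hosts themselves.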