Restricting access to guests in LAN

I plan to reserve 4 ports of the 24+ port switch for in-house guests for connecting to the LAN via cable.
They will get their IP from local DHCP in the same subnet as the rest of the LAN.
They may:

Thx

You create a VLAN for all guests, then add the guest ports to this VLAN; do the same with a guest Wi-Fi of its own.
Then you make filter rules.

I do not recommend at all mixing in a Layer 2 firewall. Do a VLAN and stick to Layer 3 routing/firewall. Make it simple.

Thanks, yes, KISS principle is always good.
But are you suggesting the use of multiple firewalls on the device (L2 FW and L3/4 FW)?
Since I already need to use the ACL FW for normal LAN users, I was thinking that I should handle all FW stuff in just one ROS location and avoid the use of multiple FWs (as there are FW filters under at least 4 different locations possible in ROS, IIRC).
A stateless FW, i.e. without conntrack, is OK for me (I just hope it will be enough, as up till now on Linux clients I mostly used iptables with some minimal conntrack). I mean somehow eliminating the conntrack usage, i.e. using a similar substitute built from some clever rules, maybe with some packet marking, if possible.
This all is still in the early planning phase as I haven’t used the ACL yet.

As you see, many others replied to your post that you should not use an L2 firewall. You then need to handle MAC/IP addresses one by one.
How do you know someone does not fake a MAC so they get moved to the other side of the firewall?
One way to handle that is 802.1X. It will give you much more work, and not all devices support it, like printers/IoT etc., so then you need to manually handle MACs with MAB (MAC based authentication).

Go for VLAN/Routing.
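
The VLAN-plus-L3-filter setup recommended in this thread, written out as an added example (not posted by anyone in the thread, and not an official MikroTik configuration). It assumes RouterOS, as "ROS" above suggests, an existing bridge named bridge1 that already carries the normal LAN untagged (PVID 1) with the router's LAN address on it, ether1 as the WAN port, and ether21 to ether24 as the four guest ports; the names, VLAN id 20 and the 192.168.20.0/24 range are made up for the example.

```routeros
# Added example, not from the thread. Assumed names: bridge1 (existing LAN bridge),
# ether1 (WAN), ether21-ether24 (guest ports), VLAN 20, 192.168.20.0/24.

# 1. Guest ports become untagged access ports in VLAN 20. Refusing tagged frames
#    on them means a guest cannot tag its own traffic into another VLAN.
/interface bridge port
set [find interface=ether21] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether22] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether23] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether24] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 2. Bridge VLAN table: VLAN 20 leaves the guest ports untagged and reaches the
#    router CPU (bridge1 itself) tagged, so a VLAN interface can sit on it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether21,ether22,ether23,ether24

# 3. Layer 3 interface for the guest VLAN, with its own subnet and DHCP server.
#    Guests are therefore NOT in the LAN subnet any more; isolation is done by routing.
/interface vlan
add name=vlan20-guest interface=bridge1 vlan-id=20
/ip address
add address=192.168.20.1/24 interface=vlan20-guest
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.250
/ip dhcp-server
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 4. Interface lists keep the firewall rules readable and independent of port names.
/interface list
add name=LAN
add name=GUEST
add name=WAN
/interface list member
add list=LAN interface=bridge1
add list=GUEST interface=vlan20-guest
add list=WAN interface=ether1

# 5. The actual guest policy, all in /ip firewall filter (one place, as the OP wanted).
#    None of these rules use connection-state, so they hold with conntrack disabled.
#    Put them above any broad "accept" rules you already have (print order is rule order).
/ip firewall filter
add chain=forward in-interface-list=GUEST out-interface-list=LAN action=drop comment="guest -> LAN blocked"
add chain=forward in-interface-list=LAN out-interface-list=GUEST action=drop comment="LAN -> guest blocked"
add chain=forward in-interface-list=GUEST out-interface-list=WAN action=accept comment="guest -> internet"
add chain=forward in-interface-list=GUEST action=drop comment="guest -> anything else blocked"
add chain=input in-interface-list=GUEST protocol=udp dst-port=67 action=accept comment="guest DHCP to router"
add chain=input in-interface-list=GUEST protocol=udp dst-port=53 action=accept comment="guest DNS to router"
add chain=input in-interface-list=GUEST protocol=tcp dst-port=53 action=accept comment="guest DNS to router"
add chain=input in-interface-list=GUEST action=drop comment="no router management from guests"

# 6. Turn on VLAN filtering last. Until now every command above has been harmless;
#    this one changes how the bridge forwards, so double-check step 2 first if you
#    manage the router through the bridge, or you can lock yourself out.
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: the guest VLAN should show the four ports untagged and bridge1 tagged,
# and the drop counters should rise when a guest host tries to reach a LAN address.
/interface bridge vlan print
/ip firewall filter print stats where comment~"guest"
```

Two caveats a practitioner would add: the forward and input rules above are stateless, but a masquerade NAT rule for guest internet access would itself need connection tracking, so "no conntrack at all" only holds if NAT is done elsewhere; and these rules isolate the guest VLAN, not individual guest hosts from each other, which is what the thread's MAC-based and 802.1X remarks are about.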

@Jotne is 100% correct 🙂