Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 10:56 am
by antonwx
Hello. I need to configure firewall so user with certain IP range (for example 172.16.10.X) will be completely unable to interact with LAN devices, but able to connect to the internet
I need it to work without vlan, because there are some switches in the network which are not supporting 802.1q.
Thanks

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 11:23 am
by xvo
Those of your switches that "don't support 802.1q" won't know anything about your router's firewall rules, and they will gladly pass traffic between different LAN clients.

As for the clients that need access to the outside blocked, the solution is pretty straightforward: you need to create a rule in your firewall forward chain that will drop everything with src-address from the desired address range and out-interface = your WAN interface, and place this rule higher than the default rule that allows access from LAN to the outside.
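The rule xvo describes, written out as RouterOS CLI. This is an added example, not code from the post; it assumes ether1 is the WAN interface, 172.16.10.0/24 is the range to keep off the internet, and that the existing LAN-to-WAN accept rule carries the comment shown (in the stock default firewall there is no such explicit accept, so adapt the `find` to whatever rule you actually have).

```routeros
# Added example (not from the post). Assumptions: ether1 = WAN,
# 172.16.10.0/24 = clients that must not reach the internet.

# Assumed existing rule that lets the LAN out; the comment is what we anchor on,
# so the drop rule lands in the right place regardless of rule numbers.
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow LAN to WAN"

# Drop rule for the restricted range, placed BEFORE the accept so it is
# evaluated first. Matching on out-interface rather than dst-address keeps it
# correct no matter what address the WAN side has.
/ip firewall filter
add chain=forward action=drop src-address=172.16.10.0/24 out-interface=ether1 \
    comment="block 172.16.10.0/24 from internet" \
    place-before=[find comment="allow LAN to WAN"]

# Check the order: the drop must print above the accept.
/ip firewall filter print where chain=forward
```

If you later want the opposite policy (internet allowed, LAN forbidden), the same pattern applies with the drop matching `out-interface` of the LAN side instead of the WAN side, placed above whatever accept would otherwise let the traffic through.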

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 11:27 am
by mkx
If the devices you want to isolate are part of the same IP subnet and dispersed around different switches, then it is not possible to do what you're trying to do.
Connectivity between devices within the same IP subnet is generally direct ... without using any router. If you can move all "isolated-to-be" devices into one physical branch of the network and none of the other devices are in the same physical branch (I'm talking about ethernet layout here), then all communication between these two parts of the same subnet will pass through a common point, and if this point is a routerboard, then you can configure bridge filters to disable the connectivity.

However, if you were able to do that, then it would make more sense to have two IP subnets in the first place.

To amend what @xvo writes: non-VLAN-aware switches are not a problem per se ... but border switches (the ones that VLAN-unaware devices are connected to) have to be VLAN-capable.

@xvo: you managed to miss the point with the second paragraph ... OP wrote that the isolated devices need internet access, so firewall filter dropping packets from those devices toward WAN interface is exactly the opposite of what OP wants.

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 11:35 am
by xvo
@xvo: you managed to miss the point with the second paragraph ... OP wrote that the isolated devices need internet access, so firewall filter dropping packets from those devices toward WAN interface is exactly the opposite of what OP wants.
There was a second part of the question in the initial post, that I was answering with this, but I guess it was scratched out while I was typing :lol:

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 3:47 pm
by anav
Quick question, what if the IP addresses are assigned statically.
Could one not make individual FW rules for each??

Source (badip) allow to internet
Source (badIP) destination !badIP reject.

Hmmm, I keep forgetting this will not stop layer 2 traffic within a subnet.
- dumb switches will connect devices regardless of layer 3 rules

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 4:28 pm
by pe1chl
Hello. I need to configure firewall so user with certain IP range (for example 172.16.10.X) will be completely unable to interact with LAN devices, but able to connect to the internet
I need it to work without vlan, because there are some switches in the network which are not supporting 802.1q.
Thanks
Make sure you have your LAN clients on one set of switches, and your 172.16.10.x clients on another set of switches, not connected to each other, and connect each set of switches to a different port on the router.
When it is not possible to arrange that, first replace your switches with VLAN-capable switches.
After that, you have 2 different ports (or 2 different VLANs) for your different devices, and you can configure 2 IP ranges on the router and firewall rules.
(e.g. no traffic between the two local networks, but traffic from each of them to internet is allowed)
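The two-port layout pe1chl describes, as an added RouterOS configuration (not from the post). Assumed names: ether1 = WAN, ether2 = the trusted LAN switches, ether3 = the switches holding the 172.16.10.x clients; the 192.168.88.0/24 range for the trusted side is likewise an assumption.

```routeros
# Added example (not from the post). Assumptions: ether1 = WAN,
# ether2 = trusted LAN (192.168.88.0/24), ether3 = isolated clients (172.16.10.0/24).
/ip address
add address=192.168.88.1/24 interface=ether2 comment="trusted LAN"
add address=172.16.10.1/24 interface=ether3 comment="isolated clients"

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3

/ip firewall filter
# Let replies to already-permitted connections through; nothing below can
# ever become established between the two local networks, so this is safe.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Isolation in both directions. Matching on interfaces, not addresses, means a
# client that spoofs a 192.168.88.x source still cannot cross over.
add chain=forward action=drop in-interface=ether3 out-interface=ether2 \
    comment="isolated -> trusted LAN blocked"
add chain=forward action=drop in-interface=ether2 out-interface=ether3 \
    comment="trusted LAN -> isolated blocked"
# Both local networks may reach the internet.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> internet"
# Everything else (including anything unsolicited from WAN) is dropped.
add chain=forward action=drop comment="drop everything else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

The forward chain only governs traffic passing through the router; the router itself is still reachable from ether3 via the input chain, so add input rules there as well if the isolated clients should get nothing beyond DHCP and DNS from it.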

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 7:36 pm
by antonwx
There was a second part of the question in the initial post, that I was answering with this, but I guess it was scratched out while I was typing :lol:
yeah, sorry, I decided to address one issue at a time and figured another one myself anyway
When it is not possible to arrange that, first replace your switches with VLAN-capable switches.
thanks everyone for answers. I think I will generally move towards this direction. All other ways would be too messy and it's not worth the effort. All I wanted was to isolate wi-fi clients from interacting with LAN, but whatever, all resources are under passwords anyway and should be safe. Unless another thing like EternalBlue suddenly comes

Re: Deny some clients from accessing LAN

Posted: Fri Nov 08, 2019 8:42 pm
by pe1chl
When you have MikroTik access points or other types that can be configured with different SSIDs going to different VLANs, you could still consider using VLANs.
Remember, when you have totally dumb switches they can often transport VLANs without issue. Just test whether they allow a 1504-byte MTU (extra 4 bytes for the VLAN tag).

Then you can put your WiFi guests on a tagged VLAN and put a VLAN subinterface in the router to handle that traffic, and it will still be isolated from the LAN because the guests are unable to send untagged traffic.

However, beware that Windows device drivers are often buggy and they will untag and merge all traffic on receive.
So, do not put IPv6 on your guest VLAN or Windows will see the RA and assign itself an IPv6 address from the guest network. :-(
For IPv4 with DHCP this isn't a problem because the DHCP address assignment is a request-response mechanism and systems on the LAN will be unable to make the request.
(unless of course someone adds a tagged VLAN interface on the machine)

VLAN-capable manageable switches make it all much more reliable because you can specify what traffic goes to what port(s) and whether it is tagged or not.
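The tagged guest VLAN with a router subinterface that pe1chl outlines, as an added RouterOS (v6 bridge VLAN filtering) configuration, not code from the post. Assumed names: bridge1 is the LAN bridge, ether2 is the uplink towards the dumb switches and access points (untagged LAN plus guest traffic tagged with VLAN ID 20), 172.16.10.0/24 is the guest range, and 172.16.10.10 is a guest client used for the MTU check.

```routeros
# Added example (not from the post). Assumptions: bridge1 = LAN bridge,
# ether2 = uplink carrying untagged LAN + tagged VLAN 20, guest range 172.16.10.0/24.
/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering last"
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=1
# VLAN 20 is tagged on the uplink and on the bridge's own CPU port so the router
# can terminate it; untagged frames stay on VLAN 1 (the existing LAN).
/interface bridge vlan
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2

# Router-side subinterface: this is where the guest traffic is routed.
/interface vlan
add name=vlan20-guest vlan-id=20 interface=bridge1

/ip address
add address=192.168.88.1/24 interface=bridge1 comment="trusted LAN, untagged"
add address=172.16.10.1/24 interface=vlan20-guest comment="guest VLAN 20"

# DHCP for guests: request/response, so an untagged LAN host can never obtain
# a guest lease (it cannot send the tagged request).
/ip pool
add name=guest-pool ranges=172.16.10.10-172.16.10.254
/ip dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1

# Guests may not be routed into the untagged LAN. Keep this rule above any
# generic accept (e.g. an established/related or LAN-to-WAN accept).
/ip firewall filter
add chain=forward action=drop in-interface=vlan20-guest out-interface=bridge1 \
    comment="guest VLAN -> LAN blocked"

# Deliberately NO /ipv6 address on vlan20-guest: without RAs on the guest VLAN,
# a Windows driver that strips tags on receive has no guest prefix to adopt.

# Finally switch filtering on (doing it earlier can cut off your own session).
/interface bridge set bridge1 vlan-filtering=yes

# MTU check for the dumb switches in the path: a full-size, unfragmented ping
# inside the VLAN needs a 1522-byte frame (1518 + 4-byte tag) to get through.
/ping 172.16.10.10 size=1500 do-not-fragment count=5
```

If the ping succeeds with `size=1500` but fails at that size and not at, say, `size=1496`, the switches between the router and the guest client are clipping tagged frames and should be replaced before relying on this setup.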