Solved LAN with mixed wireless and wired devices

Greetings all,

I have wireless and wired devices on a LAN configured with sub-net 192.168.0.0/24. A snippet of pf.conf of the wired device:
Code:
. . .
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,255.255.255.255 }"
. . .
# Drop packets from non-routable addresses immediately
block drop in quick on $ext_if from $nonroute to any
. . .
# Allow ICMP
pass in quick on $ext_if inet proto icmp to ($ext_if) icmp-type 8 code 0 keep state
. . .
shows that I am blocking all non-routable private addresses on the external interface, with the intent that since the devices are on the same LAN, the switching among them will happen on layer 2, thus layer 3 (the IP address) will not be implicated and the packets will not be blocked by the nonroute rule. At the same time I allow echo request for testing purposes.

However, the echo request has been failing and I have determined, by commenting out the nonroute rule, that the packets from the wireless device are blocked by the nonroute rule. So thinking about the issue, it may be my networking ignorance and not a pf.conf mis-configuration.

Since the searches do not return anything useful, any advice or reference would be appreciated.

Kindest regards,

M
 
shows that I am blocking all non-routable private addresses on the external interface, with the intent that since the devices are on the same LAN, the switching among them will happen on layer 2, thus layer 3 (the IP address) will not be implicated and the packets will not be blocked by the nonroute rule.
Switching typically happens on layer 2, yes. But connections are layer 3/4 and therefore hit your block rule.

At the same time I allow echo request for testing purposes.
It never gets there because processing of the packet stops at the nonroute block rule due to the quick keyword and therefore never reaches the pass rule.
 
Hi SirDice,

you are correct. I have done some additional reading and the layer 2 switch needs layer 3 information to even build the layer 2 MAC association.

So what is the optimal solution? Delete the 192.168.0.0/16 from the table? Write a rule excepting the addresses on my LAN?

Kindest regards,
 
What is the purpose of the FreeBSD machine? The simplest solution is of course to allow the local traffic and block everything else.
 
Hi SirDice,

the machine is a laptop that is often not behind a central firewall, hence the local pf firewall. I am trying to find a solution different from turning the local pf firewall on/off and potentially forgetting to turn it on when needed.

Kindest regards,

M
 
You could use something like this:
Code:
block in on $ext_if from ! $ext_if:network to any
That will block everything that's not originating from the same network as the $ext_if interface.
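To make the quick behaviour discussed in this thread visible, here is an added Python model of pf's rule evaluation (it is not from the thread and not pf's own code): it replays the poster's nonroute ruleset and SirDice's replacement rule against a ping from the wireless device and shows the first ruleset stopping at the nonroute rule. The 10.0.0.5 outside source and the rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of pf rule evaluation: rules are checked top to bottom,
# the LAST matching rule wins, except that a matching "quick" rule is final.
# When nothing matches, pf's implicit default is to pass.

NONROUTE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "20.20.20.0/24", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
    "255.255.255.255/32")]
LAN = ipaddress.ip_network("192.168.0.0/24")  # what $ext_if:network expands to here

@dataclass
class Rule:
    name: str
    action: str                    # "block" or "pass"
    quick: bool
    match: Callable[[Dict], bool]  # predicate over the packet

def make_pkt(src: str, proto: str, icmp_type: Optional[int] = None) -> Dict:
    return {"src": ipaddress.ip_address(src), "proto": proto, "icmp_type": icmp_type}

def is_echo_request(p: Dict) -> bool:
    return p["proto"] == "icmp" and p["icmp_type"] == 8

# The poster's ruleset: "block drop in quick ... from $nonroute", then the ICMP pass.
ORIGINAL: List[Rule] = [
    Rule("nonroute", "block", True, lambda p: any(p["src"] in n for n in NONROUTE)),
    Rule("icmp-echo", "pass", True, is_echo_request),
]

# SirDice's replacement: "block in on $ext_if from ! $ext_if:network to any" (no quick).
FIXED: List[Rule] = [
    Rule("not-lan", "block", False, lambda p: p["src"] not in LAN),
    Rule("icmp-echo", "pass", True, is_echo_request),
]

def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, str]:
    """Return (action, rule name) that pf would apply to one inbound packet."""
    winner = ("pass", "default")
    for r in rules:
        if r.match(pkt):
            winner = (r.action, r.name)
            if r.quick:  # quick: stop here, later rules are never evaluated
                break
    return winner

if __name__ == "__main__":
    lan_ping = make_pkt("192.168.0.50", "icmp", 8)  # the wireless device on the LAN
    print("original, LAN ping:", evaluate(ORIGINAL, lan_ping))  # ('block', 'nonroute')
    print("fixed, LAN ping:   ", evaluate(FIXED, lan_ping))     # ('pass', 'icmp-echo')
    print("fixed, outside TCP:", evaluate(FIXED, make_pkt("10.0.0.5", "tcp")))
```

Because the replacement block rule carries no quick, the later quick ICMP pass rule still wins for echo requests arriving from outside the LAN; whether that is acceptable depends on the policy wanted for the laptop.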
 
Hi SirDice,

thank you for the exact rule. That is what I meant by "Writ[ing] a rule excepting the addresses on my LAN."

Kindest regards,
 