Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

VLANs on L3 switches is what instantly springs to mind. Alternatively,
as you suggest, ACLs on the L3 switch itself between all the machines
on that switch is another option.

How about something like this though? Say the LAN is
The machines all have their gateway set to Don't
have any routes on the switch apart from a default one pointing to the
firewall which can be on another network ( - one port on
the switch also on this network( So all traffic gets
forced through the firewall instead of being forcefully routed on the
switch itself. Logically this sounds ok to me - I haven't actually
tested this - but it might work.


On Mon, Jan 25, 2010 at 9:51 PM, William Fitzgerald
<wfitzgerald@xxxxxxxxx> wrote:
Dear all,

I was just wondering how people control access amongst machines on the same
subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the
firewall itself or forwarded through the firewall towards another network,
the firewall will not protect machines behind the firewall from each other.
Perhaps as a result of the built-in switch, packets don't get up to layer 3
and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to
each other, perhaps by layer 3 filtering. For example, it may make sense to
prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect inter-LAN
packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each

This is just a general question, so that I might better understand the area
of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from
Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a
practical thing to do.

Any comments or insights are welcomed.

firewall-wizards mailing list
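The exchange above turns on one routing decision: a host that considers its peer on-link hands the packet to the switch and the firewall never sees it, while a host that considers the peer off-link sends it to the gateway, where iptables FORWARD rules apply. The following is an added model of that decision and of a small FORWARD rule set, not code from the thread or from DD-WRT. It assumes RFC 5737 documentation addresses (constructed), a firewall at 192.0.2.1, and one way of making peers look off-link (a /32 mask on the host), which is an assumption beyond what the reply describes.

```python
"""Model of why same-subnet traffic bypasses a LAN firewall, and how forcing it
through the gateway lets iptables-style FORWARD rules filter it.
Constructed example: addresses are RFC 5737 documentation addresses."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefixlen: int   # on-link mask configured on the host
    gateway: str     # default gateway (the firewall's LAN address)


def next_hop(src: Host, dst_ip: str) -> str:
    """Return 'direct' when the host treats dst as on-link (ARP + switch only,
    the firewall is never involved); otherwise return the gateway address."""
    iface = ipaddress.ip_interface(f"{src.ip}/{src.prefixlen}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "direct"
    return src.gateway


# FORWARD rules in iptables order: (source net, destination net, verdict).
# First match wins; FORWARD_POLICY applies when nothing matches.
FORWARD_RULES = [
    ("192.0.2.20/32", "192.0.2.30/32", "DROP"),    # printer -> web server
    ("192.0.2.30/32", "192.0.2.20/32", "DROP"),    # web server -> printer
    ("192.0.2.0/24", "192.0.2.0/24", "ACCEPT"),    # any other LAN-to-LAN traffic
]
FORWARD_POLICY = "DROP"


def forward_verdict(src_ip: str, dst_ip: str,
                    rules=FORWARD_RULES, policy=FORWARD_POLICY) -> str:
    """Evaluate a packet against the FORWARD chain, first match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, verdict in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return verdict
    return policy


def deliver(src: Host, dst_ip: str) -> str:
    """Outcome of one packet from src: either the switch delivers it unseen,
    or it reaches the firewall and gets a FORWARD verdict."""
    if next_hop(src, dst_ip) == "direct":
        return "delivered by switch, firewall never sees it"
    return f"firewall FORWARD: {forward_verdict(src.ip, dst_ip)}"


GATEWAY = "192.0.2.1"
# Ordinary /24 configuration: every LAN peer is on-link.
printer_24 = Host("printer", "192.0.2.20", 24, GATEWAY)
# Assumed variant of the reply's trick: a /32 mask makes every peer off-link,
# so all traffic goes to the gateway (the host then needs an explicit on-link
# route to the gateway itself; omitted from this model).
printer_32 = Host("printer", "192.0.2.20", 32, GATEWAY)

if __name__ == "__main__":
    for host in (printer_24, printer_32):
        print(f"{host.name}/{host.prefixlen} -> web server: {deliver(host, '192.0.2.30')}")
        print(f"{host.name}/{host.prefixlen} -> other LAN host: {deliver(host, '192.0.2.40')}")
```

With the /24 host the printer-to-web-server packet is delivered by the switch and the DROP rule is never consulted; with the off-link configuration the same packet reaches the FORWARD chain and is dropped, while traffic to other LAN hosts is accepted. On a real router the hairpinned packet enters and leaves on the same LAN interface, so the FORWARD rules must not be restricted to the WAN interface, and the ACCEPT rule would normally be made stateful.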
