Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Hi everyone,

Thanks for the constructive feedback.

I'll read into the proposed areas such as private vlans and the possible configurations of vlans within dd-wrt.

I now know what some of the terminology used is (private vlan etc) in order to hone in on the correct types of documentation to read.

Kind regards,

PS: This reply may not get to you for some time, as I seem to need moderator approval to post to the list.

Pete.LeMay wrote:
To accomplish the isolation, you should take a look at features of the switch.

I found a few articles showing dd-wrt supports multiple vlans that would effectively isolate users on the wireless side. I didn't read anything more than the short description on Google though. In the enterprise, I suggest you read up on private vlans.

You could also look at IPsec policies in Windows to limit the machines that can talk to each machine.

Hope this points you in the right direction,

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of William Fitzgerald
Sent: Monday, January 25, 2010 11:22 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine.

This is just a general question, so that I might better understand the area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

firewall-wizards mailing list

William M. Fitzgerald (MSc, BSc)
PhD Student,
Cork Constraint Computation Centre,
Computer Science Dept.,
University College Cork,
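Two concrete ways of getting LAN-to-LAN traffic in front of iptables on a Linux router, added here as an example; this is not code from the thread or from DD-WRT, and the interface names, VLAN ids and addresses are assumptions. Option 1 is the VLAN split suggested in the reply; option 2 is the layer-2 idea from the original question, together with the reason it only partly works on a router with a hardware switch.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to put LAN-to-LAN traffic in
# front of iptables on a Linux router. Interface names, VLAN ids and addresses
# are constructed for illustration (assumptions, not DD-WRT's actual layout).

TRUNK="eth0"        # assumed trunk port toward the switch
PRN_VLAN=10         # printer segment    192.168.10.0/24 (constructed)
WEB_VLAN=20         # web server segment 192.168.20.0/24 (constructed)
WLAN="eth1"         # assumed wireless interface bridged into br0
LANPORT="eth0"      # assumed wired side of the same bridge
WEBSRV="192.168.1.50"  # constructed web server address on the flat LAN

# Option 1: separate VLANs. Printer <-> web server traffic must now be routed,
# so it passes through the FORWARD chain, where the two rules below drop it.
vlan_rules() {
  cat <<EOF
ip link add link $TRUNK name $TRUNK.$PRN_VLAN type vlan id $PRN_VLAN
ip link add link $TRUNK name $TRUNK.$WEB_VLAN type vlan id $WEB_VLAN
ip addr add 192.168.10.1/24 dev $TRUNK.$PRN_VLAN
ip addr add 192.168.20.1/24 dev $TRUNK.$WEB_VLAN
ip link set $TRUNK.$PRN_VLAN up
ip link set $TRUNK.$WEB_VLAN up
iptables -A FORWARD -i $TRUNK.$PRN_VLAN -o $TRUNK.$WEB_VLAN -j DROP
iptables -A FORWARD -i $TRUNK.$WEB_VLAN -o $TRUNK.$PRN_VLAN -j DROP
EOF
}

# Option 2: keep one bridge (br0) but make bridged frames traverse iptables.
# This only catches traffic that crosses the bridge (e.g. wireless <-> wired);
# frames switched between two wired ports of the hardware switch never reach
# the CPU, so the firewall still cannot see or filter them.
bridge_rules() {
  cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-in $WLAN --physdev-out $LANPORT -d $WEBSRV -j DROP
EOF
}

# Number of DROP rules an option emits (quick sanity check on the policy).
count_drops() { "$1" | grep -c -- '-j DROP'; }

# Print the commands for review; run as root with "apply" to execute option 1.
if [ "$1" = "apply" ] && [ "$(id -u)" = "0" ]; then
  vlan_rules | sh -e
else
  vlan_rules
  bridge_rules
fi
```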
