Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Hi everyone,

Thanks for the constructive feedback.

I'll read into the proposed areas such as private vlans and the possible configurations of vlans within dd-wrt.

I now know what some of the terminology used is (private vlan etc) in order to hone in on the correct types of documentation to read.

kind regards,

PS: This reply may not get to you for some time, as I seem to need moderator approval to post to the list.

Pete.LeMay wrote:
To accomplish the isolation, you should take a look at features of the switch.

I found a few articles showing dd-wrt supports multiple vlans that would effectively isolate users on the wireless side. I didn't read anything more than the short description on google though. In the enterprise, I suggest you read up on private vlans.

You could also look at ipsec policies in windows to limit the machines that can talk to each machine.

Hope this points you in the right direction,

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of William Fitzgerald
Sent: Monday, January 25, 2010 11:22 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.

Is there away to force/make it easier for the firewall to inspect inter-LAN packets. Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine.

This is just a general question, so that I might better understand the area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

firewall-wizards mailing list

William M. Fitzgerald (MSc, BSc)
PhD Student,
Cork Constraint Computation Centre,
Computer Science Dept.,
University College Cork,

firewall-wizards mailing list

Relevant Pages

  • Re: Was: Using old..IS: Thanks
    ... >and then get Tiny Personal Firewall. ... >machines on your lan will be behind the firewall. ... I'm running 98 on both machines. ...
  • Re: adding another PC to LAN
    ... The wiring and hardware seems to be working as the new PC can access the internet over the LAN, but the new PC cannot see a server or a network printer on the LAN. ... Sharing in Vista. ... Problems sharing files between computers on a network are generally caused by 1) a misconfigured firewall or overlooked firewall; or 2) inadvertently running two firewalls such as the built-in Windows Firewall and a third-party firewall; and/or 3) not having identical user accounts and passwords on all Workgroup machines; 4) trying to create shares where the operating system does not permit it. ...
  • Re: Was: Using old..IS: Thanks
    ... >>and then get Tiny Personal Firewall. ... Once that is setup, all ... >>machines on your lan will be behind the firewall. ...
  • Re: Routing
    ... 3COM Firewall is at IP= ... > Choose one device to handle LAN routing. ... > Point the DG of all the machines to it. ... There is also a Microsoft RRAS VPN between the 2 sites. ...
  • DNS on LAN
    ... as a firewall using IPCop as a gateway to the web. ... uses a dynamic IP from my ISP so all the machines have web access. ... So question is how to use my domain name behind my firewall in my LAN ... with my server for development. ...