Re: How to blocks clients between them in subnet
Hello,

On Mon, Jul 18, 2016 at 01:26:42PM +0100, Darac Marjal wrote:
> (you can't assume that eth0 talks to 192.168.1.0/24 and eth1 talks
> to 192.168.2.0/24, for example). It's not impossible, but needs a
> bit more care.

ebtables could enforce that but I agree it is much more hassle than physical separation, or a switch with different ports and vlans.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating.
— Andy Davidson
Re: How to blocks clients between them in subnet
On Mon, Jul 18, 2016 at 02:18:03PM +0200, Pol Hallen wrote:
> Hi all,
>
> I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24
>
> I'd like to block clients on 192.168.2.0/24 from each other in the same network.
>
> So, client1 can go to 192.168.1.0/24 but can't see other clients in
> 192.168.2.0/24. And so for all clients.

IMO, your best bet is to physically isolate the networks. 192.168.1.0/24 clients are on one switch, and 192.168.2.0/24 clients are on another switch. Only a single gateway host connects the two switches, and all clients must route through this host to reach the other network.

If both clients are on a shared network segment, then what's to stop a 192.168.1.0/24 client adding a 192.168.2.0/24 IP to their network adapter and talking directly?

If you trust the hosts not to do that, then you could still work as above, but note that firewall rules will become a bit more complex (you can't assume that eth0 talks to 192.168.1.0/24 and eth1 talks to 192.168.2.0/24, for example). It's not impossible, but needs a bit more care.

> Any idea?
>
> thanks!
>
> Pol

-- 
For more information, please reread.
Re: How to blocks clients between them in subnet
Hi Pol,

On Mon, Jul 18, 2016 at 02:18:03PM +0200, Pol Hallen wrote:
> I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24
>
> I'd like to block clients on 192.168.2.0/24 from each other in the same network.
>
> So, client1 can go to 192.168.1.0/24 but can't see other clients in
> 192.168.2.0/24. And so for all clients.

I'm having difficulty visualising what you're asking. Depending on what the IP address of client1 is it could be a very different question.

You say "client1 […] can't see other clients in 192.168.2.0/24" so I will have to assume that client1 is also in 192.168.2.0/24. But then it isn't clear why you mention the other 192.168.1.0/24 network at all.

Anyway, if your problem is that you have multiple hosts in the same layer 3 network (192.168.1.0/24) but you don't want them to talk to each other:

Presumably they are all connected to the same switch(es), which may have layer 3 firewalling capabilities, but these will be of no use since they won't see the layer 3 traffic like a router does.

In an ideal world you'd use VLANs and have the different switch ports in different networks. Note that just putting hosts in different networks won't be enough; it would stop them talking to devices outside their network by default, but they could just add a static route themselves.

Your switch may have layer 2 firewalling capabilities. If your switch is actually a Linux box then it certainly does have layer 2 firewalling; this is provided by a thing called ebtables. After you've put all interfaces of your switch in a software bridge it can be as simple as:

# ebtables -P FORWARD DROP

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Re: How to blocks clients between them in subnet
On Mon 18 Jul 2016 at 16:37:25 (-0300), Henrique de Moraes Holschuh wrote:
> On Mon, 18 Jul 2016, Bonno Bloksma wrote:
> > This looks to be impossible. The whole idea of having 1 network
> > segment is that members can communicate directly over layer 2 without
> > any router/firewall in between.
>
> Actually, it is very much possible, but it needs cooperation from the
> network equipment (switch or wireless AP/router).
>
> https://en.wikipedia.org/wiki/Private_VLAN
>
> Wireless APs and routers often have a feature that can be enabled to
> "isolate clients" which is similar to a private vlan where all ports are
> private except for the uplink.

Is this what home routers do if you configure the Guest Network option? I see the checkboxes:

. Enable Guest Network ☐
. Enable Wireless Isolation ☐
. Enable SSID Broadcast ☑
. Allow guests to access My Local Network ☐

on my Netgear router screens. Or would the guests still be able to see each other (but not the non-guest users like me)?

Cheers,
David.
Re: How to blocks clients between them in subnet
On Mon, 18 Jul 2016, Bonno Bloksma wrote:
> This looks to be impossible. The whole idea of having 1 network
> segment is that members can communicate directly over layer 2 without
> any router/firewall in between.

Actually, it is very much possible, but it needs cooperation from the network equipment (switch or wireless AP/router).

https://en.wikipedia.org/wiki/Private_VLAN

Wireless APs and routers often have a feature that can be enabled to "isolate clients" which is similar to a private vlan where all ports are private except for the uplink.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
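An added example, not from any post in this thread, that turns Andy's ebtables suggestion and the private-VLAN idea above into a script for a Linux box that acts as the switch for 192.168.2.0/24. It assumes the clients hang off eth1, eth2 and eth3, the gateway sits on eth0, the bridge is called br0 and the client subnet is 192.168.2.0/24; those names are assumptions, not details from the thread. Two points a practitioner would want beyond the one-liner: a bare ebtables -P FORWARD DROP stops every bridged frame, client-to-gateway included, so the uplink legs have to be accepted explicitly; and a kernel of 4.18 or newer can do the same job with the bridge's own isolated-port flag, which is the Linux equivalent of a private VLAN and needs no ebtables rules at all. The anti-spoof rule answers Darac's worry about a client giving itself an address from the other subnet.

```shell
#!/bin/sh
# Added example (not code from the thread). A Linux box is the switch for
# the client subnet: clients on eth1..eth3, gateway/uplink on eth0, all ports
# in bridge br0. Interface names, bridge name and subnet are assumptions.
set -eu

BRIDGE="${BRIDGE:-br0}"
UPLINK="${UPLINK:-eth0}"
CLIENT_PORTS="${CLIENT_PORTS:-eth1 eth2 eth3}"
CLIENT_NET="${CLIENT_NET:-192.168.2.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Put every port into one software bridge (the precondition for ebtables
# seeing the frames at all: only bridged frames pass the FORWARD chain).
build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    for p in $UPLINK $CLIENT_PORTS; do
        run ip link set "$p" master "$BRIDGE"
        run ip link set "$p" up
    done
    run ip link set "$BRIDGE" up
}

# Variant 1: ebtables. "-P FORWARD DROP" alone drops everything bridged,
# including client <-> gateway, so accept frames entering from or leaving
# via the uplink. Client <-> client frames match no rule and are dropped.
ebtables_isolate() {
    run ebtables -F FORWARD
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -i "$UPLINK" -j ACCEPT
    run ebtables -A FORWARD -o "$UPLINK" -j ACCEPT
}

# Optional anti-spoof on top of variant 1: IPv4 frames arriving on a client
# port with a source address outside the client subnet are dropped before
# the uplink ACCEPT rules are consulted (-I inserts at the top of the chain).
ebtables_antispoof() {
    for p in $CLIENT_PORTS; do
        run ebtables -I FORWARD -i "$p" -p IPv4 --ip-src ! "$CLIENT_NET" -j DROP
    done
}

# Variant 2: the bridge's private-VLAN-style isolated ports (Linux 4.18+).
# Frames are never forwarded between two isolated ports; the uplink stays
# non-isolated, so every client still reaches the gateway and vice versa.
pvlan_isolate() {
    for p in $CLIENT_PORTS; do
        run bridge link set dev "$p" isolated on
    done
    run bridge link set dev "$UPLINK" isolated off
}

case "${1:-plan}" in
    plan)  build_bridge; ebtables_isolate; ebtables_antispoof ;;  # print only
    apply) DRY_RUN=0; build_bridge; pvlan_isolate ;;              # needs root
esac
```

With no argument the script only prints the commands it would run; `apply` executes the bridge setup plus the isolated-port variant as root. Whichever variant you pick, a client can still reach a neighbour by addressing the IP packet to the gateway's MAC and letting the gateway route it straight back out the same interface, so also refuse same-interface forwarding on the gateway (for example iptables -A FORWARD -i br0 -o br0 -j DROP if this box is the gateway as well). Note too that ebtables FORWARD only filters bridged frames, never traffic the box itself originates or terminates.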
Re: How to blocks clients between them in subnet
On Monday, July 18, 2016 10:11:24 AM Bonno Bloksma wrote:
> > I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24
>
> Ok, 2 different network segments and something between that might stop
> unwanted communication
>
> > I'd like to block clients on 192.168.2.0/24 from each other in the same network.
> >
> > So, client1 can go to 192.168.1.0/24 but can't see other clients in
> > 192.168.2.0/24. And so for all clients.
>
> This looks to be impossible. The whole idea of having 1 network segment is
> that members can communicate directly over layer 2 without any
> router/firewall in between.

I don't fool with my network that often, but, if you have less than ~252 clients, I think you could put each on its own network (e.g., 192.168.2.1, 192.168.3.1, 192.168.4.1, ... 192.168.254.1).
RE: How to blocks clients between them in subnet
Hi,

> I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24

Ok, 2 different network segments and something between that might stop unwanted communication

> I'd like to block clients on 192.168.2.0/24 from each other in the same network.
>
> So, client1 can go to 192.168.1.0/24 but can't see other clients in
> 192.168.2.0/24. And so for all clients.

This looks to be impossible. The whole idea of having 1 network segment is that members can communicate directly over layer 2 without any router/firewall in between.

Bonno Bloksma
How to blocks clients between them in subnet
Hi all,

I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24

I'd like to block clients on 192.168.2.0/24 from each other in the same network.

So, client1 can go to 192.168.1.0/24 but can't see other clients in 192.168.2.0/24. And so for all clients.

Any idea?

thanks!

Pol