Re: NPF Port Range Mapping and Network Segregation

[Greg Troxel <gdt%lexort.com@localhost>]

Pete Long <pete%valar.uk.net@localhost> writes:

> Thanks for the suggestion. Unfortunately I'm still unable to stop packets passing between the two interfaces:
>
> group "wifi" on $wifi_if {
>
> block in final from $localnet
> block out final to $localnet
> pass in all
> pass out all
> }

I think you might have in and out backwards.

The packets that you don't want will be like

  emitted by a device on the wifi interface
  from address: wifi.x
  to address internal.y

so you need to pick one of two strategies

  block this packet from being received on the wifi interface
  block this packet from being transmitted on the internal interface


I would suggest the first.  So that's (totally untested!!)

  within wifi group
    block in final from any to internal 
  
  within internal group
    block in final from any to wifi
    (perhaps) block out final from wifi to any


except that you may want one network to be able to connect to the other,
but not the other way around.  e.g. if  this is "lan" and "iot", you
might want lan to be able to initiate TCP connections form lan to iot,
but not for iot to initiate to lan.

I know this may sound too tutorial, but drawing the interfaces as lines
into the router, and then the packets, and considering each firewall
transition may help in getting this right.  It's a lot of details and
tricky.