tech-net archive
Re: NPF Port Range Mapping and Network Segregation
> On 22 Jan 2025, at 12:20, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Pete Long <pete%valar.uk.net@localhost> writes:
>
>> Thanks for the suggestion. Unfortunately I'm still unable to stop packets passing between the two interfaces:
>>
>> group "wifi" on $wifi_if {
>>
>> block in final from $localnet
>> block out final to $localnet
>> pass in all
>> pass out all
>> }
>
> I think you might have in and out backwards.
>
> The packets that you don't want will be like
>
> emitted by a device on the wifi interface
> from address: wifi.x
> to address internal.y
>
> so you need to pick one of two strategies
>
> block this packet from being received on the wifi interface
> block this packet from being transmitted on the internal interface
>
>
> I would suggest the first. So that's (totally untested!!)
>
> within wifi group
> block in final from any to internal
>
> within internal group
> block in final from any to wifi
> (perhaps) block out final from wifi to any
Thanks very much, Greg. The rules below are doing what I require now. I just need to keep the two networks apart but be able to access the Internet.
I think I did indeed have 'in' and 'out' mixed up.
On my phone connected to the wifi network, I cannot ping or access any services on the internal (wired) network but I can ping out to the Internet. The opposite applies as well.
group "wifi" on $wifi_if {
block in final from any to $localnet apply "log"
pass in all
pass out all
}
group "internal" on $int_if {
block in final from any to $wifinet apply "log"
pass in all
pass out all
}
group default {
pass final on lo0 all
block all
}
Awesome, thanks very much for your time.
Pete.
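As an added illustration (not part of the thread, and not NPF's own code), here is a small Python model of how a group's rules are evaluated, showing why the first attempt's "block in final from $localnet" let the phone-to-wired packet through while "block in final from any to $localnet" stops it. It assumes simplified NPF semantics (last matching rule wins unless a matching rule is "final", which ends evaluation) and uses constructed network values in place of the thread's $localnet and $wifinet.

```python
# Added example: simplified model of NPF rule evaluation within one group.
# Assumed semantics: rules are tried in order, the last match wins, and a
# matching rule marked "final" stops evaluation immediately.
from ipaddress import ip_address, ip_network

# Constructed sample networks; the thread does not show the real values.
LOCALNET = ip_network("192.168.1.0/24")   # stands in for $localnet (wired)
WIFINET = ip_network("192.168.2.0/24")    # stands in for $wifinet


def matches(rule, pkt):
    """rule = (action, direction, src_net or None, dst_net or None, final)."""
    action, direction, src, dst, final = rule
    if direction != pkt["dir"]:
        return False
    if src is not None and ip_address(pkt["src"]) not in src:
        return False
    if dst is not None and ip_address(pkt["dst"]) not in dst:
        return False
    return True


def evaluate(rules, pkt, default="block"):
    """Return the verdict for pkt; `default` is assumed when nothing matches."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule[0]
            if rule[4]:          # "final": stop processing this group
                break
    return verdict


# First attempt on $wifi_if: the block keys on the *source* address.
WIFI_GROUP_ORIGINAL = [
    ("block", "in", LOCALNET, None, True),    # block in final from $localnet
    ("block", "out", None, LOCALNET, True),   # block out final to $localnet
    ("pass", "in", None, None, False),        # pass in all
    ("pass", "out", None, None, False),       # pass out all
]

# Working version: block inbound packets by *destination*, then pass the rest.
WIFI_GROUP_FIXED = [
    ("block", "in", None, LOCALNET, True),    # block in final from any to $localnet
    ("pass", "in", None, None, False),        # pass in all
    ("pass", "out", None, None, False),       # pass out all
]

# Constructed packets as seen arriving ("in") on $wifi_if from the phone.
PHONE_TO_WIRED = {"dir": "in", "src": "192.168.2.10", "dst": "192.168.1.5"}
PHONE_TO_INTERNET = {"dir": "in", "src": "192.168.2.10", "dst": "203.0.113.7"}
```

Running `evaluate(WIFI_GROUP_ORIGINAL, PHONE_TO_WIRED)` yields "pass" (the source is on the wifi net, so the source-based block never fires), while the fixed group yields "block" for the same packet and still "pass" for the Internet-bound one.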