Hi Christian,

I've made two VLANs to automatically assign random IPs from a pool by dhcpd:

    # /etc/hostname.vlan100
    description 'LAN attached untrusted hosts'
    inet 192.168.155.0/24 255.255.255.0
    vlandev em0

    # /etc/hostname.vlan101
    description 'WLAN attached untrusted hosts'
    inet 192.168.156.0/24 255.255.255.0
    vlandev run0

Going to filter access from these VLANs by PF.

My 'real' LAN and WLAN _trusted_ devices get IPs from preregistered MACs in /etc/dhcpd.conf. No free IP registration is available for _trusted_ devices. For _untrusted_ devices I'd like to set IPs by dhcpd from address pools: vlan100 192.168.155.2 - 192.168.155.200, and vlan101 192.168.156.2 - 192.168.156.200.

    # echo 'dhcpd_flags="em0 run0 vlan100 vlan101"' >> rc.conf.local
    # . rc.conf.local

Added address ranges for vlan100 and vlan101 to /etc/dhcpd.conf and restarted the daemon. dhcpd tries to assign addresses for _untrusted_ hosts from the real subnet, where no free leases are available, instead of from the vlan100 or vlan101 pools provided.

How do you set IPs for your trusted/untrusted devices using dhcpd? Could you share your dhcpd.conf setup for the VLANs you're using?

Thanks,
Denis

On 2/4/2020 8:03 PM, Christian Weisgerber wrote:
> On 2020-02-03, Denis <den...@mindall.org> wrote:
>
>> Some hosts should be limited in internet access and/or local access or
>> simply be restricted in some way because they are untrusted.
>>
>> I'm looking for a possibility to isolate untrusted inside LAN using any
>> approach applicable. How do people isolate undesirable hosts in their
>> networks?
>
> Put hosts with different trust requirements into different networks
> at the IP level, connected to a central gateway where you can easily
> permit/deny traffic between them. Use VLANs to separate the IP
> networks.
>
> For example, my home network is split into three networks:
>
> * Trusted hosts. These are allowed to initiate traffic to the
> Internet and to the other networks.
>
> * Untrusted hosts with outside access. These are allowed to initiate
> traffic to the Internet at large, but not to the other networks.
> This is mostly my wi-fi. Also a RIPE Atlas probe.
>
> * Untrusted hosts without outside access. These cannot initiate
> traffic to any destination outside their network. Includes my
> printer and the SIP phone[1] for my "landline".
>
> That's three vlan(4) interfaces on my gateway, which provides basic
> DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
> ruleset to enforce the restrictions above about who can start talking
> to whom.
>
>
> [1] A SIP phone that is not allowed to talk to the outside may seem
> surprising, but it only needs to talk to siproxd on the gateway,
> and siproxd is required for NAT traversal anyway.
>
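A dhcpd.conf of the shape Denis describes (registered MACs only on the trusted network, dynamic pools on vlan100 and vlan101), written as an added example for this thread rather than either poster's actual file. It assumes the gateway holds .1 on each VLAN, that the trusted LAN is 192.168.154.0/24 on em0 (a placeholder; the real trusted subnet is not given in the thread), and the MAC address shown is constructed.

```conf
# /etc/dhcpd.conf (added example; assumptions noted inline)
# Assumed: gateway address is .1 on every subnet below; the trusted LAN
# 192.168.154.0/24 is a placeholder chosen for this example.

option domain-name-servers 192.168.154.1;

# Trusted network: only pre-registered hosts get a lease, no dynamic range,
# so an unknown MAC on em0 gets no address at all.
subnet 192.168.154.0 netmask 255.255.255.0 {
	option routers 192.168.154.1;
	deny unknown-clients;

	host trusted-laptop {
		hardware ethernet 00:00:5e:00:53:01;   # constructed (documentation MAC range)
		fixed-address 192.168.154.10;
	}
}

# vlan100: LAN-attached untrusted hosts, dynamic pool only (range from the thread).
subnet 192.168.155.0 netmask 255.255.255.0 {
	option routers 192.168.155.1;
	range 192.168.155.2 192.168.155.200;
}

# vlan101: WLAN-attached untrusted hosts, dynamic pool only (range from the thread).
subnet 192.168.156.0 netmask 255.255.255.0 {
	option routers 192.168.156.1;
	range 192.168.156.2 192.168.156.200;
}
```

dhcpd(8) matches a request arriving on an interface against the subnet declaration that contains that interface's own address, so each interface named in dhcpd_flags has to carry an address inside "its" subnet block, and a request on vlan100 can only ever be answered from the 192.168.155.0/24 block. Checking the configuration with `dhcpd -n` before restarting shows syntax errors without touching running leases.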
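The three trust tiers Christian lists, expressed as a pf.conf added here for illustration (not his ruleset). The uplink name, the trusted VLAN interface, and the mapping of Denis's vlan100/vlan101 onto the two untrusted tiers are assumptions; the gateway is assumed to serve DHCP, DNS and NTP itself, as Christian's does.

```conf
# /etc/pf.conf (added example; interface names below are assumptions)
ext_if   = "pppoe0"    # assumed uplink
trusted  = "vlan99"    # assumed trusted-network interface
untr_out = "vlan100"   # untrusted, Internet access only
untr_in  = "vlan101"   # untrusted, nothing outside its own network
all_lan  = "{ " $trusted $untr_out $untr_in " }"

# Private address space: "outside access" means everything but this.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
block return log all

# Everything leaving the uplink is NATed to its address.
match out on $ext_if inet from !($ext_if) nat-to ($ext_if:0)

# Gateway services every network may use: DHCP (broadcast), DNS and NTP
# on any of the gateway's own addresses.
pass in quick on $all_lan inet proto udp to port bootps
pass in quick on $all_lan inet proto { tcp udp } to self port { domain ntp }

# Tier 1: trusted hosts may start any conversation, including into the
# other networks.
pass in on $trusted

# Tier 2: untrusted with outside access may reach anything that is not
# private address space, so never the other LANs.
pass in on $untr_out inet to !<private>

# Tier 3: untrusted without outside access gets no pass rule beyond the
# gateway services above; the default block covers everything else.

# Replies ride on the state entries; the gateway's own traffic is allowed out.
pass out
```

Because every pass rule keeps state, hosts in the other tiers can still answer connections that a trusted host opened to them (printer, SIP phone), which is exactly the "who can start talking to whom" distinction Christian describes; the log on the block rule gives a pflog(4) record of every attempt to cross a tier boundary.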