Problems with locking other networks / Ips

Hi, my neighbor wants to use my DSL. Because he has his own router, I pulled a cable to him and connected the WAN from his router to my green network. It works wonderfully. His router assigns the IPs in his network and gets the internet connection from my green network.

My green network:
His network from the router:

The problem: His computers on his network (different subnetwork that the router assigns) have access to my devices in the green network.

Now I thought I would set up a rule:
Source address:
Destination (firewall: GREEN)

Unfortunately, it doesn’t work as expected. Does somebody has any idea?
I want to lock his subnet out of my greenery and ONLY allow him to use red.

I also tried source = WAN MAC address from his router.

Thanks for Help :slight_smile:

Hey, does IPFire the DSL-Login or is there something in front of IPFire? If so option 1: plug your neighbor direct to that device or use a switch to bring RED of IPFire, that device and the net of your neibor together. That would be a kind of DMZ.
Option 2: bring up another NIC in IPFire and configure it to eg. ORANGE (other zone than GREEN) and plug him to that interface.
Maybe there are more options and others will have different ideas.
– simulacron

Thank you for your idea!

Unfortunately it is not possible. Based on hardware. There is only one cable from the IPFire to the switch where my neighbor is connected to. This is technically not possible because the cable is laid over many meters as an underground cable. In addition, Orange is already set up and there are several devices in the network.

So the solution would only involve major construction work.

It must be possible to isolate the network ?!

Yeah, you could also start to operate with VLANs. But that also requires additional hardware.
I don’t think that it’s a good approach to rely only on IP-based firewall rules since you can’t control the IP setup of your neighbor. So you need something port-based in terms of a network interface, either in hardware or as virtual device (eg. VLAN).

Yes, I am aware that the IP lock is not really secure. But unfortunately I have to work with it.

Most of the time it is possible to ban the traffic of the MAC address on green? I mean the MAC address from the router.

How will you ensure, that the suspected traffic passes the router/firewall? IP, MAC, whatever. If you plug something to GREEN then you simply can not control this with the firewall respective the traffic among each other. The router of your neighbor and any device behind that can connect direct to any device in your GREEN subnet. No rule in the firewall would ever see this traffic. It is probably the common mistake with you, that a firewall can filter within a network segment simply by making it a part of this network segment - but that’s totally wrong. Devices within the same network segment are communicating direct.

What’s left? Maybe you could work around this by defining a divergent netmask other then and force the traffic to be routed through IPFire this way although both are on the GREEN Zone. E.g. netmask which would separate your GREEN subnet into two parts, to .126 (yours) and to .254 (neighbors). At this point I wouldn’t know if this scenario is possible with IPFire and how rules, routing, dns, dhcp aso. are setup in this case.

But again, who garantees that the IP-Configuration of the neighbor-device stays as needed?