I've a pfsense firewall with a managed switch, and i created a VLAN: all works fine, but what i want to do is to block the communication between the hosts in my VLAN.
For example, i want that an host can't able to ping another host and an nmap scan show only the localhost and the virtual gateway.
How can i do that?
I try in this way (the first rule), but doesn't works.
VLAN pfSense – Block Communication Between Hosts in the Same VLAN
pfsensevlan
Related Solutions
I found my answer in the pfSense The Definitive Guide Version 2.1.
Small WAN IP subnet with larger LAN IP subnet
Some ISPs will give you a small IP subnet as the "WAN side" assignment, and route a larger "inside" subnet to your end of the WAN subnet. Commonly this is a /30 on the WAN side, and a /29 or larger for use inside the firewall. The provider's router is assigned one end of the /30, typically the lowest IP, and your firewall is assigned the higher IP. The provider then routes the LAN subnet to your WAN IP. You can use those additional IPs on a routed interface with public IPs directly assigned to hosts, or with NAT using Other VIPs, or a combination of the two. Since the IPs are routed to you, ARP is not needed, and you don't need any VIP entries for use with 1:1 NAT. Because pfSense is the gateway on the OPT1 segment, routing from OPT1 hosts to LAN is much easier than in the bridged scenario required when using a single public IP block. Figure 10.25, “Multiple public IPs in use — two IP blocks” shows an example that combines a routed IP block and NAT. Routing public IPs is covered in the section called “Routing Public IPs”, and NAT in Chapter 11, Network Address Translation.
So I made a spare interface OPT1 and assigned it one of the public IP addresses. Hung a small five port switch off OPT1 and plugged in my servers to it. The servers were then assigned a public IP address with the gateway set as the IP of OPT1. With this, I had to sacrifice one of my public IPs but I was able to directly assign a public IPs to servers on OPT1. At the same time, I was able to continue to use the rest of the spare public IPs as I did before with 1:1 NATs through to servers sat on the private LAN.
The rest of the setup was just setting up firewall rules to allow OPT1 <--> WAN.
UPDATE: Another step that is needed, is that any automatic outbound NAT rules need to be deleted for your public IP block. If they are not deleted the outbound NAT rules will make the public IP's go out as your WAN public IP rather than their own IP.
As noted in the manual here: https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html
If you add a distributed portgroup with VLAN 4095, that port group will keep 802.1Q frame tags set by pfSense virtual machine.
This configuration is known in vSphere parlance as VGT or Virtual Guest Tagging, see KB 1003806 and KB 1004252.
Best Answer
As has already been stated, communication between devices on the same VLAN (or layer-2 segment) does not cross a router but only the switch(es) in between the devices.
Depending on the switches' capabilities, there are several methods to control traffic within a VLAN.
ACLs work by permiting or denying certain source/destination IPs, or TCP or UDP ports. E.g. you can permit all devices within the 10.1.2.0/24 to communicate with a server at 10.1.2.10 while denying all other inter-VLAN traffic:
Port-based filtering works by limiting the client ports to communication with the server and router ports and filtering all else. This is sometimes also called protected ports or source-port filtering where these ports are not allowed to communicate with each other. Port-based filtering doesn't work well across up and downlinks as they cannot distinguish between wanted server and unwanted peer traffic across multiple switches.