Isolating some client by IPs



  • Good morning everyone,
    I have just built my first pfSense box and it works very well. Now I'm trying to play with the network configuration…

    In my house I have assigned DHCP reservations for 20 devices (TV, laptop, server, Raspberry, etc.) with IPs before x.y.z.128, and these devices can be connected by ETH or WiFi. The DHCP server can assign addresses only from x.y.z.128-x.y.z.160.
    What I want to achieve is that my reserved clients can see each other and access everywhere, but the clients in the DHCP range (that are "guests") can't access the machines outside the DHCP range.

    I have no preference to solve this problem ;)

    P.S. I don't want to use the GUEST WiFi network option, only one SSID
    P.P.S I'm a software engineer and in my home I have a managed switch that supports VLAN


  • LAYER 8 Global Moderator

    pfSense cannot isolate devices that are on the same network/VLAN - pfSense doesn't have anything to do with devices on the same network/VLAN talking to each other.  If you want to isolate, then you need to put the devices that you don't want talking to each other on different VLANs.



  • @johnpoz:

    pfSense cannot isolate devices that are on the same network/VLAN - pfSense doesn't have anything to do with devices on the same network/VLAN talking to each other.  If you want to isolate, then you need to put the devices that you don't want talking to each other on different VLANs.

    As I imagined, I will need to use VLANs… Or I will use the GUEST option of the wifi AP.

    But when I have different VLANs, can I set which IPs can access the other VLAN? I think yes... In this case I will put all the ETH devices in VLAN1, the WAP in another one (VLAN2), and set that the chosen addresses of VLAN2 can access VLAN1. Good?


  • LAYER 8 Global Moderator

    No, you wouldn't want to use the guest option of your AP.  Is it a real AP or some wifi router you're using as an AP?

    But sure, you can let specific IPs from one VLAN talk to specific IPs in the other VLAN or any device.  The level of access between the VLANs is up to you and how you create your firewall rules.
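
The two points made in the moderator's replies, modelled as an added example (not part of the thread and not pfSense code): traffic inside one subnet never reaches the firewall, while traffic between VLANs is matched top-down against the rules on the interface it enters, first match wins, default deny. The 192.168.x.x addresses, the "chosen" laptop at .10 and the rule list are constructed assumptions, since the thread only gives x.y.z.

```python
import ipaddress

# Constructed addressing (assumption; the thread only says x.y.z.*).
FLAT = [ipaddress.ip_network("192.168.1.0/24")]     # original idea: one subnet
TRUSTED = ipaddress.ip_network("192.168.10.0/24")   # VLAN1: wired/reserved devices
GUEST = ipaddress.ip_network("192.168.20.0/24")     # VLAN2: wifi AP and guests
VLANS = [TRUSTED, GUEST]

# Hypothetical rules for traffic entering the firewall on the guest (VLAN2)
# interface: (action, source network, destination network).
GUEST_RULES = [
    ("pass",  "192.168.20.10/32", "192.168.10.0/24"),  # chosen laptop -> VLAN1
    ("block", "192.168.20.0/24",  "192.168.10.0/24"),  # other guests  -> VLAN1
    ("pass",  "192.168.20.0/24",  "0.0.0.0/0"),        # guests -> internet
]

def same_segment(src, dst, networks):
    """True when both hosts share a subnet: frames go host to host through
    the switch, so the firewall never sees them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n and d in n for n in networks)

def decide(src, dst, networks=VLANS, rules=GUEST_RULES):
    """Outcome for a packet from src to dst in this simplified model."""
    if same_segment(src, dst, networks):
        return "on-link (not filtered)"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action          # first matching rule wins
    return "block"                 # nothing matched: default deny

if __name__ == "__main__":
    # Flat network: a guest at .130 reaches a reserved host at .10 unfiltered.
    print(decide("192.168.1.130", "192.168.1.10", networks=FLAT))
    # Two VLANs: only the chosen wifi address may reach VLAN1.
    for src, dst in [("192.168.20.10", "192.168.10.5"),
                     ("192.168.20.50", "192.168.10.5"),
                     ("192.168.20.50", "8.8.8.8")]:
        print(src, "->", dst, ":", decide(src, dst))
```

Guests on VLAN2 can still reach each other in this model, because that traffic stays on-link as well.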



  • You could try setting everything up in VLANs, and then you may configure it with switch ACLs if a managed switch is in use.

