I have my home network partitioned into multiple subnets for normal security reasons. For simplicity, let's say there's a WAN, LAN, DMZ (where my servers live), and one more network for IoT devices. The LAN network can make connections into both the DMZ and IoT networks, while the DMZ and IoT networks can only make connections to the WAN, not to the LAN or to each other. Firewall rules on the pfSense box sitting between those networks enforce this correctly.
I run Avahi on the pfSense box so that I can discover devices on the DMZ and IoT networks from the LAN network. This works, but it also means that devices on all networks are visible to devices on the DMZ and IoT networks. Granted, they can't connect to them, but I'd rather they not be visible at all.
Is there some way I can modify the Avahi config and/or firewall rules such that Avahi will be aware of devices on those insulated networks but not broadcast anything out to them?