<![CDATA[Client isolation?]]>not 100% related to pfsense but i'm sure somebody on here will know.
my friend has a 50 bedroom hotel and wants to provided wired access to each room so client isolation comes into the equation.
easy with wireless but wired? first thought is to put every room on a seperate vlan but 50 vlans (1 per room?)
anybody come across this before? we are looking at 3 x 24 port zyxel managed switches to a pfsense firewall.

regards,
louis

]]>https://forum.netgate.com/topic/20673/client-isolationRSS for NodeSun, 14 Jun 2026 22:32:57 GMTThu, 14 Jan 2010 08:30:01 GMT60<![CDATA[Reply to Client isolation? on Fri, 12 Mar 2010 00:52:46 GMT]]>johnjces:
Some access points have a feature you can enable to do that and pfSense also has a simple checkbox to do it when it acts as the access point (with a wireless network card supporting access point mode in FreeBSD).  Any further discussion of this should probably go in a different thread.

]]>https://forum.netgate.com/post/225873https://forum.netgate.com/post/225873Fri, 12 Mar 2010 00:52:46 GMT<![CDATA[Reply to Client isolation? on Thu, 11 Mar 2010 22:35:44 GMT]]>Quick question… as I am pretyt stupid when it comes to this, but...

so client isolation comes into the equation. easy with wireless

Can this be done with pfSense and wireless Access Points? If so, how? Or wherfe to search. I've Googled but really never found anything.

TIA!

John

]]>https://forum.netgate.com/post/225863https://forum.netgate.com/post/225863Thu, 11 Mar 2010 22:35:44 GMT<![CDATA[Reply to Client isolation? on Tue, 19 Jan 2010 01:24:27 GMT]]>It depends on if the switch has the capability to filter layer 3 traffic like that. I don't have experience with the Zyxel switches so I'm not sure if they are capable of that.

]]>https://forum.netgate.com/post/219966https://forum.netgate.com/post/219966Tue, 19 Jan 2010 01:24:27 GMT<![CDATA[Reply to Client isolation? on Fri, 15 Jan 2010 21:50:26 GMT]]>yeah i like the thought of that…...
a primary vlan with secondary vlans within that can only communicate with the primary vlan. just wondering if an ACL would work on the port eg only allow anything on the port to communicate with IP of gateway.

]]>https://forum.netgate.com/post/219682https://forum.netgate.com/post/219682Fri, 15 Jan 2010 21:50:26 GMT<![CDATA[Reply to Client isolation? on Thu, 14 Jan 2010 21:15:31 GMT]]>There is also a feature on cisco switches called private VLANs and public VLANs.
All of the members of the private VLAN (clients) can only communicate with the machines on a public VLAN (pfsense).
It might be worth looking to see if the zyxel switches support it to avoid creating many separate VLANs.

]]>https://forum.netgate.com/post/219573https://forum.netgate.com/post/219573Thu, 14 Jan 2010 21:15:31 GMT<![CDATA[Reply to Client isolation? on Thu, 14 Jan 2010 22:07:55 GMT]]>Yes i have done that before.
We used it for a LAN party, so that everyone that comes the first time and isn't registered yet is in it's own VLAN.
Additionally he's blocked from the internet by the captive portal, but all the "big" antivirus pages were on the passthrough IP list. (To update anti-virus definitions).
After registration and check by a staff if his antivirus is up to date and a full-scan-log his port/MAC gets moved to the public VLAN.

I dont think that you need anything from the pfSense for your scenario.
So just rules on the switch.

]]>https://forum.netgate.com/post/219480https://forum.netgate.com/post/219480Thu, 14 Jan 2010 22:07:55 GMT