Netgate Discussion Forum

    Prevent 1 computer on the network from communicating with the rest of the LAN?

    General pfSense Questions
    • elementalwindx

      What is the best way to achieve this?

      I have 1 computer on the LAN I want nobody else to be able to communicate with.

      I've created a rule in the firewall on the LAN such as this: IPv4 * 192.168.99.3 * * * * none

      and I even went in and reset the states but that doesn't seem to stop it from being able to browse smb shares on the network. It does stop it from going to websites though.

      The only thing this machine needs is access so that people internally and externally can RDP into it and that is it.

      Edit

      I imagine since it's inside the LAN itself, the firewall isn't able to block communication say between 192.168.99.3 and 192.168.99.10? If that's true then what would be a good idea? I guess VLANing that port? :/

      • Derelict LAYER 8 Netgate

        That has to be handled in your switch, as you surmise. Your router isn't involved in same-subnet traffic.

        Else yes, you need to put the host you want to restrict on another interface/subnet and pass only what you want it to have access to.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • johnpoz LAYER 8 Global Moderator

          Yup, if you need to isolate client A from client B you need to put them on different VLANs/network segments and then pfSense can firewall/route that traffic for you.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            • jimp Rebel Alliance Developer Netgate

            Or get a switch with port isolation (even the cheap TP-Link gig switches have it). Then they can only talk to the gateway and never to each other (on ports where you have that set).

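The behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not pfSense code: a simplified first-match model showing which flows ever reach the router, before and after the host is moved to its own subnet. The /24 masks, the 192.168.100.0/24 subnet, the 192.168.100.3 address, 203.0.113.10 and the rule lists are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the /24 masks, the 192.168.100.0/24 isolated subnet and
# 203.0.113.10 are assumptions; only 192.168.99.3 and .10 appear in the thread.
LAN = "192.168.99.0/24"
ISOLATED = "192.168.100.0/24"

# (action, source, destination, destination port or None for any)
OP_LAN_RULES = [("block", "192.168.99.3/32", "0.0.0.0/0", None),
                ("pass", LAN, "0.0.0.0/0", None)]
ISOLATED_IF_RULES = [("block", ISOLATED, "0.0.0.0/0", None)]
LAN_IF_RULES = [("pass", LAN, "192.168.100.3/32", 3389),
                ("block", LAN, ISOLATED, None),
                ("pass", LAN, "0.0.0.0/0", None)]


def traverses_router(src, dst, src_net):
    """A host sends off-subnet packets to its gateway; same-subnet packets
    are delivered by the switch and never reach the router."""
    net = ip_network(src_net)
    if ip_address(src) not in net:
        raise ValueError(f"{src} is not in {src_net}")
    return ip_address(dst) not in net


def verdict(rules, src, dst, dport, src_net):
    """Simplified first-match evaluation on the interface the packet enters.
    Returns 'switched' when no router rule can apply at all."""
    if not traverses_router(src, dst, src_net):
        return "switched"
    for action, rsrc, rdst, rport in rules:
        if (ip_address(src) in ip_network(rsrc)
                and ip_address(dst) in ip_network(rdst)
                and rport in (None, dport)):
            return action
    return "block"  # nothing matched: default deny


if __name__ == "__main__":
    # Original layout: SMB to a LAN neighbour bypasses the rule, web is blocked.
    print(verdict(OP_LAN_RULES, "192.168.99.3", "192.168.99.10", 445, LAN))
    print(verdict(OP_LAN_RULES, "192.168.99.3", "203.0.113.10", 443, LAN))
    # Host moved to its own subnet as 192.168.100.3 (hypothetical address).
    print(verdict(ISOLATED_IF_RULES, "192.168.100.3", "192.168.99.10", 445, ISOLATED))
    print(verdict(LAN_IF_RULES, "192.168.99.10", "192.168.100.3", 3389, LAN))
    print(verdict(LAN_IF_RULES, "192.168.99.10", "192.168.100.3", 445, LAN))
```

The model does not track state: on a stateful firewall the replies to a passed RDP connection are allowed by the state that connection created, so the block rule on the isolated interface does not break inbound RDP.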
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.