Block communication between hosts in the same VLAN
I have a pfSense firewall with a managed switch, and I created a VLAN: all works fine, but what I want to do is to block the communication between the hosts in my VLAN.
For example, I want a host to be unable to ping another host, and an nmap scan to show only the local host and the virtual gateway.
How can I do that?
I tried it this way (the first rule), but it doesn't work.
vlan pfsense
asked Aug 26 at 15:59 by fm959
Traffic between hosts on the same VLAN goes directly from host to host, not through a router. A switch is a transparent device that simply switches frames based on the destination MAC address, and it floods unknown destinations to all interfaces. There are layer-2 firewalls, but how do you place one between every device on the VLAN if the switch sends the traffic directly to the destination host? Some switch vendors offer what may be called Private VLANs, but that will block all traffic between devices in the same VLAN.
– Ron Maupin, Aug 26 at 16:12
3 Answers
As has already been stated, communication between devices on the same VLAN (or layer-2 segment) does not cross a router but only the switch(es) in between the devices.
Depending on the switches' capabilities, there are several methods to control traffic within a VLAN.
- VLAN-based ACLs: packets are filtered when entering a certain VLAN from a port or by layer-3 switching
- port-based ACLs: packets are filtered when they are received on a certain port
- port-based filtering: packet flows are limited to certain ingress/egress port combinations
ACLs work by permitting or denying certain source/destination IPs, or TCP or UDP ports. E.g. you can permit all devices within the 10.1.2.0/24 to communicate with a server at 10.1.2.10 while denying all other inter-VLAN traffic:
1000 permit ip 10.1.2.0/24 10.1.2.10/32
1010 permit ip 10.1.2.10/32 10.1.2.0/24
1020 deny ip 10.1.2.0/24 10.1.2.0/24
9999 permit ip any any
Port-based filtering works by limiting the client ports to communication with the server and router ports and filtering all else. This is sometimes also called protected ports or source-port filtering, where these ports are not allowed to communicate with each other. Port-based filtering doesn't work well across up- and downlinks, as they cannot distinguish between wanted server and unwanted peer traffic across multiple switches.
edited Aug 26 at 18:20, answered Aug 26 at 16:51 by Zac67
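The ACL in Zac67's answer is evaluated top-down in sequence order and the first matching entry wins, so the order of the permit and deny entries decides the policy. The following Python is an added example, not code from the answer or from any switch vendor: it parses rules in the answer's `seq action ip src dst` form and evaluates constructed sample flows, so the effect of ordering, of the implicit deny at the end of an ACL, and of a duplicate sequence number is visible. The rule lines are the answer's, with the deny entry renumbered to 1020 so that sequence numbers are unique; the client addresses in the flows are constructed.

```python
"""Worked evaluation of a sequence-ordered, first-match IP ACL.

Added example (not from the answer above or any vendor implementation).
Rule format: '<seq> permit|deny ip <src-cidr|any> <dst-cidr|any>'.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The answer's rules; the deny entry is renumbered to 1020 so that every
# sequence number is unique (entries are matched in sequence order).
ACL_TEXT = """
1000 permit ip 10.1.2.0/24 10.1.2.10/32
1010 permit ip 10.1.2.10/32 10.1.2.0/24
1020 deny ip 10.1.2.0/24 10.1.2.0/24
9999 permit ip any any
"""

Rule = Tuple[int, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' matches every address; anything else is a CIDR prefix."""
    return ipaddress.IPv4Network("0.0.0.0/0" if token == "any" else token)


def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines and return them sorted by sequence number.
    A duplicate sequence number is rejected, as a switch would reject it."""
    rules: List[Rule] = []
    seen = set()
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        seq_s, action, proto, src, dst = line.split()
        seq = int(seq_s)
        if seq in seen:
            raise ValueError(f"duplicate sequence number {seq}")
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported rule: {line}")
        seen.add(seq)
        rules.append((seq, action, _net(src), _net(dst)))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First match wins; (action, sequence). No match models the implicit
    deny at the end of every ACL and returns ('deny', None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, action, snet, dnet in rules:
        if s in snet and d in dnet:
            return action, seq
    return "deny", None


def intra_vlan_matrix(rules: List[Rule], hosts: List[str]) -> Dict[Tuple[str, str], str]:
    """Action for every ordered pair of hosts: a quick policy review before
    the ACL is pushed to the switch."""
    return {(a, b): evaluate(rules, a, b)[0] for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed flows: two clients, the server 10.1.2.10, one off-VLAN host.
    for flow in [("10.1.2.20", "10.1.2.10"), ("10.1.2.10", "10.1.2.20"),
                 ("10.1.2.20", "10.1.2.21"), ("10.1.2.20", "192.0.2.1")]:
        print(f"{flow[0]} -> {flow[1]}: {evaluate(acl, *flow)}")
    for pair, action in intra_vlan_matrix(acl, ["10.1.2.10", "10.1.2.20", "10.1.2.21"]).items():
        print(f"{pair[0]} -> {pair[1]}: {action}")
```

The final `permit ip any any` is what keeps traffic leaving the VLAN (towards the gateway and beyond) working; without it the implicit deny would cut the clients off from everything except the server. Placing the client-to-client deny before the server permit would block the server too, which is why the matrix helper is worth running over the real host list before deploying.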
Aside from what Ron Maupin said (Private VLANs), another (sometimes better) option is to apply what is called a VACL (VLAN ACL). A VACL is different from a RACL (a router ACL), in that a RACL filters layer-3 traffic while a VACL filters layer-2 traffic, allowing you to filter traffic between hosts on the same VLAN.
Here is an example of how to use a VACL. This document is for a Cisco 6500 switch but you can adapt it to pretty much any other model.
Here is a similar document for Cisco 3850 switches if it makes it closer to what you have.
edited Aug 26 at 16:21, answered Aug 26 at 16:15 by Jesse P.
As far as your current network design goes, you can't do this with your existing pfSense box.
To do this with your current environment, you have to add something between your two clients, either by segmenting them into different VLANs, or by adding some kind of extra security device.
Your network design needs to group things together that are logically the same.
For example, all accounting PCs could be in one VLAN along with their local server, dev PCs in another VLAN, and dirty untrusted devices in a third.
Phones are often in their own network too, as are management interfaces of switches, and security cameras.
Each VLAN has its own firewall rules in pfSense, showing where traffic may go.
There are probably nuances of your network that we don't know, so consider a whole rethink.
The short answer is to put one or other device on its own VLAN and route between VLANs using your pfSense box or a layer-3 core switch if you have one.
Another possible option is to use subnetting.
Client A could be in the lower half of a /24 block, and client B could be in the upper half. If each host is configured to use /25 (or 255.255.255.128) as its netmask, AND the default gateway is configured with a /24, then each client will talk to the other via the gateway. Whether your pfSense box runs this through the interface's firewall rules or not needs testing.
edited Aug 27 at 4:14, answered Aug 26 at 23:48 by Criggie
This answer has nothing to do with the OP's question. They asked about filtering traffic between hosts on the same VLAN (layer 2). What you wrote about would only be valid for hosts on DIFFERENT VLANs (layer 3).
– Jesse P., Aug 27 at 3:46
@JesseP. Fair point - clarified that this is what OP needs to do to achieve their goals. Have also added some thoughts about IPv4 subnetting as a possible half-arse way to do it, but this needs testing.
– Criggie, Aug 27 at 4:15
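Ron Maupin's comment and Criggie's /25 suggestion both come down to the sending host's own forwarding decision: a packet is handed to the default gateway (the pfSense box, the only place its firewall rules can act) only when the host decides the destination is outside the network derived from its own address and mask; otherwise it ARPs for the destination and the switch forwards by MAC address. The following Python is an added example, not code from the question or from any answer. It models that decision for constructed hosts in 10.1.2.0/24 with the gateway assumed to be 10.1.2.1 keeping a /24, and includes the check a practitioner would want before trying the /25 scheme: whether each host's configured gateway is still inside its own /25.

```python
"""Model of a host's next-hop decision on a single VLAN.

Added example, not code from the question or answers. Addresses are
constructed: clients in 10.1.2.0/24, gateway assumed to be 10.1.2.1 with a
/24. Only the layer-3 next-hop choice is modelled; the switch is transparent
and forwards by MAC address, so it never appears as a hop.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

GATEWAY = "10.1.2.1"        # assumed pfSense VLAN interface address
GATEWAY_PREFIXLEN = 24      # the gateway keeps the full /24 in Criggie's scheme


@dataclass(frozen=True)
class Host:
    name: str
    address: str
    prefixlen: int           # the mask configured on the host itself
    gateway: str = GATEWAY

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.address}/{self.prefixlen}").network

    def on_link(self, dst: str) -> bool:
        """A host treats dst as directly reachable (ARP + switch, no router)
        when dst lies inside the network derived from its own address and mask."""
        return ipaddress.ip_address(dst) in self.network()

    def gateway_on_link(self) -> bool:
        """A default gateway outside the host's own prefix is off-link; most
        IP stacks refuse such a route unless it is explicitly marked on-link."""
        return self.on_link(self.gateway)


def path(src: Host, dst: Host) -> List[str]:
    """Layer-3 hops from src to dst. 'gateway' appears only when src decides
    dst is off-link, i.e. only then can a firewall rule on the gateway act."""
    hops = [src.name]
    if src.on_link(dst.address):
        hops.append(dst.name)           # switch forwards by MAC; no router involved
        return hops
    hops.append("gateway")              # packet is sent to the gateway's MAC
    gw_net = ipaddress.ip_interface(f"{src.gateway}/{GATEWAY_PREFIXLEN}").network
    # With a /24 on the gateway both halves sit on its VLAN interface, so it
    # forwards the packet back out of the same interface towards dst.
    hops.append(dst.name if ipaddress.ip_address(dst.address) in gw_net else "routed elsewhere")
    return hops


def firewall_sees(src: Host, dst: Host) -> bool:
    """True only when the packet is handed to the gateway."""
    return "gateway" in path(src, dst)


if __name__ == "__main__":
    a24, b24 = Host("A", "10.1.2.5", 24), Host("B", "10.1.2.200", 24)
    a25, b25 = Host("A", "10.1.2.5", 25), Host("B", "10.1.2.200", 25)
    print("both /24:      ", path(a24, b24))        # ['A', 'B']
    print("both /25:      ", path(a25, b25))        # ['A', 'gateway', 'B']
    print("A /24, B /25:  ", path(a24, b25))        # ['A', 'B']
    print("B gateway on-link:", b25.gateway_on_link())   # False
```

Two things the model makes visible. First, a host that still carries a /24 mask reaches the other half directly, so the scheme depends on every host honouring the narrower mask; nothing on the switch or the firewall enforces it, which is the point Jesse P. makes about it being a layer-3 arrangement rather than a same-VLAN filter. Second, hosts in the half that does not contain the gateway address end up with an off-link default gateway, which most stacks reject unless an explicit on-link route is added, so that half needs extra configuration before the hairpin through pfSense can even be tested.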