Block or isolated device in same network

Started by monkeydelufy, February 24, 2025, 04:16:45 AM

Hi guys,

Newbie here, trying to figure out whether it is possible to block devices within the same network. For example,
can IP 192.168.1.10 be prevented from reaching IP 192.168.1.11? I am trying to isolate them from each other. Is that possible?

Thanks

No, not within a single subnet, where devices communicate without the router noticing.
Deciso DEC697
+crowdsec +wireguard

To expand on that, you would need to force traffic between devices through the firewall. For instance, I use my firewall as the central aggregation point for all of my equipment. I do this for visibility and control. You may have other priorities.

Some managed switches can filter between devices in a single broadcast domain depending on layer 3 and 4 information.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

So there is no solution for this? All my devices are connected through OPNsense and also get their IP from OPNsense; still no clue for this?

There is no solution for this. All devices connected to a single network can communicate with each other.

To be able to control traffic between two or more devices with a firewall they must be connected to different interfaces of that firewall so the traffic passes through the firewall.

This is how networks work.

As I wrote there are switches that can perform firewall functions across all of their ports. Get one of those.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Or you can check out things like private VLANs or port isolation.

But the IP standard assumes that devices in the same subnet can communicate with each other via layer 2.

Quote from: bimbar on February 25, 2025, 11:08:45 AM
Or you can check out things like private VLANs or port isolation.

Which again needs a more than "dumb" switch supporting these features. But valid point, of course.

BTW: @monkeydelufy if it's wireless devices you are thinking of many APs support something called "client isolation". So possibly you would not even need a new device.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 25, 2025, 11:13:13 AM
Quote from: bimbar on February 25, 2025, 11:08:45 AM
Or you can check out things like private VLANs or port isolation.

Which again needs a more than "dumb" switch supporting these features. But valid point, of course.

BTW: @monkeydelufy if it's wireless devices you are thinking of many APs support something called "client isolation". So possibly you would not even need a new device.

My network right now is like this:
2 Ethernet ports:
1 WAN port
1 LAN port; all devices are directly connected to ether2 (LAN), and this LAN is not connected to a switch. It connects directly to a server which hosts the virtualization.
My goal is just to isolate each VM for protection. Huft..

Then create one VLAN per VM ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 25, 2025, 11:22:38 AM
Then create one VLAN per VM ...

Create a VLAN without a switch? Still confusing to me, I need advice.

Create VLAN on OPNsense and on the connected host. No switch needed. Now how to do that on the host depends on the product you are using.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on February 25, 2025, 11:35:16 AM
Create VLAN on OPNsense and on the connected host. No switch needed. Now how to do that on the host depends on the product you are using.

Ohh I see, so I create a VLAN for each VM. It makes sense, but it is more difficult if I have a lot of VMs.
But still not secure enough.

February 25, 2025, 11:57:47 AM #13 Last Edit: February 25, 2025, 12:34:26 PM by Patrick M. Hausen
Quote from: monkeydelufy on February 25, 2025, 11:40:56 AM
but still not secure enough.
Why? VLANs are completely isolated from each other and you can control what is permitted and what isn't with as much granularity as you like. It does not get "more secure" than one network segment per VM.

P.S. You could also use your hypervisor's firewall, probably.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
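The point made throughout this thread (hosts on one layer-2 segment reach each other without the firewall ever seeing the traffic, so filtering between two VMs only works once each VM sits on its own interface or VLAN) can be shown as a small reachability model. This is an added, constructed example, not code from the thread, from OPNsense or from any hypervisor; the host names, addresses, segment names and the first-match rule semantics are assumptions chosen to mirror the two setups discussed above (flat LAN vs. one VLAN per VM).

```python
"""Constructed model of layer-2 vs. firewall-mediated reachability.

Same segment  -> frames are delivered switch-port to switch-port (or vNIC to
                 vNIC on the hypervisor), the firewall is bypassed entirely.
Other segment -> the packet is routed through the firewall, whose rule set
                 decides. Rules are evaluated first match wins, with an
                 implicit deny at the end (assumed semantics, not a product API).
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str  # the layer-2 segment (interface or VLAN) the host is attached to


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "pass" or "block"


@dataclass(frozen=True)
class Firewall:
    rules: Tuple[Rule, ...]
    default: str = "block"   # implicit deny when no rule matches

    def decide(self, src: Host, dst: Host, port: int) -> str:
        for r in self.rules:
            if (r.src_segment == src.segment and r.dst_segment == dst.segment
                    and r.dst_port in (None, port)):
                return r.action
        return self.default


def path(src: Host, dst: Host, port: int, fw: Firewall) -> Tuple[str, str]:
    """Return (verdict, reason) for traffic src -> dst:port."""
    if src.segment == dst.segment:
        # ARP resolves dst directly inside the broadcast domain; the frame never
        # touches the firewall, so the rule set cannot influence the outcome.
        return "pass", (f"{src.name} -> {dst.name}: same segment {src.segment}, "
                        "layer-2 delivery, firewall bypassed")
    verdict = fw.decide(src, dst, port)
    return verdict, f"{src.name} -> {dst.name}: routed {src.segment} -> {dst.segment}, rule set says {verdict}"


def flat_lan_demo() -> str:
    """Both VMs on the single LAN: even an explicit LAN->LAN block rule never fires."""
    vm1 = Host("vm1", "192.168.1.10", "LAN")
    vm2 = Host("vm2", "192.168.1.11", "LAN")
    fw = Firewall(rules=(Rule("LAN", "LAN", None, "block"),))
    return path(vm1, vm2, 22, fw)[0]


def per_vm_vlan_demo() -> Tuple[str, str]:
    """One VLAN per VM: only what the rule set permits (here tcp/443) gets through."""
    vm1 = Host("vm1", "10.10.0.2", "VLAN10")
    vm2 = Host("vm2", "10.20.0.2", "VLAN20")
    fw = Firewall(rules=(Rule("VLAN10", "VLAN20", 443, "pass"),))
    https = path(vm1, vm2, 443, fw)[0]
    ssh = path(vm1, vm2, 22, fw)[0]
    return https, ssh


if __name__ == "__main__":
    print("flat LAN, ssh vm1->vm2:", flat_lan_demo())
    print("per-VM VLAN, (https, ssh) vm1->vm2:", per_vm_vlan_demo())
```

The same model covers private VLANs, switch port isolation and AP client isolation mentioned earlier in the thread: each of those mechanisms effectively puts the hosts into separate segments so that the only remaining path runs through the firewall, which is where granular per-port policy becomes possible.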

I will try using VLANs then.
BTW, thanks guys for the feedback and advice.