Block access from green host to other green host

Hey there guys,

is it possible to prevent users within the green network from accessing a specific device which is also in the green network?

IPFire gives me a note that this rule will not work (and it really doesn’t), but why? It should be possible to block traffic between two IPs even if they are in the same subnet.



Any traffic between two hosts on the same subnet does not go via IPFire. It goes directly from the first host to the second host.


Hmm… ok, that sort of makes sense. :smiley:

So, there is no possibility, not even on Layer 2 to prevent communication between two hosts on the green network? I mean, in the blue network there is client isolation (for all hosts), maybe this is achievable for single hosts on the green network, too?

Short answer: yes, you need to enforce your policy at the switch level.

Long answer follows.

Isolating hosts within the BLUE network in IPFire (or any similar network segment designated for wireless or less trusted devices) is possible because of the capabilities of the wireless access point or the wireless controller managing the network.

Many wireless access points have a feature known as “client isolation,” “AP isolation,” or “station isolation.” This feature prevents wireless clients (devices connected to the WAP) from communicating directly with each other over the wireless network. Instead, all traffic must go through the access point, which can then enforce policies to restrict direct client-to-client communication. Since all wireless clients communicate through the access point, it’s easier to enforce isolation at this central point.

To achieve the isolation of hosts within the same network segment of a wired subnet, you would typically use features available at the switch level. In other words, you would need a managed switch that supports special features, some of which are listed below.

Some managed switches support Private VLANs, a feature that allows you to isolate devices within the same VLAN. In a PVLAN setup, devices can be configured in such a way that they can communicate with a designated uplink (like a router or firewall) but not with each other. This is commonly used in environments like hotels or apartment buildings to prevent guests from accessing each other’s devices.

Some advanced switches offer ACL capabilities, allowing you to define rules that govern the traffic between different ports on the switch. By setting up ACLs, you can specify that certain devices (or ports) are not allowed to communicate with each other.

Similar to PVLANs, port isolation (or private VLAN edge) is a feature on some switches that isolates traffic between ports within the same VLAN. Each port in an isolated VLAN can only communicate with uplink ports.

Finally, if you have a Layer 3 switch (a switch with routing capabilities), you can segment your network into different subnets and then use ACLs or routing rules to control traffic between these subnets.
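As an added illustration of the two points made above (same-subnet traffic never reaches the router, and private VLAN / port-isolation roles decide which ports may talk), here is a small Python model. It is an example added to this thread, not IPFire code or a real switch configuration; the subnets, port names and community names are made up for the example, and the PVLAN rules it encodes are the generic ones (isolated ports reach only the uplink, community ports reach the uplink and their own community).

```python
"""
Added example (not IPFire code): a model of why a firewall rule cannot block
traffic between two hosts on the same subnet, and of the private VLAN /
port-isolation roles a managed switch uses to enforce such a policy instead.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: two subnets routed by IPFire (addresses made up).
GREEN = ipaddress.ip_network("192.168.1.0/24")
BLUE = ipaddress.ip_network("192.168.2.0/24")
ROUTED_NETWORKS = [GREEN, BLUE]


def traverses_firewall(src: str, dst: str, networks=ROUTED_NETWORKS) -> bool:
    """Return True if a packet from src to dst must pass through the router.

    A host delivers directly (ARP + Layer 2) when the destination lies in its
    own subnet; only traffic leaving the subnet is sent to the gateway, so only
    that traffic can ever be matched by a firewall rule on IPFire.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in networks:
        if s in net and d in net:
            return False  # same subnet: the switch delivers it, IPFire never sees it
    return True


@dataclass(frozen=True)
class Port:
    """Role of a switch port in a private-VLAN (or port-isolation) setup."""
    name: str
    role: str            # "promiscuous" (uplink to IPFire), "isolated" or "community"
    community: str = ""  # only meaningful when role == "community"


def pvlan_allows(a: Port, b: Port) -> bool:
    """Decide whether two ports in one private VLAN may exchange frames.

    - promiscuous ports (the uplink towards the router) talk to everyone
    - isolated ports talk only to promiscuous ports
    - community ports talk to promiscuous ports and to their own community
    """
    roles = {"promiscuous", "isolated", "community"}
    if a.role not in roles or b.role not in roles:
        raise ValueError(f"unknown port role: {a.role!r} / {b.role!r}")
    if "promiscuous" in (a.role, b.role):
        return True
    if "isolated" in (a.role, b.role):
        return False
    return a.community == b.community  # both are community ports


def reachable_pairs(ports):
    """List every pair of ports that may communicate; useful to audit a design."""
    allowed = []
    for i, a in enumerate(ports):
        for b in ports[i + 1:]:
            if pvlan_allows(a, b):
                allowed.append((a.name, b.name))
    return allowed


if __name__ == "__main__":
    # A firewall rule between two green hosts is never evaluated.
    print("green->green via IPFire:", traverses_firewall("192.168.1.10", "192.168.1.20"))
    # Green to blue is routed, so a forwarding rule applies.
    print("green->blue via IPFire:", traverses_firewall("192.168.1.10", "192.168.2.10"))

    # Constructed port plan: the printer sits in the "office" community, so only
    # office ports and the uplink reach it; the restricted user port is isolated.
    uplink = Port("port24", "promiscuous")
    printer = Port("port1", "community", "office")
    office_pc = Port("port2", "community", "office")
    restricted_pc = Port("port3", "isolated")
    for pair in reachable_pairs([uplink, printer, office_pc, restricted_pc]):
        print("allowed:", pair)
```

Running the script prints that green-to-green traffic does not traverse IPFire while green-to-blue does, and lists only the uplink pairs plus (printer, office PC) as allowed; the isolated port reaches nothing but the uplink.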


Hey cfusco,

thanks for the clarification regarding the blue network and the “routing” through the AP… never thought of it that way but of course, you’re right. Something learnt! :nerd_face:

The thing about VLANs is obviously right, but of course it requires some more specific hardware, e.g. switches that support trunking and client devices that may support tagged VLANs (if more than one is needed).

Anyway, the question to myself was whether it would be possible within the IPFire environment, and the last thing that came to my mind was Squid. If I “force” a client to use the proxy server even in the same subnet, maybe it would work this way? But then again, probably not, because it’s still the same subnet…

It would be really nice to have an option for this. In my case there are different network printers (sadly the critical one has no IP-blocking option) and I want some users in the network to not use it.

Greetings and thanks to both of you!