Help needed with network design (Client isolation on same subnet)

I hope this can be clarifying for others new to networking too.

I’ve been trying to isolate a single device from communicating with other devices on my network while still reaching the internet. While trying to do this I’ve realized I have likely been very mistaken about how my firewall works, i.e., that it won’t do anything to block traffic between clients on the same subnet.

My design had been to set my DHCP server to assign addresses between xx.xx.xx.100 to xx.xx.xx.200.
I then created an alias that contained all these addresses and called it “Unapproved_Clients”, and finally a firewall rule that blocked “Unapproved_Clients” from reaching anything. I then manually added a static mapping for each device I wanted to approve, with an address below xx.xx.xx.100.

However, I realize now that these rules did nothing to prevent an unapproved client that somehow got access to my wifi from communicating with the other devices on the subnet. I had mistakenly assumed that the firewall rule allowed me to block access to the subnet itself, when in fact it was only blocking access to the internet and the rest of my network. My firewall has no power to control what happens between devices on the same subnet, since that traffic never hits the firewall in the first place. So a potential intruder on my wifi network could gain access to the other devices on the same wifi. Have I got this right?

For information, I have an access point with 4 SSIDs, each on its own VLAN, which are in turn set up as individual interfaces in pfSense, so each of these VLANs can have its own firewall rules. All but one of these 4 VLANs have internet traffic routed through a Mullvad tunnel.

I have the typical wifi VLANs:

  • Trusted devices
  • IOT devices
  • Guest network
  • No VPN internet access

I was hoping I would be able to granularly specify which clients can talk to which clients on the same subnet via the firewall. But basically this granularity is only possible once traffic reaches the firewall (right?). I know I can do it for the whole subnet/SSID via the access point, but there it’s a binary option (all or nothing).

A lingering question I have is why the ping is not sent to the firewall when two devices on the same subnet try to communicate but client isolation is turned on at the AP level? Why not:

Device 1 → AP → Firewall → AP → device 2

And let the firewall dictate if they are allowed to talk to each other ?

As you have found out, network traffic between devices on the same network does not hit the firewall.

Devices will use ARP and communicate directly with the device.

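To make the two replies above concrete, here is an added example that is not from the thread or from pfSense: a small Python model of the forwarding decision a host makes and of the "Unapproved_Clients" block rule from the original post. The subnet, gateway address and client addresses are assumed for illustration. It shows that a packet to an on-link address is ARPed for and delivered at layer 2 without the rule set ever being consulted, that only traffic leaving the subnet (or addressed to the firewall itself) is subject to the rule, and that AP client isolation is applied to every pair of clients on the SSID rather than per client.

```python
# Added example (not code from the thread or from pfSense). Addresses are assumed.
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed LAN/VLAN subnet
GATEWAY = ipaddress.ip_address("192.168.10.1")  # assumed pfSense interface address

# The alias from the post: the DHCP pool .100-.200 is "Unapproved_Clients".
UNAPPROVED = {
    ip for ip in LAN.hosts()
    if 100 <= int(ip) - int(LAN.network_address) <= 200
}

# The interface rule set from the post, first match wins, default deny.
RULES = [
    {"action": "block", "src": UNAPPROVED, "dst": "any"},
    {"action": "pass", "src": "any", "dst": "any"},
]


def next_hop(src, dst):
    """Model the host's own routing decision.

    On-link destinations are resolved with ARP and sent straight to the
    peer's MAC; the switch/AP forwards the frame at layer 2 and the firewall
    never sees it. Off-link destinations, and the firewall's own address,
    are sent to the gateway MAC, so the firewall receives the packet.
    """
    dst = ipaddress.ip_address(dst)
    if dst in LAN and dst != GATEWAY:
        return "direct"
    return "gateway"


def firewall_decision(src, dst):
    """Evaluate the interface rules for a packet that actually reached pfSense."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        src_ok = rule["src"] == "any" or src in rule["src"]
        dst_ok = rule["dst"] == "any" or dst in rule["dst"]
        if src_ok and dst_ok:
            return rule["action"]
    return "block"  # implicit default deny


def path(src, dst, ap_client_isolation=False):
    """Outcome for the flow src -> dst in this model."""
    if next_hop(src, dst) == "direct":
        # The firewall is not in the path; the only control point is the AP,
        # and client isolation there drops every client-to-client frame on the
        # SSID, approved or not. There is no per-client granularity.
        result = "dropped_by_ap" if ap_client_isolation else "delivered"
        return {"via_firewall": False, "result": result}
    return {"via_firewall": True, "result": firewall_decision(src, dst)}


if __name__ == "__main__":
    unapproved, approved, peer, internet = (
        "192.168.10.150", "192.168.10.50", "192.168.10.60", "8.8.8.8")
    print("unapproved -> approved peer:", path(unapproved, approved))
    print("unapproved -> internet:     ", path(unapproved, internet))
    print("approved   -> internet:     ", path(approved, internet))
    print("approved   -> approved peer, AP isolation on:",
          path(approved, peer, ap_client_isolation=True))
```

Run it and the first line shows the unapproved client reaching an approved peer with `via_firewall: False`; the block rule only fires on the second line, where the packet has to go through the gateway. The last line shows why isolation at the AP is all-or-nothing: two approved clients are cut off from each other just the same.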

Sounds like you might want to play with freeRADIUS. This will allow you to have 1 SSID and as many VLANs as you want, which will allow you to have the isolation you are looking for, among other benefits.

It’s been a few years since I played with this, but I had this running for a couple hundred users. Worked like a charm.

Keep in mind, having too many SSIDs will impair performance. Or at least, that was the case a few years ago; not sure about the new fancy Wi-Fi standards. I would trim your SSID count down to two. IoT and Guest can go on the same one, and I’m not sure why VPN can’t be filtered at the router. I have found two is a good number for SSIDs.


Interesting! Will look into it. Thanks!