I already segmented “Guest” and “IOT” traffic into their own separate subnets and VLANs.
“Guest” and “IOT” are locked down to “Internet Only” access; these two subnets are blocked from communicating with each other and with the other, more critical networks like the “Production” network.
Does pfSense have any feature to prevent guest network clients from communicating with other guest network clients and (likewise) prevent IOT network clients from communicating with other IOT network clients?
Does anyone know of any open source firewall solution that has this feature?
Being able to restrict a device’s ability to communicate with other devices on the same subnet IS NOT done by the gateway / firewall but by the switch connecting those devices, because devices on the same subnet DO NOT route through the pfSense firewall.
It’s counterintuitive, but /32 masks do work for effectively creating client isolation, a.k.a. microsegmentation, on wired LANs. With very few exceptions, a /32 mask still allows a device/host to communicate with its default GW, and only its default GW.
My reaction was the same as yours and @Paul’s until I saw it working during a demo of Airgap Networks (airgap.io), recently acquired by Zscaler.
With a /32 mask, devices/hosts only accept external traffic from the default GW, and all outbound is sent to the default GW. The only way they can talk to each other on what we would normally think of as “the same subnet” is via the GW, rather than across a switch.
IMO this would be a fantastic feature to add to pfSense for specific use cases. An obvious caveat is load/performance considerations of the HW used.
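An added illustration of the forwarding decision the last reply describes (example code written for this page, not from the thread, pfSense or Airgap Networks; the addresses are constructed). A host picks its next hop by longest-prefix match: with a /24, a peer in the same subnet is on-link, so the frame crosses the switch and never reaches the firewall; with a /32 plus an on-link host route to the gateway, every destination, including that same peer, is handed to the gateway, where firewall policy can apply. The third route table is an assumption about what the “very few exceptions” might look like: a /32 where the OS did not install the on-link route to the gateway, so the default route points at an address the host cannot resolve and nothing is reachable.

```python
import ipaddress

# Constructed addresses for the example (not from the original thread).
GATEWAY = ipaddress.ip_address("192.168.50.1")
HOST_A = ipaddress.ip_address("192.168.50.10")
PEER_B = ipaddress.ip_address("192.168.50.20")
INTERNET = ipaddress.ip_address("203.0.113.7")


def _lookup(routes, dst):
    """Longest-prefix match. routes is a list of (prefix, gateway) tuples;
    gateway None means 'on-link' (resolve dst directly with ARP).
    Returns (network, gateway) or None when nothing matches."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def next_hop(routes, dst):
    """Decide how a host sends to dst.

    Returns ("direct", None)  -> ARP for dst, frame goes across the switch
            ("via", gw)       -> frame goes to gw, which must itself be on-link
            ("unreachable", None) otherwise
    """
    match = _lookup(routes, dst)
    if match is None:
        return ("unreachable", None)
    _, gw = match
    if gw is None:
        return ("direct", None)
    # A gateway is only usable if the host can reach it on-link; a default
    # route whose gateway is itself only reachable via the default route
    # resolves to nothing.
    gw_match = _lookup(routes, gw)
    if gw_match is None or gw_match[1] is not None:
        return ("unreachable", None)
    return ("via", gw)


def conventional_routes():
    # HOST_A configured 192.168.50.10/24 with default gateway 192.168.50.1.
    return [("192.168.50.0/24", None), ("0.0.0.0/0", GATEWAY)]


def slash32_routes():
    # HOST_A configured 192.168.50.10/32. The only on-link destination is the
    # gateway itself (explicit host route); everything else, including peers
    # on the same physical segment, is sent to the gateway.
    return [(f"{GATEWAY}/32", None), ("0.0.0.0/0", GATEWAY)]


def slash32_routes_missing_host_route():
    # Assumed failure mode: a /32 with no on-link route to the gateway.
    return [("0.0.0.0/0", GATEWAY)]


def traverses_firewall(routes, dst):
    """True when traffic from the host to dst passes through the gateway,
    i.e. when a pfSense rule could see it."""
    return next_hop(routes, dst)[0] == "via"


if __name__ == "__main__":
    for name, table in (("/24", conventional_routes()),
                        ("/32 + host route", slash32_routes()),
                        ("/32 no host route", slash32_routes_missing_host_route())):
        for dst in (PEER_B, GATEWAY, INTERNET):
            print(f"{name:18} -> {dst!s:14} {next_hop(table, dst)}")
```

On Linux the second table corresponds to `ip route add 192.168.50.1/32 dev eth0` followed by `ip route add default via 192.168.50.1 dev eth0`; the second command is rejected without the first, which is exactly the dependency the third table models. The host-side change only forces the traffic through the gateway; whether two /32 hosts can then reach each other still depends on the gateway routing between them and on the firewall rules applied there.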