Block internal communication even though they are on same LAN

Dear Team

I am using VyOS 1.4.3 and configured eth2 as my LAN, where 2 servers are connected. I want to stop all communication between them even though they are on the same LAN and use the same private subnet. That is, suppose I have 5 servers inside the LAN; I want 2 of them to be unable to communicate with each other, while the other 3 can reach them and the first 2 can reach the other 3. Below is my config; I tried a lot, but both are still pingable.

My first 2 servers' IPs are 192.168.50.10 and 192.168.50.11.

eth0 172.17.21.100/16 4e:9b:6a:8f:ef:33 default 1500 u/u BLUE Management Network
eth1 115.186.136.240/24 3a:2d:78:9f:f7:98 default 1500 u/u RED Public Network
eth2 192.168.50.1/24 32:7b:30:50:d5:96 default 1500 u/u GREEN Lan Network
lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
::1/128

I tried the config below, but it is not working.

set firewall zone LAN interface 'eth2'

set firewall ipv4 name LAN-to-LAN default-action 'accept'
set firewall ipv4 name LAN-to-LAN rule 12 action 'drop'
set firewall ipv4 name LAN-to-LAN rule 12 destination address '192.168.50.10/32'
set firewall ipv4 name LAN-to-LAN rule 12 source address '192.168.50.11/32'

set firewall zone LAN from LAN firewall name 'LAN-to-LAN'

Please help me resolve this.

If the devices are connected to a switch, and then from the switch to VyOS, you won’t be able to block traffic at layer 2. Traffic would never reach VyOS because traffic would never leave the switch for your host-to-host communications. You’d need to put the servers on their own subnets using VLANs, and then use VyOS to route between the subnets.

If you want to block at layer 2, all of the servers would need to be connected directly to VyOS, where you would create a bridge. Then you can use the firewall bridge section to block that traffic.


I created my VyOS on an XCP-ng physical machine. The VyOS virtual LAN interface is connected to my distribution switch, and from that switch my machines are connected.

For all machines, my VyOS firewall LAN interface IP is the gateway address.

Now let me know how I block this in the above scenario.

If it's possible via a bridge, how will my LAN work?

You could use something like proxy ARP to "force" traffic to your router and apply an ACL there.

However, proxy ARP is easily bypassed by the host, so I wouldn't count on that method.

The way to block 2 hosts from talking to each other on the same LAN is to:

  1. In the L2-switch enable private vlan where you define which interfaces are allowed to talk to each other or not.

  2. A subset of the above is protected VLAN, which has a simpler config but the same result. For example, int1-24 (downlink) are only allowed to talk to int25-26 (uplink). This way the host at int1 cannot send Ethernet frames to the host at int2.

  3. Private/protected VLAN can also be used in combination with ACLs set on each interface, if the switch supports this. However, this is often not necessary if you already use private/protected VLAN.

If I am reading this correctly, perhaps you could use something like ufw on the servers in question.

On 192.168.50.10:
ufw deny from 192.168.50.11
ufw allow from 192.168.50.0/24

And something similar on the .11 server.

Note that I may not have the correct syntax. Just thinking ‘aloud’.

I would recommend putting those 3 servers on a different VLAN and subnet, so you can have VyOS route and filter traffic between the VLANs. This is the more elegant approach, given that you're describing distinct traffic filtering policies between the subset of servers.
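As an added example (not the original poster's config, nor anything from the VyOS project), here is how the VLAN-and-route approach from the replies above could look in VyOS 1.4 set-command syntax. It assumes three VLANs on eth2 that are not in the original post: VLAN 10 for server A (the old 192.168.50.10), VLAN 11 for server B (the old 192.168.50.11) and VLAN 30 for the remaining three servers, with the subnets 192.168.10.0/24, 192.168.11.0/24 and 192.168.30.0/24 chosen here for illustration. Because A and B sit in different zones with no from-rule between them, the zone default (drop) blocks them from each other while each still reaches the VLAN 30 servers; the switch ports must be configured as access ports in the matching VLANs, with the port towards VyOS as an 802.1Q trunk.

```vyos
# Constructed example: one tagged sub-interface per VLAN, VyOS is the gateway on each
set interfaces ethernet eth2 vif 10 address '192.168.10.1/24'
set interfaces ethernet eth2 vif 10 description 'Server A'
set interfaces ethernet eth2 vif 11 address '192.168.11.1/24'
set interfaces ethernet eth2 vif 11 description 'Server B'
set interfaces ethernet eth2 vif 30 address '192.168.30.1/24'
set interfaces ethernet eth2 vif 30 description 'Other three servers'

# Stateful handling: return traffic of accepted flows is allowed globally
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'
set firewall global-options state-policy invalid action 'drop'

# Rulesets: one that permits new connections, used only where a path is wanted
set firewall ipv4 name PERMIT default-action 'accept'

# Zones: one per VLAN plus the router itself; default-action drop is what
# isolates SRV-A from SRV-B, since no from-rule is ever defined between them
set firewall zone SRV-A default-action 'drop'
set firewall zone SRV-A interface 'eth2.10'
set firewall zone SRV-B default-action 'drop'
set firewall zone SRV-B interface 'eth2.11'
set firewall zone SRV-REST default-action 'drop'
set firewall zone SRV-REST interface 'eth2.30'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL local-zone

# Allowed paths: A <-> rest and B <-> rest, in both directions
set firewall zone SRV-A from SRV-REST firewall name 'PERMIT'
set firewall zone SRV-REST from SRV-A firewall name 'PERMIT'
set firewall zone SRV-B from SRV-REST firewall name 'PERMIT'
set firewall zone SRV-REST from SRV-B firewall name 'PERMIT'

# Let the servers reach the router itself (DNS, SSH, etc.); tighten PERMIT as needed
set firewall zone LOCAL from SRV-A firewall name 'PERMIT'
set firewall zone LOCAL from SRV-B firewall name 'PERMIT'
set firewall zone LOCAL from SRV-REST firewall name 'PERMIT'

commit
save
```

After committing, a ping from server A to server B should time out while pings from A or B to any VLAN 30 host succeed; `show firewall zone-policy` and `show firewall statistics` let you confirm which zone pair is dropping the packets. The point of the design is that the isolation no longer depends on traffic reaching VyOS by chance: once the two hosts are in different VLANs, the switch cannot forward frames between them at layer 2, so every packet between A and B must cross the router and hit the zone policy.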
