Guest VLAN/Subnet Question

Is there a way to configure a VLAN on a switch so that it only forwards frames to the gateway? Like in a Guest Wifi network where none of the clients can communicate with each other, but they’re all technically on the same subnet and have Internet access (only wired). I want to set up a DMZ this way without making a VLAN for each server…

I’m using Ubiquiti EdgeSwitches.


Edit

I was having trouble finding good Google search terms for this, but I think I’m onto something here. Need to brush up on switching ACLs.

You can’t, because that traffic never makes it to the router, it’s handled at the switch level. You would need to put each one on a separate VLAN so its traffic is routed. Or I guess you could put each host on a separate interface so it’s forced to route that way, but VLANs are easier.

I ran into this same problem myself when I had the bright idea to just use iptables to selectively allow then deny all LAN traffic in my home, saving myself the trouble of setting up VLANs to do it. Es no bueno, sadly.

You don’t think it can be done with ACLs on the switch?

Sure, if you have a fancy enterprise switch. I’m not a CCIE but my understanding is that hardware can do anything. It would need to be done at the switch level, though, for sure, and cheap SOHO managed switches don’t typically expose that functionality.


Ubiquiti EdgeSwitches are semi-enterprisey.

Looks like “Protected Ports” might get me somewhere.

Page 160

Configuring Protected Ports
Use this page to configure and view protected ports groups. A port that is a member of a protected ports
group is a protected port. A port that is not a member of any protected ports group is an unprotected port.
Each port can be a member of only one protected ports group. Ports in the same protected ports group
cannot forward traffic to other protected ports within the group, even if they are members of the same
VLAN. However, a port in a protected ports group can forward traffic to ports that are in a different protected
ports group. A protected port can also forward traffic to unprotected ports. Unprotected ports can forward
traffic to both protected and unprotected ports.


Looks like that would do it! My cheapo linksys managed switch certainly won’t.

Yeah just looked it up, the cheapest 8 port edgeswitch is a whopping $200. I think I paid like $40 for my cheapo switch.


Yep, protected ports do as you described, however routing and DHCP become strange. You could give out /32 addresses to hosts, and pass an additional route for each host to be able to talk to the gateway over that interface (option 121). You’d need to take care of reverse path filtering and forwarding. You can also try setting your gateway address as the broadcast address served via DHCP (different OSes deal with this differently).

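The /32-lease trick in the reply above hinges on what the DHCP server actually hands the client in option 121 (RFC 3442 classless static routes): a host with a /32 address has no on-link subnet, so it first needs a route saying "the gateway is directly connected", and only then a default route via that gateway. The encoding below is an added example, not code from the thread or from Ubiquiti; the gateway 192.0.2.1 is a constructed documentation address and the helper names are my own. It builds and parses the option-121 payload so you can check what your DHCP server emits before blaming the switch.

```python
"""
RFC 3442 (DHCP option 121) classless static route encoding for the
"/32 lease + on-link gateway route" setup discussed above.

Added example for this thread; function names and the sample gateway
(192.0.2.1, a documentation address) are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # ("destination/prefixlen", "router")


def encode_option_121(routes: List[Route]) -> bytes:
    """Encode a route list as the raw option-121 payload.

    Per RFC 3442 each route is: one prefix-length byte, then only the
    significant octets of the destination (ceil(prefixlen / 8) of them),
    then the 4-byte router. A router of 0.0.0.0 means "on-link".
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        plen = net.prefixlen
        significant = (plen + 7) // 8
        out.append(plen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option_121(payload: bytes) -> List[Route]:
    """Inverse of encode_option_121; rejects truncated or malformed data."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        dest_octets = payload[i:i + significant]
        i += significant
        router_octets = payload[i:i + 4]
        i += 4
        if len(dest_octets) != significant or len(router_octets) != 4:
            raise ValueError("truncated option 121 payload")
        # Pad the destination back out to four octets before parsing.
        dest = ipaddress.IPv4Address(bytes(dest_octets) + b"\x00" * (4 - significant))
        routes.append((f"{dest}/{plen}", str(ipaddress.IPv4Address(bytes(router_octets)))))
    return routes


def routes_for_isolated_host(gateway: str) -> List[Route]:
    """Routes a /32-leased host needs behind a protected port.

    Order matters: the on-link /32 route to the gateway must come first,
    otherwise the default route points at a next hop the host cannot reach.
    """
    return [(f"{gateway}/32", "0.0.0.0"), ("0.0.0.0/0", gateway)]


def lease_options_for_isolated_host(gateway: str) -> Dict[int, bytes]:
    """Minimal option set for the lease: /32 mask (option 1) plus option 121.

    Option 3 (router) is deliberately omitted: RFC 3442 says a client that
    understands 121 ignores 3 anyway, and a plain router option would point
    at an address outside the client's /32.
    """
    return {
        1: ipaddress.IPv4Address("255.255.255.255").packed,
        121: encode_option_121(routes_for_isolated_host(gateway)),
    }


if __name__ == "__main__":
    opts = lease_options_for_isolated_host("192.0.2.1")
    print("option 121 payload:", opts[121].hex())
    print("decoded:", decode_option_121(opts[121]))
```

Compare the hex the script prints with what you see in a packet capture of the DHCP OFFER; if your server emits the default route alone, or puts it before the on-link route, the client will install the address and then silently fail to reach the gateway, which looks exactly like the switch dropping traffic.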

Interesting. I got pulled away from working on it, but hopefully I can tinker with it some tomorrow.

You may also want to look into Ubiquiti’s implementation of private VLANs. Private VLANs should completely isolate each client’s traffic as you described.


You basically need a layer3 switch to do this.


Thank you, this is what I was looking for.