I have been working with the firewall/router distribution Pfsense for a while now and I have been trying to figure out how to "isolate" a server on my LAN from other computers on my LAN by using deny/reject LAN rules. I have tried adding a rule under Firewall->rules->LAN that denies a device (my phone for example 192.168.1.102) from sending any TCP packets to my web server at 192.168.1.105. For some reason, the packets manage to get though. The odd part is that if I specify the router itself as the destination, and to block the phone/computer from talking with it, it works. I have tested this with a wireless laptop and wireless phone, both on the same subnet.
My topology is as follows:
(internet)->(modem)->(pfsense)->(wireless router /w switch)->(wired devices)
|
(Wireless laptop/phone)
| == wifi
-> == wire
Is it possible the wireless router/switch is just relaying the packets from my phone to the server and completely bypassing the firewall (explaining why my rule isn't working)? If so, how could I set it up so that all LAN traffic has to go though my firewall to talk to any other computer on the network?
Image of the web interface available here as 3 rep won't let me post an image :( image
If two hosts are on the same subnet, the traffic has no reason to go through the router. Your rules are never being applied. The two devices are connected to a switch (or some other Layer 2 networking hardware). Host A says "I want this traffic to go to Host B's IP" and your switch says "Ok, done."
UPDATE: If VLANs are an option, put each host in a separate VLAN. This way, you can enforce routing rules between them and achieve the logical separation you want.
Perhaps plugging the wired devices (I presume the server sits here) into the pfsense device would allow you to create layer 3 segmentation. Alternatively, if you're running some high end Cisco device, you could setup private vlans.