How to isolate client from each other (Not Wireless)?

I have two VLANs eth1.100 and eth1.200. Now I have configured eth1.100 to access the Internet (WAN), and eth1.200 to access eth1.100.

How to isolate all hosts/client under eth1.100 from being able to access each other? Similar to the effect of AP isolation. I found that "config isolate = '1' '' does not take effect in the interface configuration.

I have configured something like src = (network segment of eth1.100) forward des = drop in the firewall, but it does not take effect.

eth1.100 has a static IP segment.


Generally speaking, this is not possible, although there is one thing you can look into called the bridge firewall, or you can use an external managed switch that has port isolation.

In general, traffic on the same subnet does not ever hit the firewall since it is switched (L2), not routed (L3)... the firewall operates at L3.

In order for a bridge firewall or managed switch to be able to isolate clients, it would necessarily require that the device doing the isolation is directly between the clients to be isolated. If there is another switch involved, it will not be possible to isolate those clients (connected to the switch) from each other.

I've never actually tried bridge firewall functions, and I'm not sure if it applies to devices with swconfig (vs DSA)... but it is worth a shot if the physical topology of your network is such that the router is indeed in between the hosts you wish to isolate.

I see, indeed this should be configured on the switch. Actually I am using the vSwitch of ESXI, have you ever used it? I installed VCSA, and I still haven't found a setting that can isolate devices within a port group, but there seems to be somebody says that vcsa can configure the vSwitch firewall in network security, something like NSG, NSX-T.

Nope, no experience. This is potentially drifting out of scope for the OpenWrt forums, so you may need to ask on ESXI user forums.