Isolating a single host within a zone


I have a host in the default lan zone which I would like to isolate from the other hosts in the same zone. Basically the other hosts should not be able to communicate with this particular host at all.

How could I achieve this?

Thanks in advance!

That is not easily doable as traffic is typically switched, so you cannot intercept it using iptables alone.

You'd need to move the isolated host to a dedicated ethernet port / vlan in order to force it into a separate subnet.


I think it's possible to "isolate" a host to some degree by moving it to another subnet. This means the host can't communicate directly with other devices in the LAN using unicast and needs to send the traffic through the router. But the host will still be able to use broadcast and multicast. Which means it will be able to use Multicast DNS to look up a service, but won't be able to use unicast to connect to the service.

This other subnet should be configured as an IP alias, and have "Dynamic DHCP" disabled, which means it will only respond to requests made by MAC addresses which have a static lease. (LAN-to-LAN forwarding needs to be disabled for the mentioned subnet.)

Of course it's very easy to circumvent the firewall on a machine connected to the LAN by configuring it with an IP address in the same subnet as the "isolated" host(s). For real isolation you need another solution.
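The setup described in the reply above, written out as a concrete configuration. This is an added example, not the poster's own config; it assumes an OpenWrt router with UCI config files, and the interface name `iso`, the 192.168.2.0/24 subnet and the MAC address are placeholders.

```uci
# /etc/config/network
# Existing LAN plus an alias interface on the same bridge ('@lan'),
# which gives the isolated host its own subnet without a new port/VLAN.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iso'
	option device '@lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# dynamicdhcp '0': no dynamic leases on the alias subnet, so only the
# static lease below (placeholder MAC) ever receives a 192.168.2.x address.
config dhcp 'iso'
	option interface 'iso'
	option start '100'
	option limit '50'
	option leasetime '12h'
	option dynamicdhcp '0'

config host
	option name 'isolated-host'
	option mac '00:11:22:33:44:55'
	option ip '192.168.2.10'

# /etc/config/firewall
# Own zone with forward REJECT and no forwarding to 'lan': the router will
# not route between the two subnets. Only iso -> wan is allowed.
config zone
	option name 'iso'
	list network 'iso'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iso'
	option dest 'wan'
```

Because both subnets share the same bridge, this separates the host only at the IP layer; the caveat in the reply above about a LAN machine simply picking an address in 192.168.2.0/24 still applies.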