Isolate clients on same subnet?
Given n (e.g. 200) clients in a /24 subnet and the following network structure:
client 1 \
   .      \
   .      switch -- firewall
   .      /
client n /
(in words: all clients connected to one switch and the switch connected to the firewall)
Now by default, e.g. client 1 and client n can communicate directly via the switch, without any packets ever arriving at the firewall. Therefore none of those packets can be filtered. However, I would like to filter the packets between the clients, so I want to disallow any direct communication between the clients.
I know this is possible using VLANs, but then – according to my understanding – I would have to put every client in its own network. However, I don't even have that many IP addresses: I have about 200 clients, only a /24 subnet, and all clients shall have public IP addresses, so I can't just create a private network for each of them (well, maybe using some NAT, but I'd like to avoid that).
So, is there any way to tell the switch: "Forward all packets to the firewall; don't allow direct communication between clients"? Thanks for any hint!
You can separate clients within a VLAN if your switch supports PVLAN (private VLAN), which can be configured to allow any host to talk to the firewall while being unable to communicate with any other device. You can additionally configure your PVLAN to also allow communication amongst limited groups of servers.
What sort of switch are you using?
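As an added illustration of the answer above (not part of the original thread), here is what a private VLAN setup for the topology in the question looks like in Cisco IOS-style syntax on a Catalyst switch. The VLAN IDs, interface names and port counts are assumptions; adapt them to your switch. The primary VLAN carries the /24, the clients sit in an isolated secondary VLAN (they can only reach the promiscuous port), and the optional community VLAN shows the "limited groups" case from the answer.

```text
! Added example, not from the original thread. VLAN IDs and interface
! names are assumptions.
!
! PVLANs need VTP transparent mode (or VTP v3) on many Catalyst models.
vtp mode transparent
!
! Primary VLAN 100 is the /24 everyone shares; 101 and 102 are secondaries.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated VLAN: ports here can talk to promiscuous ports only.
vlan 101
 private-vlan isolated
!
! Community VLAN: ports here can talk to each other and to promiscuous ports.
vlan 102
 private-vlan community
!
! Client ports (assumed Gi1/0/1 to Gi1/0/46): isolated hosts.
interface range GigabitEthernet1/0/1 - 46
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! A small group of servers that may talk among themselves (assumed Gi1/0/47).
interface GigabitEthernet1/0/47
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the firewall (assumed Gi1/0/48): promiscuous, mapped to all
! secondary VLANs so it can reach every client and every server.
interface GigabitEthernet1/0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

Verify with `show vlan private-vlan` and `show interfaces switchport`. Two caveats a practitioner should expect: first, the clients still believe client n is on their own subnet, so client 1 will ARP for client n directly, and in an isolated VLAN that ARP never reaches client n. For client-to-client traffic to flow through the firewall at all, the firewall must answer ARP for the hosts of the /24 on its behalf (proxy ARP; on a Cisco SVI this is `ip local-proxy-arp`) and must permit forwarding a packet back out the interface it arrived on. Second, if the clients span several switches, the private VLAN has to be carried consistently across the trunks (VTP v3 or identical manual configuration on each switch); on a single Catalyst switch, `switchport protected` on the client ports is a simpler alternative with the same effect locally.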