Block LAN Client-to-Client Traffic

TL;DR

This guide shows you how to stop computers on your local network (LAN) from talking directly to each other, forcing all traffic through a central router or firewall. This improves security and allows for better monitoring.

Steps

  1. Understand the Problem: By default, most home networks allow devices to communicate directly with each other. While convenient, this can be a security risk (e.g., malware spreading easily) and makes it harder to control network access. We want to prevent this direct communication.
    • Direct Communication: Computer A talks directly to Computer B without going through the router.
    • Desired State: Computer A must talk to Computer B via the router.
  2. Access Your Router’s Configuration Page: This varies depending on your router brand.
  3. Find the Firewall Settings: Look for sections labelled “Firewall”, “Security”, or “Advanced Security”. The exact location varies.
  4. Enable SPI (Stateful Packet Inspection): If it is not already on, turn this feature ON. SPI tracks the state of each connection so that only replies to traffic started from inside your network are let back in; it is a basic protection every router should have.
  5. Block Inter-VLAN Communication (if applicable): Some routers allow you to create separate networks (VLANs). If you use VLANs, make sure communication between them is blocked in the firewall settings.
  6. Implement Client Isolation/AP Isolation: Many modern routers have a feature called “Client Isolation” or “AP Isolation”. This prevents devices connected to the same Wi-Fi network from seeing each other. Enable this if available.
    • This is often found in the Wireless settings of your router.
  7. Create Firewall Rules (Advanced – use with caution): If Client Isolation isn’t enough, you can create specific firewall rules to block client-to-client traffic.
    • This is more complex and requires understanding of IP addresses and network ranges.
    • Example Rule: Block all traffic from any device on the LAN (e.g., 192.168.1.0/24) to any other device on the LAN.
      # Example using iptables (Linux-based routers - advanced users only)
      iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -j DROP
  8. Test the Block: After making changes, test to confirm that computers can no longer communicate directly.
    • Ping Test: From Computer A, try to ping Computer B’s IP address. It should fail.
      ping 192.168.1.10
    • File Sharing Test: Try to access a shared folder on another computer. It should not be accessible.
  9. Verify Internet Access: Ensure that blocking client-to-client traffic hasn’t broken internet connectivity for any devices.
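The iptables rule in step 7 only affects traffic the router actually routes, that is traffic between different subnets or VLANs (step 5). Two computers on the same subnet exchange frames through the switch, which never reach the FORWARD chain, so that rule alone does not stop them. The script below is an added example written for this guide, not code from the original post: it inserts the routed rule at the top of FORWARD (so an existing ACCEPT rule cannot shadow it) and, for a Linux router that bridges its own LAN ports, adds a matching drop rule on the nftables bridge forward hook so switched traffic is filtered too. It assumes the guide's 192.168.1.0/24 subnet, that iptables and nft are installed, and that the LAN ports are a Linux bridge; on consumer routers whose LAN ports sit on a hardware switch chip, port-to-port frames never reach the CPU, and only switch port isolation or per-port VLANs (step 5) help. Frames an access point relays between two of its own wireless clients are likewise not covered, which is what AP isolation in step 6 handles.

```shell
#!/bin/sh
# isolate_lan.sh (hypothetical name): block client-to-client traffic on a
# Linux router. Assumptions: LAN subnet 192.168.1.0/24 as in the guide,
# iptables and nft installed, LAN ports bridged by the router itself.
# Set RUN=echo to print the commands instead of executing them.
set -eu

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
RUN=${RUN:-}

# Routed traffic (between subnets/VLANs) passes through FORWARD. Insert at
# position 1 so the rule is evaluated before any existing ACCEPT rule;
# appending with -A would be useless if LAN-to-LAN is already accepted.
# Replies to internet traffic are unaffected: their source is outside LAN_CIDR.
apply_routed_rules() {
    $RUN iptables -I FORWARD 1 -s "$LAN_CIDR" -d "$LAN_CIDR" -j DROP
}

# Same-subnet traffic is switched, not routed, and never enters FORWARD.
# When the router bridges the LAN ports it can be dropped on the bridge
# forward hook instead. Traffic to the router's own address uses the bridge
# input hook, so the gateway stays reachable; ARP is a different ethertype
# and is not matched, so hosts can still resolve each other but IP is dropped.
apply_bridge_rules() {
    $RUN nft add table bridge isolation
    $RUN nft add chain bridge isolation forward \
        '{ type filter hook forward priority 0; policy accept; }'
    $RUN nft add rule bridge isolation forward \
        ip saddr "$LAN_CIDR" ip daddr "$LAN_CIDR" drop
}

# Show the resulting rules for review before running the tests in step 8.
show_rules() {
    $RUN iptables -S FORWARD
    $RUN nft list table bridge isolation
}

if [ "${1:-}" = "apply" ]; then
    apply_routed_rules
    apply_bridge_rules
    show_rules
fi
```

Run `RUN=echo sh isolate_lan.sh apply` first to see exactly which commands would be issued, then `sh isolate_lan.sh apply` as root on the router; override `LAN_CIDR` if your LAN uses a different range.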
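Steps 8 and 9 are one combined check from the client's point of view: peers must stop answering while the router and the internet keep answering. The script below, an added example and not part of the original guide, runs that check from one computer in a single command. It assumes a Linux or BusyBox ping (where -W is a timeout in seconds); the gateway, external and peer addresses in the usage line are placeholders based on the guide's 192.168.1.0/24 example, and 203.0.113.1 is a documentation address standing in for any internet host you normally reach. A peer that does not answer ping may simply have its own firewall dropping ICMP, so confirm a "blocked" result with the file-sharing test from step 8 as well.

```shell
#!/bin/sh
# verify_isolation.sh (hypothetical name): run the checks from steps 8 and 9
# from one client. Usage: sh verify_isolation.sh GATEWAY EXTERNAL [PEER ...]
# Assumes Linux/BusyBox ping (-W in seconds). Addresses in the usage text are
# placeholders taken from the guide's 192.168.1.0/24 example.
set -eu

# ping_ok HOST: one echo request, one second timeout, no output.
ping_ok() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# check_isolation GATEWAY EXTERNAL [PEER...]
# Expectation: the gateway and an internet host answer (step 9), LAN peers
# do not (step 8). Prints one line per check; returns 0 only if all hold.
# A silent peer can also be one whose own firewall drops ICMP, so back a
# "does not answer" result with the file-sharing test from step 8.
check_isolation() {
    gateway=$1
    external=$2
    shift 2
    failures=0

    if ping_ok "$gateway"; then
        echo "OK   gateway $gateway reachable"
    else
        echo "FAIL gateway $gateway not reachable (clients lost their router)"
        failures=$((failures + 1))
    fi

    if ping_ok "$external"; then
        echo "OK   internet host $external reachable"
    else
        echo "FAIL internet host $external not reachable (blocking broke internet access)"
        failures=$((failures + 1))
    fi

    for peer in "$@"; do
        if ping_ok "$peer"; then
            echo "FAIL peer $peer still answers (client-to-client traffic not blocked)"
            failures=$((failures + 1))
        else
            echo "OK   peer $peer does not answer"
        fi
    done

    [ "$failures" -eq 0 ]
}

if [ "$#" -ge 2 ]; then
    check_isolation "$@"
else
    echo "usage: $0 GATEWAY_IP EXTERNAL_IP [PEER_IP ...]" >&2
    echo "example: $0 192.168.1.1 203.0.113.1 192.168.1.10 192.168.1.11" >&2
fi
```

Run it from Computer A with the router's address, an internet host you normally reach, and the addresses of the other computers on the LAN; the exit status is non-zero whenever any expectation fails, so it can be repeated after every configuration change.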