Can I block peer-to-peer communication over WiFi?

Follow

LP

• April 08, 2025 04:32

Is there a way to completely isolate guests on a guest WiFi network without any visibility of other guests? I have “block all traffic to and from local networks” set on my guest WiFi, but if I do a network scan, I’m able to see and ping other devices. I want to be able to completely block all WiFi peer-to-peer communication including ping sweeps.

0

• 

  Firewalla

  • April 08, 2025 12:55
  • Edited

  You will need to use Firewalla AP7's to do that. This is a layer 2 problem, can't be solved with just a firewall (firewalla)

  See https://firewalla.com/products/firewalla-ap7

  This unit can do VqLAN, VLAN and Device isolation. 

  0

  Comment actions Permalink
• 

  LP

  • April 08, 2025 16:39

  Device isolation still doesn't block devices on my guest WiFi from being able to see each other.  They can still do a ping sweep and ping other devices, although ports (L4 and above) are blocked.  Other products have the option to disable peer-to-peer on a WiFi network.  Curious why Firewalla's AP7s do not.

  0

  Comment actions Permalink
• 

  Firewalla

  • April 08, 2025 16:53

  If you ping a device that's isolated, you get a response?

  0

  Comment actions Permalink
• 

  LP

  • April 08, 2025 17:04

  Yes, I do.

  0

  Comment actions Permalink
• 

  Firewalla

  • April 09, 2025 00:26
  • Edited

  Can you please let me know and confirm both the client doing the ping and the isolated client are both on the same network segment? Or they are on different segment? also confirm, you don't have any allow rules?

  Device isolation under AP7, should block pings for sure. 

  Also, may I know how you are generating the ping? was this just a ping, or a broadcast ping?

  0

  Comment actions Permalink
• 

  LP

  • April 09, 2025 01:42

  okay, so I found something very interesting.  When connected to my guest Wi-Fi with my device set to isolation mode, I do a network scan using the App Network Analyzer and I can see all of the other devices on the same guest WiFi. I can see all devices connected to the Guest Wi-Fi, but only one device comes back as pingable.  It looked up the MAC address of that device and it turns out to be my Firewalla AP7.  For some reason, the AP I connect to gets assigned an IP address in my Guest WiFi LAN that's pingable from devices on the Guest Wi-Fi.  When I look at the list of devices in Firewalla, the IP address doesn't show up nor does it show being linked to the AP7.  I was able to determine that it's the AP7 from the mac address found from the netstat -a command.  I can ping that IP address from multiple devices.  I did a full port scan (1-65535 and nothing answered, so I guess there's little risk.  But it is interesting that the AP7s assign themselves an IP address on LAN and is pingable, but not visible within the Firewalla app.  Even with isolation enabled, that IP address is pingable.  I have 3 AP7s and when I move my device to a different AP7, a completely different IP shows up and is pingable, so it appears each AP7 gets an IP address from the pool and my device can ping only the one that it's connected to.  

  0

  Comment actions Permalink
• 

  Support Team

  • April 09, 2025 04:54

  Thanks for the test.

  Network Analyzer uses arp (layer 2) to see all other devices in the network. The isolation works at IP layer (layer 3). That's why arp works, but ping is blocked.

  The risk is low. It's on our roadmap to figure out how to block at layer 2 as well.

  0

  Comment actions Permalink

Please sign in to leave a comment.