Blocking Traffic Between Interfaces

Overview

Some users prefer to block internal subnets/interfaces from communicating with one another. There are two ways to block traffic between interfaces.

Using Filter Rules

The best approach is to use Filter Rules, in Config > Network > Filter Rules. If you just want to block all traffic between interfaces — keeping all interfaces separated from one another — a single rule with the conditions 'Source Interface is Any Non-WAN' and 'Destination Interface is Any Non-WAN' should work:

However, if you want more granular control over intra-interface blocking, you can create individual rules for each pair or set of interfaces. For example, this rule will block traffic from the WireGuard VPN interface to the Internal interface:

Note that this rule does not work the other way around, so you'll need to create an additional rule for the reverse direction:

Using interface NAT

You can also enable NAT on any LAN interfaces you wish to segregate. This will cause all traffic from these interfaces to be NAT'd to auto, which is the primary address of whichever interface the traffic exits. (Traffic between this interface and any bridged peers will not be NAT'd.) This option is found in Config > Network Interfaces: Edit the interface on which you wish to enable NAT and check the "NAT traffic coming from this interface (and bridged peers)" box.

This method is all-or-nothing and does not allow any exceptions or ability to control blocking on a finer level, however, and it can sometimes lead to other routing issues. We don't recommend it unless the network is very simple and the NAT'd interfaces will never need to communicate with one another.