Can I block, for one device, all traffic on the local network? (except gateway/DNS)


Is it possible to block, for one specific device, all traffic on the local network (by IP range or other means) to and from the other devices on the local network?

When working from home, I use the laptop from my company (via VPN). I would like the company laptop not to be able to see any of the other devices at home, be it via LAN or Wi-Fi. I.e., the company laptop should only see the necessary devices, which to my understanding are the device that runs Pi-hole with DNS (and in my case also with unbound) and the gateway/router (in my case a Fritzbox).

As my Fritzbox has the Pi-hole DNS server's IP address upstream and functions as DNS server downstream (locally), maybe I could even block the connection to the Pi-hole?

Maybe I cannot achieve this at all with Pi-hole?

Thanks for sharing your thoughts and pointing me in the right direction.

I do it on a hardware level with a managed switch via port isolation. The access point on port 6 is only forwarded to port 1 (the router), port 4 (the Pi-hole acting as DHCP and DNS server) and port 8 (a security device, a Fingbox). This AP runs the guest network, so anyone connected to it can’t reach other servers or devices which are connected to other ports of the switch.


Wonderful, this seems to be the solution, and I am very grateful for your kind help! :smiley:

I have a similar menu on my managed switch and assume that the menu below is the right one I have to set up properly (currently, there is no restriction):

This is called "port-based VLAN", and there are some other options, too, but I think that I don't need any of those, right?

Hi there, VLAN is something else. You can sub-segment a physical network into virtual segments, i.e. you can have 192.168.1.x and 192.168.2.x subnets and have different devices on different subnets. You can arrange whether these devices may or may not communicate with each other via VLAN settings on your managed switch. What I was saying was something else: port isolation is switching on or off which ports will be connected to which ports, like a telephony operator. For your purpose, you can use either port isolation or design virtual LANs in your network; both will serve your purpose.
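The two replies above describe the same goal reached by two switch features: port isolation (a per-port forwarding allow-list) and port-based VLANs (membership sets). The following is an added example, not code from this thread, from Pi-hole or from any switch vendor: a small Python model of both mechanisms that computes which ports can reach which, then checks that the access-point port can exchange frames only with the router, the Pi-hole and the Fingbox. The port numbers (AP on 6, router on 1, Pi-hole on 4, Fingbox on 8) are taken from the reply above; the 8-port switch, the assumption that isolation applies in both directions so reply traffic is not dropped, and the "leaky" VLAN layout used to show a common misconfiguration are all constructed for this example.

```python
"""Model of port isolation vs. port-based VLANs on a managed switch.

Constructed example: it does not implement any real switch's firmware, it
models the forwarding decision so a configuration can be checked before
it is applied.
"""

PORTS = frozenset(range(1, 9))  # assumed: an 8-port managed switch

# --- Port isolation -------------------------------------------------------
# For each restricted source port, the set of ports a frame may be forwarded
# to. Ports absent from the dict are unrestricted and may reach every port.
ISOLATION = {
    6: {1, 4, 8},   # access point -> router (1), Pi-hole DNS/DHCP (4), Fingbox (8)
}


def isolation_forwards(policy, src, dst, ports=PORTS):
    """True if a frame entering `src` may leave on `dst` under port isolation.

    The check is applied in both directions (assumed semantics): the router on
    port 1 is unrestricted, but it may still only reach port 6 because port 6
    lists port 1. Without this, replies from the router would be dropped.
    """
    if src == dst:
        return False
    allowed_out = policy.get(src, ports)
    allowed_in = policy.get(dst, ports)
    return dst in allowed_out and src in allowed_in


# --- Port-based VLANs -----------------------------------------------------
# Each VLAN is a set of member ports; a frame is forwarded only between ports
# that share at least one VLAN. The AP port is a member of "guest" only.
VLANS = {
    "home":  {1, 2, 3, 4, 5, 7, 8},   # every home device plus router and Pi-hole
    "guest": {1, 4, 6, 8},            # AP shares only router, Pi-hole, Fingbox
}

# Common mistake: the AP port is added to "guest" but also left in the
# default VLAN that contains every port, so the restriction does nothing.
LEAKY_VLANS = {
    "default": set(PORTS),
    "guest": {1, 4, 6, 8},
}


def vlan_forwards(vlans, src, dst):
    """True if src and dst share at least one port-based VLAN."""
    return src != dst and any(src in members and dst in members
                              for members in vlans.values())


# --- Reachability and policy check ---------------------------------------
def reachable(forwards, ports=PORTS):
    """Full reachability matrix: port -> set of ports its frames can reach."""
    return {s: {d for d in ports if forwards(s, d)} for s in ports}


def isolation_reach(policy=ISOLATION):
    return reachable(lambda s, d: isolation_forwards(policy, s, d))


def vlan_reach(vlans=VLANS):
    return reachable(lambda s, d: vlan_forwards(vlans, s, d))


def violations(reach, port=6, allowed=frozenset({1, 4, 8})):
    """Ports the protected port can reach, or be reached from, beyond `allowed`.

    Both directions are inspected: a device on another port that can still
    send frames to the AP port is just as much a leak as the reverse.
    """
    outbound = reach[port] - allowed
    inbound = {s for s, dsts in reach.items() if port in dsts} - allowed
    return outbound | inbound


if __name__ == "__main__":
    for name, reach in (("port isolation", isolation_reach()),
                        ("port-based VLAN", vlan_reach()),
                        ("leaky VLAN", vlan_reach(LEAKY_VLANS))):
        bad = violations(reach)
        print(f"{name:16} AP port 6 reaches {sorted(reach[6])}; "
              f"violations: {sorted(bad) or 'none'}")
```

Running the script shows that the isolation allow-list and the two-VLAN layout produce the same reachability for port 6 (only ports 1, 4 and 8, in both directions), while the leaky layout reports ports 2, 3, 5 and 7 as reachable from the AP, which is the check worth doing on a real switch after saving the VLAN page: confirm the restricted port has been removed from the default VLAN, not merely added to the new one.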

Typically, a corporate VPN will put the laptop into a secure tunnel back to the home office, and local network clients are invisible.

