I'm running a small campus with about 40 WiFi/Ethernet port devices (distribution network) for guests that run behind a MT hotspot/firewall.
I run a pretty good firewall set on the main router/internet/hotspot box.
I'm putting some thought into the internal LAN side of the network and asking the question: "If an internal client has a nasty virus/malware or wants to 'scan' around on the LAN side, what could I implement on my LAN devices to 'filter' potential nefarious activities, to stop infections etc. spreading to other users of the LAN?"
That said, the internet is distributed on a VLAN across the campus, and I use a separate management VLAN to manage all edge/core devices. VLANs bond to a BRIDGE on each device.
So based on that I am thinking about BRIDGE filtering, as all my 'internet/client-side VLANs/bridges' go out to either a WiFi interface or a physical Ethernet port (bridge-port bond).
What sort of rules do people run for this kind of setup?
Do (can?) you block devices talking to each other?
Is it worth blocking/filtering common ports (forwarding on the bridge)?
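Added example, not part of the original post and not the poster's configuration: a RouterOS config for one edge device that does the three things asked about (client-to-client isolation, isolation on the radio itself, and port filtering on the bridge). It assumes a bridge named bridge-guest, ether1 as the VLAN uplink toward the hotspot router, and ether2, ether3 and wlan1 as client ports; those names, the guest-clients interface list and the chosen ports are all assumptions, and the in-interface-list/out-interface-list matchers in bridge filter assume RouterOS 6.41 or later.

```routeros
# Added example (not from the original post). Interface names, the
# guest-clients list and the port choices below are assumptions.

# Group the client-facing ports so rules do not need editing per port.
/interface list add name=guest-clients
/interface list member
add list=guest-clients interface=ether2
add list=guest-clients interface=ether3
add list=guest-clients interface=wlan1

# 1) Split-horizon: bridge ports sharing a horizon value never forward to each
#    other; they can only reach ports with a different (or no) horizon, which
#    here is the uplink ether1. This is the "devices can't talk to each other" knob.
/interface bridge port
set [find bridge=bridge-guest interface=ether2] horizon=1
set [find bridge=bridge-guest interface=ether3] horizon=1
set [find bridge=bridge-guest interface=wlan1] horizon=1

# 2) Two wireless clients on the same radio are forwarded by the wireless
#    driver before the bridge ever sees the frame, so isolate there as well.
/interface wireless set wlan1 default-forwarding=no

# 3) Bridge filter: belt-and-braces for isolation, plus the "common ports"
#    question. These rules only match traffic the bridge forwards between ports.
/interface bridge filter
add chain=forward in-interface-list=guest-clients out-interface-list=guest-clients \
    action=drop comment="no client-to-client forwarding"
add chain=forward mac-protocol=ip ip-protocol=tcp dst-port=445 \
    action=drop comment="drop SMB between bridge ports"
add chain=forward mac-protocol=ip ip-protocol=tcp dst-port=135-139 \
    action=drop comment="drop RPC/NetBIOS session"
add chain=forward mac-protocol=ip ip-protocol=udp dst-port=137-138 \
    action=drop comment="drop NetBIOS name/datagram"
# Only the uplink may answer DHCP: drop server replies originating on client ports.
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 \
    in-interface-list=guest-clients action=drop comment="rogue DHCP server"
```

Two caveats on where this does and does not help. The bridge filter and horizon settings only see traffic that this device's bridge forwards; a client on one edge device talking to a client on another edge device crosses the VLAN trunk, so the same isolation has to be applied on every edge device (or enforced centrally on the core/hotspot router). Also, horizon and bridge filter rules can disable hardware offloading on switch-chip ports, so check /interface bridge port print after applying them on devices where forwarding performance matters.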