Block destination host access from source host in LAN/one subnet

Question

Hi, 
 WARNING: I am absolutely new to firewall :) 
 I use IP Host to cluster my LAN devices belonging to my single subnet 10.x.y.z. These IP Host (IP lists and ranges) I want to use to block cross access. F.e. DHCP (guest devices 10.x.y.100 - 10.x.y.110) should not access any of my SERVER. 
 
 I created a firewall rule with the following content: 
 Action REJECT or DROP 
 Source Zone LAN Source Network DHCP (Host IP Range) 
 Destination Zone LAN Destination Network SERVER (Host IP List) Services ANY 
 but ... I can still access from a DHCP host any SERVER host. 
 Is it possible to achieve, what I am aiming for with only IP Host or do I have to go the ZONE / VLAN route? 
 Cheers

lferrara · Accepted Answer

Norbert, 
 if clients and servers are on the same subnet, traffic will never hit the Firewall so you cannot block/allow traffic. 
 In oder to filter traffic by layer 3 and 4, you have to move your servers or clients to another subnet. 
 Regards

sixteen again · Answer

If your servers and the DHCP addresses are on the same subnet, traffic in between them isn't routed by the XG....so you can't block it on the XG

lferrara · Answer

Great! 
 Potentially clients or servers can change their ip and belong to the other network. 
 You can create a vlan 2 by assigning each port to proper vlan with only one XG interface. In your case you beed 2 vlans, 1 for clients and one for servers. Every managed switch supports layer 2 vlan. The other option is vlan layer 3 where with a single XG nic you can manage both networks. 
 Regards