Is it possible to apply firewall rules on LAN to LAN packets?
Imagine the following architecture:
To get a valid IP, the clients must authenticate to PfSense LAN network using 802.1x against the pfSense's radius server.
After that all packets sent between Client1 and Client2 will be managed and filtered by PfSense firewall.
Is this architecture possible? Are there any caveats?
A "layer 2 switch" is really a switch, i.e., its only task is to forward network frames from one net branch to the other. But with today's plummeting hardware costs, many devices called "switch" have lots of additional features (like handling VLANs, faking separate networks using the same box -- essentially allowing you to separate the switch into several separate ones; filtering traffic using a variety of criteria), up to and working as routers (connecting separate networks, routing traffic as required). Often you get a "switch" that is really a router, and those generally have the smarts (hardware-wise) to do traffic filtering (i.e., act as a firewall).
For example, the "access point" or "cable modem" box you have at home is really a router and WiFi access point (connects a cabled network to WiFi) plus a firewall (doing at least NAT). If you take a peek, handling WiFi is very complex business (some channels can not be used, depending on the country; need to connect to the network and handle encrypted traffic; need to hand over from one access point to another as you move through a large building; ...), and all that is done in a WiFi card that today costs a few bucks.
In case Layer 2 switch the IP is not so important and there are traffic based on MAC address. Until the destination is on the same network segment (for Layer 3 view once it is on the same subnet - e.g. 192.168.0.0/24 - 192.168.0.1 to 192.168.0.254 ) there is utilized ARP protocol (if the MAC of the destination is not known) and then there is communication directly utilizing MAC address and "Layer 2 addressing".
In this scenario "local" traffic (between client 1 and client 2) is not reaching the pfsense so there is no way how to realize this kind of filtering...
The traffic reaching the pfsense is (in case of no special route in place) "other" traffic so everything else out of subnet - usually covered by "default" route record.
Anyway 802.1x support on the switch is not "basic" feature so in case there is this kind of support there is the most probably support also for VLANs - 802.1q. In that case you can assign client after authentication (based on the reply from the radius) to separate VLAN so logically there will be just one client and pfsense interface on the network segment or in other words you will logically split the network and no 2 clients will be on the same L2 switch. This way all the traffic will have to be routed via pfsense as default route. In this scenario you can filter the traffic also between the clients.
The cons would be higher load on firewall and in case of heavy traffic between the client there will be the most probably lower throughput.
I think what OP is asking is "is there a way to filter traffic within the same network" (so without the need to use a gateway which very conveniently in this case would be a firewall), I seriously doubt he is asking what is a router, a switch, a hub or a firewall. In other words, is there a way to force all nodes traffic to run through the firewall so it can filter the whole network. To my knowledge, the only network manager able to do this atm is vmware NSX-T (NSX-V is discontinued but we still refer to them) which implies you are in a virtualized environment...which is not actually that a stupid thing with VDI capabilities nowadays and yes, security is one of the VERY strong aspect of VDI.
But without this kind of technology, you are doomed, TCP/IP is made of this, if you are on the same subnet, you can reach anything without even asking any permission. Deal with it.
