Scan your lab with the Network Scanner
The Network Scanner is nmap with a face: drop it into a segment, point it at a subnet, and get hosts, open ports and service versions back in a panel. Perfect for verifying a firewall lab actually blocks what you think it blocks.
Wire the scanner into the segment you want to probe - it is a node like any other, so it only sees what the topology lets it see.

Double-click it and set the target - a host or a whole subnet (10.0.0.0/24) - plus the scan profile. Results list discovered hosts with their open ports and detected services.

Scanning only reaches what the topology reaches - the lab's isolation still applies. For the firewall use-case: scan from outside the firewall, then from inside, and diff the two result sets.