Saturday, September 28, 2019

EdgeRouter X VLAN and Firewall Rule Sets

One of the reasons to use VLANs is to segment your network and to control which traffic may pass from one network to another.  This post is about exactly that.

One issue I ran into is the direction of a ruleset.  When I was trying to limit the traffic coming into an interface, you would think the direction should be IN.  Oddly, the direction is actually OUT.  The reason is that EdgeOS names directions from the router's point of view: IN matches packets arriving at the router from that interface (traffic the VLAN's hosts send), OUT matches packets the router forwards out through that interface (traffic delivered to the VLAN's hosts), and LOCAL matches packets addressed to the router itself.  So a ruleset that limits what reaches the hosts on VLAN 100 is applied in the OUT direction on the VLAN 100 interface.


In this example, I have VLAN 100 and would like to accept traffic from VLAN 1 and VLAN 2 into this network, but to restrict access from it to VLAN 1 and 2.

To do this, I set the default action of the ruleset to DROP, and then added three rules to permit the allowed traffic.

The first rule is a general one that lets hosts on this VLAN use the internet: it accepts the replies to connections they open.

For this, I created a rule, set its action to ACCEPT, and allowed all protocols.  Then, on the Advanced tab, I selected the states ESTABLISHED and RELATED.  Because this ruleset only sees traffic going to VLAN 100, the rule matches the return half of connections that VLAN 100 hosts opened; the outbound half is not filtered by this ruleset at all.

The second rule is a specific one allowing VLAN 1 traffic to enter this network.

For this, I created a rule, set its action to ACCEPT, and allowed all protocols.  Then, on the Advanced tab, I selected the states NEW, ESTABLISHED and RELATED.  NEW is required here: the first packet of a connection from VLAN 1 is in the NEW state, and without it that packet falls through to the default DROP.  One extra step is required for this rule, which is specifying its source: on the Source tab, I picked VLAN 1 from the Network Interface dropdown box (or specified the VLAN 1 subnet, e.g. 192.168.1.0/24).  I applied the same steps for VLAN 2 as the third rule.

After all of this, VLAN 100 accepts traffic from VLAN 1 and 2 and can talk to the WAN.  Note, though, that this OUT ruleset on its own does not stop VLAN 100 from reaching VLAN 1 and 2: a connection a VLAN 100 host opens to a VLAN 1 host leaves the router through the VLAN 1 interface, where no ruleset is applied, and the reply comes back through VLAN 100 as ESTABLISHED traffic, which the first rule accepts.  To actually block access from VLAN 100 to VLAN 1 and 2, also apply a ruleset in the IN direction on VLAN 100 that accepts ESTABLISHED and RELATED, then drops traffic whose destination is the VLAN 1 or VLAN 2 subnet, and otherwise accepts (so internet traffic still works).
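Here is the same setup typed into the EdgeOS CLI (configure mode), as an added example rather than the steps from the video or from the original post.  It assumes the VLANs live on switch0 of an EdgeRouter X (switch0 vif 100 for VLAN 100), that VLAN 2 uses 192.168.2.0/24 (the post only gives VLAN 1's 192.168.1.0/24), and uses ruleset names, group names and rule numbers of my own choosing.  It reproduces the OUT ruleset described above and adds the IN ruleset that is needed to actually stop VLAN 100 hosts from opening connections to the other two VLANs.

```text
configure

# Subnets VLAN 100 must not reach (assumed: 192.168.2.0/24 for VLAN 2)
set firewall group network-group PRIVATE_VLANS description 'VLAN 1 and VLAN 2 subnets'
set firewall group network-group PRIVATE_VLANS network 192.168.1.0/24
set firewall group network-group PRIVATE_VLANS network 192.168.2.0/24

# Ruleset from the post: what may be delivered TO hosts on VLAN 100 (router's OUT direction)
set firewall name VLAN100_OUT description 'Traffic delivered to VLAN 100 hosts'
set firewall name VLAN100_OUT default-action drop
set firewall name VLAN100_OUT rule 10 description 'Replies to connections VLAN 100 opened (internet)'
set firewall name VLAN100_OUT rule 10 action accept
set firewall name VLAN100_OUT rule 10 protocol all
set firewall name VLAN100_OUT rule 10 state established enable
set firewall name VLAN100_OUT rule 10 state related enable
set firewall name VLAN100_OUT rule 20 description 'VLAN 1 may open connections into VLAN 100'
set firewall name VLAN100_OUT rule 20 action accept
set firewall name VLAN100_OUT rule 20 protocol all
set firewall name VLAN100_OUT rule 20 source address 192.168.1.0/24
set firewall name VLAN100_OUT rule 20 state new enable
set firewall name VLAN100_OUT rule 20 state established enable
set firewall name VLAN100_OUT rule 20 state related enable
set firewall name VLAN100_OUT rule 30 description 'VLAN 2 may open connections into VLAN 100'
set firewall name VLAN100_OUT rule 30 action accept
set firewall name VLAN100_OUT rule 30 protocol all
set firewall name VLAN100_OUT rule 30 source address 192.168.2.0/24
set firewall name VLAN100_OUT rule 30 state new enable
set firewall name VLAN100_OUT rule 30 state established enable
set firewall name VLAN100_OUT rule 30 state related enable

# Added ruleset: what hosts on VLAN 100 may send (router's IN direction).
# Without it, a VLAN 100 host's SYN to 192.168.1.x is forwarded unfiltered and the
# reply matches VLAN100_OUT rule 10 as ESTABLISHED, so the isolation is not enforced.
set firewall name VLAN100_IN description 'Traffic sent by VLAN 100 hosts'
set firewall name VLAN100_IN default-action accept
set firewall name VLAN100_IN rule 10 description 'Replies to connections VLAN 1/2 opened into VLAN 100'
set firewall name VLAN100_IN rule 10 action accept
set firewall name VLAN100_IN rule 10 protocol all
set firewall name VLAN100_IN rule 10 state established enable
set firewall name VLAN100_IN rule 10 state related enable
set firewall name VLAN100_IN rule 20 description 'Drop anything else from VLAN 100 to VLAN 1 and 2'
set firewall name VLAN100_IN rule 20 action drop
set firewall name VLAN100_IN rule 20 protocol all
set firewall name VLAN100_IN rule 20 destination group network-group PRIVATE_VLANS
# Everything else (internet-bound traffic) falls through to default-action accept.

# Attach both rulesets to the VLAN 100 interface (assumed: switch0 vif 100)
set interfaces switch switch0 vif 100 firewall in name VLAN100_IN
set interfaces switch switch0 vif 100 firewall out name VLAN100_OUT

commit
save
exit
```

After the commit, `show firewall name VLAN100_IN statistics` in operational mode shows per-rule packet counters: a test connection from a VLAN 100 host to a VLAN 1 address should increment rule 20 of VLAN100_IN, while one from VLAN 1 into VLAN 100 should increment rule 20 of VLAN100_OUT.  Traffic from VLAN 100 hosts to the router itself (DHCP, DNS) passes through the LOCAL direction and is not touched by either ruleset, so it needs its own policy if you want to restrict it.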

Above is based on this tutorial video I found on YouTube.

