Are firewall rules for internal VLAN routing too?
-
I was under the impression that firewall rules are also used for internal routing between VLANs, not just for Internet/WAN traffic. Is this correct?
I ask because I ran into something that confused me last night. I have a few VLANs set up: storage, WIFI, management, and server. All VLANs have rules set to allow any with the source set as itself. I have a NAS on the storage VLAN which I'm able to browse to shares on from the other VLANs. I can also connect to its web management interface from those VLANs. It's a Synology NAS and they have a software package site that you can connect to for installing addons. I can browse that from the NAS just fine too. Never had any issues.
Last night I was trying to set up NFS and was having issues. While I was triple checking everything I realized I didn't have any firewall rules set up for the storage VLAN that the NAS is on. As I mentioned, I thought the firewall rules were for internal routing, not just the WAN. If that is right, then how was I able to use the NAS from other VLANs and connect to the Internet from it without any issues?
-
Yes, FW rules separate each network.
We are running it and allow only access to servers/printers and some other special devices through different networks.
All other types of internal traffic are blocked and only outgoing traffic is allowed. To allow special networks / servers, admins ^^ and the transfer network easy access to all networks, we defined a "private" alias
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 and set in all LANs a rule * => !private => allow, with gw group... Perhaps you have allowed too much here for WAN (also LAN)?
For special servers/printers/devices it's also good to set aliases for easy expanding of the requirements.
-
Then I'm really confused why I've been able to access the storage VLAN without any rules on that VLAN. I shouldn't have been able to access it at all.
Having no rules means deny all correct?
-
Having no rules on your storage VLAN should have prevented the NAS connecting to a remote package site but not clients on other interfaces connecting to it. Firewall rules apply to traffic entering the interface.
Do you have any floating rules? You may have to clear the state table if you have just changed the rules.
Steve
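To make the point about ingress-interface evaluation concrete, here is a small added model (not the poster's configuration or the firewall's code, and the subnets are assumed) of how per-interface rules plus a state table produce exactly the behaviour described: WIFI clients reach the NAS, replies come back via state, and the NAS alone cannot initiate out of the rule-less storage VLAN:

```python
# Added example (not from the thread): toy pfSense-style evaluation. Rules
# attach to the interface a packet ENTERS on, a state table passes replies
# without a rule, and an interface with no rules hits the default deny.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed VLAN layout; the real one in the thread is not given.
VLANS = {"WIFI": ip_network("192.168.20.0/24"),
         "STORAGE": ip_network("192.168.11.0/24")}

@dataclass
class Rule:
    src: object           # ip_network the source must belong to
    action: str = "pass"  # "pass" or "block"

@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)  # ingress iface -> [Rule]
    states: set = field(default_factory=set)   # (src, dst) pairs allowed

    @staticmethod
    def ingress_iface(src: str) -> str:
        # Which VLAN interface does a packet from this source arrive on?
        for name, net in VLANS.items():
            if ip_address(src) in net:
                return name
        return "WAN"

    def check(self, src: str, dst: str) -> str:
        # 1. Reply to an established state: passed, no rule consulted.
        if (dst, src) in self.states:
            return "pass (state)"
        # 2. Only the rules on the ingress interface are evaluated.
        for rule in self.rules.get(self.ingress_iface(src), []):
            if ip_address(src) in rule.src:
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        # 3. Nothing matched on this interface: implicit default deny.
        return "block (default deny)"

def thread_scenario() -> dict:
    """Reproduce the poster's situation: WIFI has 'source = itself, allow
    any'; STORAGE has no rules at all."""
    fw = Firewall()
    fw.rules["WIFI"] = [Rule(VLANS["WIFI"])]
    client, nas, internet = "192.168.20.50", "192.168.11.10", "203.0.113.10"
    return {"client->nas": fw.check(client, nas),        # passes on WIFI
            "nas->client": fw.check(nas, client),        # passed by state
            "nas->internet": fw.check(nas, internet)}    # STORAGE: denied
```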
-
Floating rules are still at the default of whatever they are when you first install. Haven't touched that tab. Don't know if it's empty or if there are some default rules in there.
-
It might be the switch where the VLANs are set up. If some of the switch ports are still accepting untagged frames, then all devices will talk to all devices regardless of subnet via the switch. I had this issue with a "free" switch I was using and decided to physically segment the network and gave up on VLANs.
-
It might be the switch where the VLANs are set up. If some of the switch ports are still accepting untagged frames, then all devices will talk to all devices regardless of subnet via the switch. I had this issue with a "free" switch I was using and decided to physically segment the network and gave up on VLANs.
Hmmm... would tagged ports act the same way? I have an HP ProLiant 1810G managed switch. HP handles VLAN tagging a little differently than Cisco. Untagged ports put the client on that VLAN and don't require any special settings on the client. Tagged ports are a member of that VLAN but also require the client to be set up to use that VLAN tag.
The NAS is on VLAN 11. The port it uses is set to Tagged for 11 and in order to get it to work I had to tell the NAS that it's on VLAN 11. If I change the port to Untagged for VLAN 11 then I'd have to remove the VLAN 11 setting on the NAS in order for it to work properly.
-
Hi,
Hmmm... would tagged ports act the same way? I have an HP ProLiant 1810G managed switch. HP handles VLAN tagging a little differently than Cisco. Untagged ports put the client on that VLAN and don't require any special settings on the client. Tagged ports are a member of that VLAN but also require the client to be set up to use that VLAN tag.
The NAS is on VLAN 11. The port it uses is set to Tagged for 11 and in order to get it to work I had to tell the NAS that it's on VLAN 11. If I change the port to Untagged for VLAN 11 then I'd have to remove the VLAN 11 setting on the NAS in order for it to work properly.
No, we had this switch as an admin table switch for testing/separating VLANs ;) ... it works as expected - it only lets VLANs through to the untagged/tagged defined ports.
Tim means switches like a D-Link DGS-1008D which we use as a standard table switch for other places...
So every user gets his untagged VLAN but our telephones get their VLAN tagged, too.
-
I’m out of my league here, but maybe the switch acts as a “Router on a Stick”, meaning the switch itself switches the Layer 2 frames between PC and NAS and it does not enter the router. That means whatever firewall rules you have in the router won’t block it.
-
Tim means switches like a D-Link DGS-1008D which we use as a standard table switch for other places...
So every user gets his untagged VLAN but our telephones get their VLAN tagged, too.
Actually, the switch I was having problems with is a Dell PowerConnect 5224. It's a layer 2/3 switch and for some reason I could not delete the untagged VLAN, and on reboots all my settings are lost. Rather than spend the time trying to figure it out (again, "free" switch), I decided to add another switch and physically segment.
Lazy, I know…. :)