Specific IP accessing different subnet
-
I have 3 NICs and created WAN, LAN and OPT1 and called them RED (WAN), GREEN (LAN) and BLUE (OPT1).
GREEN 192.168.1.0/24 and DHCP enabled
BLUE 192.168.2.0/24 and DHCP enabled
GREEN will be connected to desktops & server
BLUE will be connected to Unifi APs
Basically I want a rule that a specific IP (192.168.2.10) on BLUE has access to GREEN and the other way also,
that a specific IP (192.168.1.15) on GREEN has access to BLUE.
My problem was that I didn't get access to Internet from BLUE, so I copied the rules from GREEN -> BLUE and now
connection works to Internet from BLUE.
The next problem is a Catch 22 … if I specify a rule on BLUE telling that 192.168.2.10 should access GREEN and
place it on top, access to Internet will not be tested since the first rule is OK ... and then I lose
Internet connection.
If I do the other way around the access to Internet will be OK and the rule 192.168.2.10 access to GREEN will not
be executed ... This is a logical loop ... is there a way to get Internet connection on BLUE without copying the GREEN rules as I did?
In that case this will solve my problem.
-
I saw on another post how this was solved so I created a rule for BLUE as in attached image.
Should I add IPv6 also as additional rule … for the future ?
-
Forgot to mention that the original problem still remains (Catch 22) … how is that solved ... obviously not by firewall rules
-
A packet is processed on the first rule (line) that "matches", meaning the first permit or deny that matches.
This means the rule sequence (from top to bottom) is important.
You (normally) make the filters on the "Input LAN" (where the packet comes into the firewall), not the output LAN.
So you "block Green on the Green interface", "Blue on the Blue interface" etc …
There is a "hidden Deny anything to anywhere" at the bottom of every interface ruleset, so make sure to also permit the traffic to the internet (the * destination matches ANY IP address, and is used for accessing the internet) ...
You would want to do this:
Green rules
  Permit (Green Host) 192.168.1.15 to "Blue Net" - Permits the specific host
  Deny "Green Net" to "Blue Net" - Denies all Green hosts from reaching Blue net (the one we allow is matched above)
  Permit "Green Net" to * - Allows Green to reach * aka internet
Blue rules
  Permit (Blue Host) 192.168.2.10 to "Green Net" - Permits the specific host
  Deny "Blue Net" to "Green Net" - Denies all Blue hosts from reaching Green net (the one we allow is matched above)
  Permit "Blue Net" to * - Allows Blue to reach * aka internet
/Bingo
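As an added example (not from this thread or the firewall's own code), a small first-match evaluator in Python that encodes the Green/Blue rulesets above, including the hidden deny at the bottom, and shows why the order matters: with the "permit Blue Net to *" rule on top, every Blue host reaches Green and the deny never fires. The host addresses, the 203.0.113.7 "internet" destination and the names are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"  # the "*" destination: matches any IP, used for internet access


@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # single host, CIDR, or ANY
    dst: str     # single host, CIDR, or ANY


def _matches(pattern: str, ip: str) -> bool:
    if pattern == ANY:
        return True
    # a bare host like "192.168.2.10" becomes a /32 network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(ruleset, src_ip: str, dst_ip: str):
    """Return (action, rule_index) of the first matching rule, top to bottom.
    If nothing matches, the hidden default deny at the bottom applies."""
    for index, rule in enumerate(ruleset):
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.action, index
    return "block", None


GREEN_NET = "192.168.1.0/24"
BLUE_NET = "192.168.2.0/24"
INTERNET_HOST = "203.0.113.7"  # constructed external address

# Rules on the Blue interface, in the order recommended in the answer
BLUE_RULES = [
    Rule("pass", "192.168.2.10", GREEN_NET),   # the one allowed host
    Rule("block", BLUE_NET, GREEN_NET),        # everyone else on Blue
    Rule("pass", BLUE_NET, ANY),               # internet for all of Blue
]

# Same rules with "permit to *" on top: it matches first for every packet
BLUE_RULES_MISORDERED = [
    Rule("pass", BLUE_NET, ANY),
    Rule("pass", "192.168.2.10", GREEN_NET),
    Rule("block", BLUE_NET, GREEN_NET),
]

# Mirror image for the Green interface
GREEN_RULES = [
    Rule("pass", "192.168.1.15", BLUE_NET),
    Rule("block", GREEN_NET, BLUE_NET),
    Rule("pass", GREEN_NET, ANY),
]
```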
-
Thanks for explaining … now I understand how I should do :)