Specific IP accessing different subnet

zkab

I have 3 NICs and created WAN, LAN and OPT1 and called them RED (WAN), GREEN (LAN) and BLUE (OPT1).

GREEN 192.168.1.0/24 and DHCP enabled
BLUE 192.168.2.0/24 and DHCP enabled

GREEN will be connected to desktops & server
BLUE will be connected to Unifi APs

Basically I want a rule that a specific ip (192.168.2.10) on BLUE has access to GREEN and the other way also
that a specifik ip (192.168.1.15) on GREEN has access to BLUE.

My problem was that I didn't get access to Internet from BLUE so I copied the ruels from GREEN -> BLUE and now
connection works to Internet from BLUE.

The next problem is Catch 22 … if I specify a rule on BLUE telling that 192.168.2.10 should access GREEN and
place it on top - access to Internet will not be tested since first rule is OK ... and then I loose
Internet connection.
If I do the other way around the access to Internet will be OK and rule 192.168.2.10 access to GREEN will not
be executed ...

This is a logical loop ... is there a way to get Internet connection on BLUE without copying GREEN ruels as I did ?
In that case this will solve my problem.

red.png_thumb

green.png_thumb

blue.png_thumb

nat.png_thumb

zkab

I saw on another post how this was solved so I created a rule for BLUE as in attached image.
Should I add IPv6 also as additional rule … for the future ?

rule.png_thumb

zkab

Forgot to mention that the original problem still remains (Catch 22) … how is that solved ... obviously not by firewall rules

bingo600

A packet is processed on the first rule (line) that "matches" , meaning first permit or deny that matches.
This means the rules sequence (from top to bottom) is important.

You (normally) make the filters on the "Input Lan" (Where the packet comes into the firewall) , not the Output lan.

So you "Block Green , on the Green interface" , "Blue on the Blue interface etc …"

There is a "Hidden Deny Anything to anywhere" at the bottom if every interface ruleset , so make sure to permit also the traffic to the internet (the * destination matches ANY ip address , and is used for accessing the internet) ...

You would want to do this:


Green rules

Permit (Green Host) 192.168.1.15 to "Blue Net"     - Permits the specific host
Deny  "Green Net" to "Blue Net"                             - Deny's all Green hosts to reach Blue net  (the one we allow is matched above)
Permit "Green Net" to *                                         - Allow green to reach * aka internet

Blue rules

Permit (Blue Host)  192.168.2.10 to "Green Net)    - Permits the specific host
Deny   "Blue Net"    to "Green Net"                         - Deny's all Blue hosts to reach Green net (the one we allow is matched above)
Permit "Blue Net" to *                                            - Allow blue to reach * aka internet

/Bingo

zkab

Thanks for explaining … now I understand how I should do :)