Specific IP accessing different subnet



  • I have 3 NICs and created WAN, LAN and OPT1 and called them RED (WAN), GREEN (LAN) and BLUE (OPT1).

    GREEN 192.168.1.0/24 and DHCP enabled
    BLUE 192.168.2.0/24 and DHCP enabled

    GREEN will be connected to desktops & server
    BLUE will be connected to Unifi APs

    Basically I want a rule that a specific IP (192.168.2.10) on BLUE has access to GREEN, and the other way around also,
    that a specific IP (192.168.1.15) on GREEN has access to BLUE.

    My problem was that I didn't get access to the Internet from BLUE, so I copied the rules from GREEN -> BLUE and now
    the connection to the Internet works from BLUE.

    The next problem is a Catch 22 … if I specify a rule on BLUE telling that 192.168.2.10 should access GREEN and
    place it on top, access to the Internet will not be tested since the first rule is OK ... and then I lose the
    Internet connection.
    If I do it the other way around, access to the Internet will be OK and the rule "192.168.2.10 access to GREEN" will
    not be executed ...

    This is a logical loop ... is there a way to get an Internet connection on BLUE without copying the GREEN rules as I did?
    In that case this will solve my problem.









  • I saw on another post how this was solved so I created a rule for BLUE as in attached image.
    Should I add IPv6 also as additional rule … for the future ?




  • Forgot to mention that the original problem still remains (Catch 22) … how is that solved ... obviously not by firewall rules



  • A packet is processed on the first rule (line) that "matches", meaning the first permit or deny that matches.
    This means the rule sequence (from top to bottom) is important.

    You (normally) make the filters on the "input LAN" (where the packet comes into the firewall), not the output LAN.

    So you "block Green on the Green interface", "Blue on the Blue interface", etc. …

    There is a hidden "deny anything to anywhere" at the bottom of every interface ruleset, so make sure to also permit the traffic to the Internet (the * destination matches ANY IP address, and is used for accessing the Internet) ...

    You would want to do this:

    
    Green rules
    
    Permit (Green host) 192.168.1.15 to "Blue Net"   - Permits the specific host
    Deny   "Green Net" to "Blue Net"                 - Denies all Green hosts from reaching Blue Net (the one we allow is matched above)
    Permit "Green Net" to *                          - Allows Green to reach *, aka the Internet
    
    Blue rules
    
    Permit (Blue host) 192.168.2.10 to "Green Net"   - Permits the specific host
    Deny   "Blue Net" to "Green Net"                 - Denies all Blue hosts from reaching Green Net (the one we allow is matched above)
    Permit "Blue Net" to *                           - Allows Blue to reach *, aka the Internet
    
    

    /Bingo
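The first-match evaluation the answer above describes, as an added example that is not part of the original thread and not anyone's real firewall configuration: a small Python simulator that walks a per-interface ruleset top to bottom, applies the hidden deny when nothing matches, and runs a few constructed Blue-side flows through both the recommended Blue ruleset and the same three rules with the "permit Blue Net to *" line moved to the top. The `Rule` class, the flow names and the address 203.0.113.5 (a documentation-range address standing in for an Internet host) are assumptions made for the illustration. The `dead_rules` check is the practical takeaway: a deny that no flow ever reaches has been shadowed by a broader permit above it.

```python
"""First-match firewall simulator for the Green/Blue rulesets discussed above.

Constructed example: models how per-interface rules are evaluated (first
matching permit/deny wins, hidden deny at the bottom). The rule vocabulary,
the sample rulesets and the test flows are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"                    # the "*" destination from the thread: matches any address
GREEN_NET = "192.168.1.0/24"
BLUE_NET = "192.168.2.0/24"


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # single IP, CIDR prefix, or "*" (any)
    dst: str      # single IP, CIDR prefix, or "*" (any)


def _matches(spec: str, addr: str) -> bool:
    """A rule field matches when it is '*' or the address falls inside its prefix."""
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: list[Rule], src: str, dst: str) -> tuple[str, int | None]:
    """Walk the inbound-interface ruleset top to bottom; the first rule whose
    src and dst both match decides. No match -> hidden deny (index None)."""
    for i, rule in enumerate(rules):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, i
    return "deny", None


# Blue interface ruleset in the order the answer recommends.
BLUE_RULES_CORRECT = [
    Rule("permit", "192.168.2.10", GREEN_NET),  # the one allowed host
    Rule("deny", BLUE_NET, GREEN_NET),          # every other Blue host stays out of Green
    Rule("permit", BLUE_NET, ANY),              # Internet (anything not denied above)
]

# Same three rules with the catch-all permit moved to the top.
BLUE_RULES_MISORDERED = [
    Rule("permit", BLUE_NET, ANY),
    Rule("permit", "192.168.2.10", GREEN_NET),
    Rule("deny", BLUE_NET, GREEN_NET),
]

# Constructed traffic entering on the Blue interface: (src, dst) pairs.
# 203.0.113.5 is a documentation-range address standing in for an Internet host.
FLOWS = {
    "allowed host -> Green": ("192.168.2.10", "192.168.1.15"),
    "other Blue host -> Green": ("192.168.2.50", "192.168.1.15"),
    "allowed host -> Internet": ("192.168.2.10", "203.0.113.5"),
    "other Blue host -> Internet": ("192.168.2.50", "203.0.113.5"),
}


def decisions(rules: list[Rule]) -> dict[str, str]:
    """Run every sample flow through a ruleset and return the verdict for each."""
    return {name: evaluate(rules, src, dst)[0] for name, (src, dst) in FLOWS.items()}


def dead_rules(rules: list[Rule]) -> list[int]:
    """Indices of rules that no sample flow ever reaches, i.e. rules shadowed by
    an earlier, broader one. A shadowed deny is the misordering to look for."""
    hit = {evaluate(rules, src, dst)[1] for src, dst in FLOWS.values()}
    return [i for i in range(len(rules)) if i not in hit]


if __name__ == "__main__":
    for label, rules in (("correct", BLUE_RULES_CORRECT), ("misordered", BLUE_RULES_MISORDERED)):
        print(f"{label}: {decisions(rules)}  shadowed rules: {dead_rules(rules)}")
```

With the recommended order the allowed host reaches Green, every other Blue host is denied to Green, and both still reach the Internet because the permit-to-Green rule simply does not match a non-Green destination and evaluation falls through to "permit Blue Net to *". With the catch-all permit on top, every flow is permitted and the two rules below it are never consulted, which is exactly the shadowing the answer warns about.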



  • Thanks for explaining … now I understand how I should do  :)