Block interfaces from access one another

whiplash

Yo all,

I'm trying to figure out how to prevent my management network from accessing the IT network.

Call management LAN2 and IT LAN1.

Ultimately I would like to block all traffic to LAN 1 and only allow traffic to specific address and open specific ports. How can I achieve this?

Thanks
Whipper

Eugene

Briefly:

1. a packet is analyzed when it is received on the interface, so you have to create proper rules for incoming traffic.
2. everything is disabled unless you explicitly enable it.
   So, feel free to create proper rules according your needs and you are done. -)

louis-m

Hi Eugene. I'm inclined to agree with you on that. i've done 3 installs now and the first 2 did indeed need rules to get things going. the 3rd however decided to let all outgoing through.
so when i added my vlans, LAN1 could talk to LAN2. these were all various nanobsd installs.
however, in answer to the original question, just put a block rule in the lan1 interface with source as lan1 and destination lan2.

GruensFroeschli

so when i added my vlans, LAN1 could talk to LAN2. these were all various nanobsd installs.

Did you make sure that you didnt mix tagged and untagged traffic on the same NIC?

btw: sorry i mistook the edit-button for the quote-button >_<

whiplash

@louis-m:

Hi Eugene. I'm inclined to agree with you on that. i've done 3 installs now and the first 2 did indeed need rules to get things going. the 3rd however decided to let all outgoing through.
so when i added my vlans, LAN1 could talk to LAN2. these were all various nanobsd installs.
however, in answer to the original question, just put a block rule in the lan1 interface with source as lan1 and destination lan2.

Thanks for the input, I've tried that but been told that these devices on block outgoing traffic and not incoming. Thats why I am here trying to find out if this is the case or is it possible and how?!

whiplash

nothing conflicting

Eugene

Screenshots of your rules?

louis-m

Quote
so when i added my vlans, LAN1 could talk to LAN2. these were all various nanobsd installs.
Did you make sure that you didnt mix tagged and untagged traffic on the same NIC?

probably, 1 of the physical nics is untagged and the 2nd nic has 4 x tagged vlans on it. i haven't tried crossing from 1 vlan to another vlan. i would assume that this wouldn't work. i'll dig a little deeper tonight i think.