Why are my VLANs not isolated?
-
I have a few VLANs set up on my network.
192.168.1.0 for LAN
192.168.20.0 for Guest
192.168.30.0 for IOT
192.168.40.0 for IPCameras (this should have no access to the Internet)
Aside from a few exceptions (which I will define using an alias), I want traffic to be segregated by the VLAN it is in.
Here's how my rules are setup:
LAN
Guest
IOT
IPCameras
However, I don't think I did this correctly, as clients on the LAN are able to access the IP cameras despite "IPcameraViewers" being empty.
I.e. I can access 192.168.40.11's web UI from 192.168.1.22.
-
@Roy360 You're not blocking LAN to CAMERAS anywhere I see. Just the CAMERA address is blocked.
Why do you have an OPENVPN CLIENT rule on your LAN?
You also have some redundant rules that will never trigger and aren't needed.
-
@Roy360 said in Why are my VLANs not isolated?:
IP cameras despite "IPcameraViewers" being empty.
Rules are evaluated top down; the first rule to trigger wins and no other rules are evaluated. If you only want IPs that are in your alias to be allowed to the camera network, then below where you allow that, and before your any/any rule at the bottom for internet, you would need to block it, or it will fall through all the rules until it gets to your any rule and be able to get to the camera VLAN, because that rule allows any.
Notice, as @Jarhead mentioned, your reject there is to the camera address, not the whole subnet.
-
@Jarhead said in Why are my VLANs not isolated?:
> @Roy360 You're not blocking LAN to CAMERAS anywhere I see. Just the CAMERA address is blocked.
> Why do you have an OPENVPN CLIENT rule on your LAN?
> You also have some redundant rules that will never trigger and aren't needed.

That's embarrassing. I didn't see that.
I think I fixed up the LAN (and moved the rules into the correct order).
I can no longer access the camera subnet from LAN unless the clients are defined in the alias.
The OpenVPN rule is there so certain LAN clients go through it. Is that not how you do it? I just followed a dated guide on Reddit:
https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/
Can you point out one of the redundant rules? (Unless you meant the duplicated ones. Not sure how that happened, but I removed those.)
-
@Roy360 Those look better from a quick glance - you could probably just create an alias for RFC1918 address space so that those 3 rules would become 1 rule.
Here is an example of a locked-down network that prevents this VLAN from going to any of my other VLANs. The nice thing about using an alias with all RFC1918 space in it is that if I add another VLAN, it's automatically covered.
-
@Roy360 Yeah, I meant the duplicates, which is what that OpenVPN client rule was, but that's gone now.
Most people do what John suggested with the RFC1918 alias; it really makes life easier in the long run.
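The two points raised in this thread, first-match top-down evaluation (why the original ruleset fell through to the any/any pass) and the RFC1918 alias block (why one rule covers every current and future VLAN), can be checked with a small simulator. The following is an added example written for this page, not pfSense code or the poster's actual ruleset: the addresses, the alias members (the thread's "IPcameraViewers" was empty; here 192.168.1.50 is assumed to be in it), the firewall's LAN address 192.168.1.1 and the "reject to the interface address instead of the subnet" mistake are all constructed to mirror the discussion.

```python
"""Simulate pfSense-style first-match firewall evaluation on one interface.

Constructed example for illustration: addresses, alias members and rule
order are assumptions that mirror the forum thread, not a real config.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Aliases (constructed). In pfSense an alias is a list of hosts/networks;
# "<IF> address" is the firewall's own IP on that VLAN, "<IF> net" the subnet.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "IPcameraViewers": ["192.168.1.50"],   # assumed member (thread's alias was empty)
    "CAMERA_NET": ["192.168.40.0/24"],     # "IPCAMERAS net"
    "CAMERA_IF_ADDR": ["192.168.40.1"],    # "IPCAMERAS address" (assumed .1)
    "LAN_ADDR": ["192.168.1.1"],           # firewall's LAN address (DNS/gateway), assumed
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass", "block" or "reject"
    src: str      # alias name or "any"
    dst: str      # alias name or "any"
    label: str = ""


def _nets(spec):
    return [ip_network(m, strict=False) for m in ALIASES[spec]]


def _matches(spec, addr):
    return spec == "any" or any(addr in n for n in _nets(spec))


def evaluate(rules, src, dst):
    """Return (action, label) of the first rule matching src->dst; default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _matches(r.src, s) and _matches(r.dst, d):
            return r.action, r.label
    return "block", "implicit default deny"


def _covers(outer, inner):
    """True if every network in alias `inner` is inside some network of `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return all(any(n.subnet_of(o) for o in _nets(outer)) for n in _nets(inner))


def shadowed(rules):
    """Labels of rules that can never trigger because an earlier rule covers them."""
    return [r.label for i, r in enumerate(rules)
            if any(_covers(e.src, r.src) and _covers(e.dst, r.dst) for e in rules[:i])]


# Ruleset as the thread describes the original mistake: only the camera
# interface *address* is rejected, so LAN -> 192.168.40.11 falls through
# to the any/any pass at the bottom.
BROKEN_LAN_RULES = [
    Rule("pass", "IPcameraViewers", "CAMERA_NET", "viewers to cameras"),
    Rule("reject", "any", "CAMERA_IF_ADDR", "reject camera address (host only!)"),
    Rule("pass", "any", "any", "LAN to internet (any/any)"),
]

# Fixed ordering: exceptions first, then the firewall itself (DNS/gateway),
# then block every other local subnet via the RFC1918 alias, then internet.
FIXED_LAN_RULES = [
    Rule("pass", "IPcameraViewers", "CAMERA_NET", "viewers to cameras"),
    Rule("pass", "any", "LAN_ADDR", "LAN to this firewall"),
    Rule("block", "any", "RFC1918", "block LAN to all other local subnets"),
    Rule("pass", "any", "any", "LAN to internet (any/any)"),
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        print(name, "192.168.1.22 -> 192.168.40.11:", evaluate(rules, "192.168.1.22", "192.168.40.11"))
    print("shadowed in broken + late block:",
          shadowed(BROKEN_LAN_RULES + [Rule("block", "any", "CAMERA_NET", "late block")]))
```

Because `block LAN to all other local subnets` matches the whole RFC1918 alias, a VLAN added later (say 192.168.50.0/24) is denied without touching the ruleset, which is the point John makes above; `shadowed()` reproduces Jarhead's "rules that will never trigger" observation by flagging any rule placed after an any/any pass.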