Multi LAN with floating rules

I'm configuring a firewall with the following interfaces:
WAN ( for now, will be connected by PPPoE to a fiber uplink)
Vlan51 (
Vlan52 (
Vlan53 (
Vlan54 (

Only 4 VLANs while testing, but there will be 50 - 200 in production.

I'm trying to configure it so that all VLANs can access the internet but no VLAN can access another VLAN. Only selected VLANs may do that. Configuring the appropriate rules for every interface will take a lot of time, and I've got more of these machines to configure. So I've decided to use Floating rules. This is working with the following config:

No rules whatsoever on the VLAN interfaces.
2 Floating rules, from top to bottom:
Action: Reject
Interfaces: All VLANs selected
Direction: Out
Source: Not Alias: "AllowedToInterVlan"
Destination: Network:

Action: Pass
Interfaces: All VLANs selected
Direction: In

The Alias "AllowedToInterVlan" contains only for now.

This works: Host can ping, but when pings, the packets are rejected by the firewall. All hosts can access the internet.

The problem is, because no uninitiated connections to hosts can leave the VLAN interfaces, the firewall cannot ping a host in that range. E.g., the firewall itself cannot ping OR, but they can both ping the firewall.

In all the solutions I can come up with, I either have to create an alias that contains the interface IP for all VLAN interfaces OR all VLAN subnets. Is there anyone who can come up with a solution that doesn't require some action to be performed for every VLAN (except for applying the Floating rules to them, of course)?
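As an added illustration (not the poster's configuration), this Python model walks a few packets through the two floating rules exactly as described above, using constructed addresses because the post's own are elided. It ignores pf state tracking and the WAN ruleset, so it only reproduces the behaviour the post reports, including the firewall's own pings being rejected on the Out leg.

```python
"""Toy first-match model of the post's two floating rules.
Addresses, networks and the alias member are constructed placeholders."""
import ipaddress

# Constructed: one host allowed to cross VLANs, two VLAN interfaces.
ALLOWED_TO_INTERVLAN = {ipaddress.ip_address("10.51.0.10")}
VLAN_IFACES = {"vlan51": ipaddress.ip_network("10.51.0.0/24"),
               "vlan52": ipaddress.ip_network("10.52.0.0/24")}
FIREWALL_ADDRS = {net[1] for net in VLAN_IFACES.values()}   # .1 on each VLAN
# Stands in for the reject rule's (elided) destination network.
VLAN_SUMMARY = ipaddress.ip_network("10.0.0.0/8")


def iface_for(addr):
    """Interface a destination is reached through; anything else goes via WAN."""
    for name, net in VLAN_IFACES.items():
        if addr in net:
            return name
    return "wan"


def evaluate(src, dst, from_firewall=False):
    """Return 'pass', 'reject' or 'drop' for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not from_firewall:
        # 'In' leg on the ingress interface: rule 2 passes anything from a VLAN.
        if iface_for(src) not in VLAN_IFACES:
            return "drop"        # implicit default deny for other ingress
    # Traffic to the firewall itself is delivered locally: no 'Out' leg,
    # so rule 1 never sees it and hosts can still ping the firewall.
    if dst in FIREWALL_ADDRS:
        return "pass"
    # 'Out' leg on the egress interface: rule 1 rejects non-alias sources
    # headed into the VLAN network. Locally generated traffic (the firewall's
    # own pings) has only this leg, and its interface IP is not in the alias.
    out_if = iface_for(dst)
    if out_if in VLAN_IFACES and src not in ALLOWED_TO_INTERVLAN and dst in VLAN_SUMMARY:
        return "reject"
    return "pass"                # Internet via WAN, or an alias member crossing VLANs


if __name__ == "__main__":
    cases = [("10.51.0.10", "10.52.0.5", False),    # alias member -> other VLAN
             ("10.51.0.20", "10.52.0.5", False),    # ordinary host -> other VLAN
             ("10.51.0.20", "203.0.113.9", False),  # ordinary host -> Internet
             ("10.52.0.5", "10.51.0.1", False),     # host -> firewall's own address
             ("10.51.0.1", "10.52.0.5", True)]      # firewall -> VLAN host (the problem)
    for s, d, fw in cases:
        print(f"{s:>12} -> {d:<12} {'(firewall)' if fw else '':10} {evaluate(s, d, fw)}")
```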
