Multi LAN with floating rules

  • I'm configuring a firewall with the following interfaces:
    WAN (172.21.1.61 for now, will be connected by PPPoE to a fiber uplink)
    Vlan51 (10.1.51.1)
    Vlan52 (10.1.52.1)
    Vlan53 (10.1.53.1)
    Vlan54 (10.1.54.1)

    Only 4 Vlans while testing but will be 50 - 200 when in production.

    I'm trying to configure it so that all VLANs can access the internet but no VLAN can access another VLAN. Only selected VLANs may do that. Configuring the appropriate rules for every interface will take a lot of time and I've got more of these machines to configure. So I've decided to use Floating rules. This is working with the following config:

    No rules whatsoever on the VLAN interfaces.
    2 Floating rules from top to bottom:
    Action: Reject
    Interfaces: All VLANs selected
    Direction: Out
    Source: Not Alias: "AllowedToInterVlan"
    Destination: Network: 10.0.0.0/8

    Action: Pass
    Interfaces: All VLANs selected
    Direction: In

    The Alias "AllowedToInterVlan" contains only 10.1.51.0/24 for now.

    This works: host 10.1.51.101 can ping 10.1.52.101, but when 10.1.52.101 pings 10.1.51.101, the packets are rejected by the firewall. All hosts can access the internet.

    The problem is, because no uninitiated connections to 10.0.0.0/8 hosts can leave the VLAN interfaces, the firewall cannot ping a host in that range. E.g., the firewall itself cannot ping 10.1.52.101 OR 10.1.51.101 but they can both ping the firewall.

    In all the solutions I can come up with, I either have to create an alias that contains the interface IP for all VLAN interfaces OR all VLAN subnets. Is there anyone who can come up with a solution that doesn't require some action to be performed for every VLAN? (except for applying the Floating rules to them, of course)
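To make the symptom in the post easier to reason about, here is an added toy model of the two floating rules (example code, not the poster's config or anything exported from pfSense). It assumes first-match evaluation, that traffic entering a VLAN interface without a matching "in" rule is dropped, and that traffic leaving without a matching "out" rule is allowed; the firewall's own pings use the egress interface address as source, which is why they hit the Reject rule.

```python
"""Toy model of the floating-rule policy described in the post (constructed)."""
from ipaddress import ip_address, ip_network

# Interface addresses from the post; the alias holds only 10.1.51.0/24.
IFACE_ADDR = {"vlan51": "10.1.51.1", "vlan52": "10.1.52.1",
              "vlan53": "10.1.53.1", "vlan54": "10.1.54.1"}
ALLOWED_TO_INTER_VLAN = [ip_network("10.1.51.0/24")]
TEN_NET = ip_network("10.0.0.0/8")


def iface_for(ip: str) -> str:
    """Pick the VLAN interface a packet leaves through, or 'wan' (assumed)."""
    for name, addr in IFACE_ADDR.items():
        if ip_address(ip) in ip_network(f"{addr}/24", strict=False):
            return name
    return "wan"


def evaluate(direction: str, iface: str, src: str, dst: str) -> str:
    """Apply the two floating rules, top to bottom, to one packet."""
    if iface in IFACE_ADDR:
        # Rule 1: Reject, Out, source NOT in alias, destination 10.0.0.0/8
        in_alias = any(ip_address(src) in n for n in ALLOWED_TO_INTER_VLAN)
        if direction == "out" and not in_alias and ip_address(dst) in TEN_NET:
            return "reject"
        # Rule 2: Pass, In
        if direction == "in":
            return "pass"
    # Assumed defaults: outbound allowed, inbound blocked without a rule.
    return "pass" if direction == "out" else "block"


def can_reach(src: str, dst: str) -> bool:
    """Trace a packet through its ingress and egress checks.

    Firewall-originated packets have no ingress check; packets addressed to
    the firewall itself are never forwarded out, so they have no egress check.
    """
    fw_addrs = set(IFACE_ADDR.values())
    if src not in fw_addrs:
        if evaluate("in", iface_for(src), src, dst) != "pass":
            return False
    if dst in fw_addrs:
        return True
    return evaluate("out", iface_for(dst), src, dst) == "pass"


if __name__ == "__main__":
    print("51 -> 52:", can_reach("10.1.51.101", "10.1.52.101"))   # True
    print("52 -> 51:", can_reach("10.1.52.101", "10.1.51.101"))   # False
    print("fw -> 52.101:", can_reach("10.1.52.1", "10.1.52.101"))  # False
```

Running it reproduces the post's observations: inter-VLAN traffic is allowed only when the source is in the alias, hosts can reach the firewall, and the firewall's own ping out of a VLAN interface is rejected because its source address is not in the alias.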
