Netgate Discussion Forum
    Multi LAN with floating rules

    Category: Firewalling. 1 post, 1 poster, 2.3k views.
    Joolee

      I'm configuring a firewall with the following interfaces:
      WAN (172.21.1.61 for now, will be connected by PPPoE to a fiber uplink)
      Vlan51 (10.1.51.1)
      Vlan52 (10.1.52.1)
      Vlan53 (10.1.53.1)
      Vlan54 (10.1.54.1)

      Only 4 Vlans while testing but will be 50 - 200 when in production.

      I'm trying to configure that all vlans can access internet but no vlan can access another vlan. Only selected Vlans may do that. Configuring the appropriate rules for every interface will take a lot of time and I've got more of these machines to configure. So I've decided to use Floating rules. This is working with the following config:

      No rules whatsoever on the VLAN interfaces.
      2 Floating rules from top to bottom:
      Action: Reject
      Interfaces: All VLANs selected
      Direction: Out
      Source: Not Alias: "AllowedToInterVlan"
      Destination: Network: 10.0.0.0/8

      Action: Pass
      Interfaces: All VLANs selected
      Direction: In

      The Alias "AllowedToInterVlan" contains only 10.1.51.0/24 for now.

      This works. Host 10.1.51.101 can ping 10.1.52.101, but when 10.1.52.101 pings 10.1.51.101, the packets are rejected by the firewall. All hosts can access the internet.

      The problem is, because no uninitiated connections to 10.0.0.0/8 hosts can leave the VLAN interfaces, the firewall cannot ping a host in that range. E.g., the firewall itself cannot ping 10.1.52.101 OR 10.1.51.101 but they can both ping the firewall.

      In all the solutions I can come up with, I either have to create an alias that contains the interface IP for all VLAN interfaces OR all VLAN subnets. Is there anyone that can come up with a solution that doesn't require some action to be performed for every vlan? (except for applying the Floating rules to them of course)
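
To make the behaviour in this post reproducible offline, here is a small Python model of how the two floating rules evaluate the flows described above (added example, not pfSense code or the poster's configuration). It assumes a simplified first-match semantics: "In" rules see packets entering a VLAN interface, "Out" rules see packets leaving one, including packets the firewall originates itself, and replies of an established state are not re-evaluated. The interface names, addresses and the `allowed` parameter are taken from the thread; the `from_firewall` flag and the sample internet address are constructed.

```python
import ipaddress as ip

# Constructed topology, taken from the thread: four VLAN interfaces plus WAN.
VLAN_IFS = {"vlan51": "10.1.51.1", "vlan52": "10.1.52.1",
            "vlan53": "10.1.53.1", "vlan54": "10.1.54.1"}
TEN_NET = ip.ip_network("10.0.0.0/8")
ALLOWED_TO_INTER_VLAN = [ip.ip_network("10.1.51.0/24")]  # the poster's alias

def egress_if(dst):
    """Route lookup: the VLAN whose connected /24 holds dst, otherwise WAN."""
    for name, addr in VLAN_IFS.items():
        if ip.ip_address(dst) in ip.ip_network(addr + "/24", strict=False):
            return name
    return "wan"

def decide(src, dst, allowed=ALLOWED_TO_INTER_VLAN, from_firewall=False):
    """Return 'pass' or 'reject' for the first packet of a new flow.

    Simplified model (an assumption, not pf's full semantics): floating rules
    are first-match; 'In' rules match packets entering an interface, 'Out'
    rules match packets leaving one, including packets the firewall itself
    originates.  Replies of an established state are never re-evaluated,
    which is why an allowed ping still gets its echo reply back even though
    the reverse flow on its own would be rejected.
    """
    in_if = None if from_firewall else egress_if(src)  # VLAN the source sits on
    out_if = egress_if(dst)
    src_allowed = any(ip.ip_address(src) in n for n in allowed)
    # Floating rule 1: Reject, all VLANs, direction Out,
    #                  source NOT AllowedToInterVlan, destination 10.0.0.0/8
    if out_if in VLAN_IFS and not src_allowed and ip.ip_address(dst) in TEN_NET:
        return "reject"
    # Floating rule 2: Pass, all VLANs, direction In (no source/destination limit)
    if in_if in VLAN_IFS:
        return "pass"
    # Firewall-originated packets are never 'In' on a VLAN; with no block rule
    # matching, the firewall's own traffic is let out.
    return "pass" if from_firewall else "reject"

if __name__ == "__main__":
    for src, dst, fw in [("10.1.51.101", "10.1.52.101", False),
                         ("10.1.52.101", "10.1.51.101", False),
                         ("10.1.52.101", "198.51.100.7", False),
                         ("10.1.52.1", "10.1.52.101", True)]:
        print(f"{src:>12} -> {dst:<14} {decide(src, dst, from_firewall=fw)}")
```

Passing an `allowed` list that also contains the VLAN interface addresses reproduces the poster's first candidate fix: the firewall's own ping to 10.1.52.101 then passes, at the cost of one alias entry per VLAN.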

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.