Best practice for firewalled routing between VLANs?
I'm setting up a box that will perform routing and firewalling between multiple VLANs and the Internet. VLANs are for different groups of users/machines (Staff, Students, Servers etc.) and need firewalling between the individual VLANs as well as between VLANs and the Internet (i.e., Student PCs cannot talk to Staff PCs, both Staff and Student PCs can access [some, not necessarily the same] servers, etc.).
Is it considered best practice to do this via firewall rulesets on the interfaces for the different VLANs (in which case rules might be needed on both VLANs to ensure bi-directional communication?) or is it considered simpler in that instance to put all (or most) of the rules in the floating ruleset?
With at least 7 or 8 VLANs, it seems neater and easier to understand to have everything in one place (the floating ruleset) rather than going back and forth between tabs. Is there any negative to doing that vs individual rulesets?
The drawback I see is that rules in the floating area are applied to all interfaces and you will need to make sure that you write your rules accordingly. Also note that the default action in the floating rules is to pass.
Using the Aliases (Firewall -> Aliases) is another helpful way to produce smaller and more readable firewall rule-sets.
This document helped me out a lot with the VLAN firewalling.
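As an added illustration (not from the thread or from pfSense's own generated config), here is a pf.conf sketch of the per-interface approach for the Staff/Student/Server layout in the question, using tables as the equivalent of aliases; it also shows why the floating-rule caveat above matters. Interface names, subnets and server addresses are assumed example values.

```pf
# Assumed interface names and subnets (example values, not from the thread)
staff_if    = "vlan10"
student_if  = "vlan20"
servers_if  = "vlan30"

staff_net   = "10.10.0.0/24"
student_net = "10.20.0.0/24"
servers_net = "10.30.0.0/24"

# Aliases as pf tables: the servers each group may reach, and all VLANs
table <staff_servers>   { 10.30.0.10, 10.30.0.11 }
table <student_servers> { 10.30.0.10 }
table <vlans>           { 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24 }

set skip on lo0

# Default deny on every interface; every pass below is an explicit exception.
block log all

# A floating rule has no "on $interface", so it is evaluated on EVERY
# interface. Written like this it would let any VLAN reach the servers' SSH:
#   pass in quick inet proto tcp from any to <staff_servers> port 22
# Scope a floating rule by explicit source and destination instead:
pass in quick inet proto tcp from $staff_net to <staff_servers> port 22 keep state

# Staff VLAN: rules live on the interface where traffic ENTERS. Replies are
# matched by the state entry, so no mirror rule is needed on the server
# or WAN interface to get bi-directional communication.
pass in quick on $staff_if inet proto udp from any to ($staff_if) port { 53 67 } keep state
pass in quick on $staff_if inet proto { tcp udp } from $staff_net to <staff_servers> port { 53 80 443 } keep state
block in quick on $staff_if from $staff_net to <vlans>            # no other VLAN
pass in quick on $staff_if inet from $staff_net to any keep state  # Internet only

# Student VLAN: same shape, narrower server list.
pass in quick on $student_if inet proto udp from any to ($student_if) port { 53 67 } keep state
pass in quick on $student_if inet proto { tcp udp } from $student_net to <student_servers> port { 53 80 443 } keep state
block in quick on $student_if from $student_net to <vlans>
pass in quick on $student_if inet from $student_net to any keep state

# Server VLAN: servers initiate nothing towards the user VLANs,
# only updates to the Internet.
block in quick on $servers_if from $servers_net to <vlans>
pass in quick on $servers_if inet proto tcp from $servers_net to any port { 80 443 } keep state
```

The same three-rule pattern per VLAN (pass to permitted servers, block to all other VLANs, pass to the Internet) scales to the 7 or 8 VLANs mentioned, with the per-group server table as the only thing that changes.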