VLANs accessing each other mistake



  • Firewall rules on the VLAN40 interface (all pass rules):

    ID  Proto         Source      Port  Destination  Port          Gateway  Queue  Schedule  Description
        IPv4 TCP/UDP  VLAN40 net  *     *            53 (DNS)      *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            21 (FTP)      *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            80 (HTTP)     *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            443 (HTTPS)   *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            143 (IMAP)    *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            993 (IMAP/S)  *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            22 (SSH)      *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            110 (POP3)    *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            995 (POP3/S)  *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            25 (SMTP)     *        none
        IPv4 TCP/UDP  VLAN40 net  *     *            465 (SMTP/S)  *        none

    I have a few VLANs that have the same firewall rules added, but for some reason every VLAN can access each other. I would like to block every VLAN from accessing each other.

    Am I doing something wrong, or?



  • What you're showing is that VLAN 40 can access any of those ports on any network. A good start would be limiting destinations to things not in other VLANs. You could most likely achieve this by creating an alias with all your VLAN ranges that you want to be separated, and using that as a catch-all "NOT" destination. Anything headed to its own VLAN range should be handled before the firewall (in the switch). Unless I'm misunderstanding something, in which case please post something more detailed regarding what you're trying to achieve.



  • I think I understand what you're saying; it's more a how-to I would be looking for now. But isn't that the hard way to do things?



  • Actually, that way should be quite easy. Make the alias "LocalNets" for all the subnets of the VLANs. Then put one rule at the top of the rules for a VLAN that does:
    "block source any, destination LocalNets"
    Then add whatever rules you need after that to pass traffic.
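
    The first reply explains why a destination of "*" on every rule lets VLAN 40 reach the other VLANs, and the last reply gives the fix (a LocalNets alias plus one block rule at the top). As an added example, not code from this thread or from pfSense itself, here is a small Python model of first-match rule evaluation (pfSense interface rules are evaluated top-down and the first match wins) that runs the original rule set and the corrected one against the same packets. The VLAN subnets, the VLAN40 gateway address and the extra DNS pass rule to that gateway are assumptions made for the illustration.

```python
"""Added example (not from the thread): a minimal first-match packet-filter
model showing why the rule set in the original post lets VLANs reach each
other and how a 'block to LocalNets' rule at the top fixes it.
Subnet numbers, the gateway address and the rule order are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed VLAN subnets (constructed for the example; the thread gives none).
VLAN_NETS = {
    "VLAN40 net": ip_network("10.0.40.0/24"),
    "VLAN50 net": ip_network("10.0.50.0/24"),
    "VLAN60 net": ip_network("10.0.60.0/24"),
}
# Assumed firewall address on VLAN40 (the "VLAN40 address" macro in pfSense).
INTERFACE_ADDRS = {"VLAN40 address": ip_network("10.0.40.1/32")}
# Alias covering every internal VLAN range, as the replies suggest.
ALIASES = {"LocalNets": list(VLAN_NETS.values())}


def _expand(name):
    """Resolve '*', an alias, an interface address or an interface net
    to a list of networks."""
    if name == "*":
        return [ip_network("0.0.0.0/0")]
    if name in ALIASES:
        return ALIASES[name]
    if name in INTERFACE_ADDRS:
        return [INTERFACE_ADDRS[name]]
    return [VLAN_NETS[name]]


def _match(rule, src, dst, dport):
    return (any(src in n for n in _expand(rule["src"]))
            and any(dst in n for n in _expand(rule["dst"]))
            and rule["dport"] in ("*", dport))


def evaluate(rules, src, dst, dport):
    """Return the action of the first matching rule. pfSense's implicit
    default when nothing matches is to block."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if _match(rule, src, dst, dport):
            return rule["action"]
    return "block"


def pass_rule(dport, dst="*"):
    return {"action": "pass", "src": "VLAN40 net", "dst": dst, "dport": dport}


# The original poster's VLAN40 rules: destination '*' for every service.
ORIGINAL_RULES = [pass_rule(p) for p in (53, 21, 80, 443, 143, 993, 22, 110, 995, 25, 465)]

# Corrected order: DNS to the firewall's own VLAN40 address (assumed to be the
# resolver, and inside LocalNets, so it must come first), then the block rule
# from the replies, then the same pass rules as before.
FIXED_RULES = [
    pass_rule(53, dst="VLAN40 address"),
    {"action": "block", "src": "*", "dst": "LocalNets", "dport": "*"},
] + ORIGINAL_RULES

if __name__ == "__main__":
    # Constructed test packets; 203.0.113.0/24 is a documentation range.
    packets = [
        ("VLAN40 -> VLAN50:80", "10.0.40.10", "10.0.50.10", 80),
        ("VLAN40 -> internet:443", "10.0.40.10", "203.0.113.10", 443),
        ("VLAN40 -> gateway:53", "10.0.40.10", "10.0.40.1", 53),
        ("VLAN40 -> gateway:80", "10.0.40.10", "10.0.40.1", 80),
    ]
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for name, src, dst, dport in packets:
            print(f"{label:8} {name:24} {evaluate(rules, src, dst, dport)}")
```

    The model makes the ordering point concrete: with the block rule first, a pass rule with destination "*" lower down can no longer reach another VLAN, but anything outside LocalNets still matches it, so internet access is unchanged. Any service the firewall itself provides to the VLAN (the DNS example above) needs its own pass rule above the block, because the interface address sits inside the alias.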