    VLAN accessing each other mistake

    Firewalling
    TheEnergy:

      ID  Proto         Source      Port  Destination  Port           Gateway  Queue  Schedule  Description
      --  ------------  ----------  ----  -----------  -------------  -------  -----  --------  -----------
          IPv4 TCP/UDP  VLAN40 net  *     *            53 (DNS)       *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            21 (FTP)       *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            80 (HTTP)      *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            443 (HTTPS)    *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            143 (IMAP)     *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            993 (IMAP/S)   *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            22 (SSH)       *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            110 (POP3)     *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            995 (POP3/S)   *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            25 (SMTP)      *        none
          IPv4 TCP/UDP  VLAN40 net  *     *            465 (SMTP/S)   *        none

      I have a few VLANs which have the same firewall rules added, but for some reason every VLAN can access each other. I would like to block every VLAN from accessing each other.

      Am I doing something wrong, or?

    timthetortoise:

      What you're showing is that VLAN 40 can access any of those ports on any network. A good start would be limiting destinations to things not in other VLANs. You could most likely achieve this by creating an alias with all the VLAN ranges you want separated, and using that as a catch-all "NOT" destination. Anything headed to its own VLAN range should be handled before the firewall (in the switch). Unless I'm misunderstanding something, in which case please post something more detailed about what you're trying to achieve.

    TheEnergy:

      I think I understand what you're saying; it's more a how-to I would be looking for now. But isn't that the hard way to do things?

    phil.davis:

      Actually, that way should be quite easy. Make an alias "LocalNets" containing all the subnets of the VLANs. Then put one rule at the top of the rules for a VLAN that does:
      "block source any, destination LocalNets"
      Then add whatever rules you need after that to pass traffic.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

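The rule-ordering point in the thread, worked as an added example (this is not code from the thread or from pfSense; pfSense rules are evaluated top-down and the first matching rule wins). The VLAN subnets, the firewall's VLAN40 address and the "LocalNets" contents are assumptions. It evaluates a few sample flows against the posted VLAN40 ruleset and against the same ruleset with the "block source any, destination LocalNets" rule placed first, and also shows an edge case the thread does not mention: since the VLAN40 subnet is itself part of LocalNets, the block rule also catches DNS sent to the firewall's own VLAN40 address unless a pass rule for it sits above the block.

```python
"""Added example: first-match evaluation of pfSense-style interface rules,
comparing the posted VLAN40 ruleset with one that blocks LocalNets first."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed addressing; the thread never gives subnets, so these are assumptions.
VLANS = {
    "VLAN10": Net("192.168.10.0/24"),
    "VLAN20": Net("192.168.20.0/24"),
    "VLAN40": Net("192.168.40.0/24"),
}
VLAN40_ADDRESS = Net("192.168.40.1/32")   # firewall's own address on VLAN40 (assumed)
ANY = Net("0.0.0.0/0")

# The "LocalNets" alias from the thread: every VLAN subnet that must stay separated.
LOCALNETS: Tuple[Net, ...] = tuple(VLANS.values())

# Destination ports of the posted VLAN40 rules, in their original order.
POSTED_PORTS = [53, 21, 80, 443, 143, 993, 22, 110, 995, 25, 465]


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: Tuple[Net, ...]        # source networks (an alias is just a tuple of networks)
    dst: Tuple[Net, ...]        # destination networks
    dport: Optional[int]        # None means any destination port
    description: str


def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(s in n for n in rule.src)
            and any(d in n for n in rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Top-down, first match wins (pfSense GUI rules are 'quick' rules);
    traffic matching nothing falls to the interface's implicit default deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action, rule.description
    return "block", "default deny"


def posted_rules() -> List[Rule]:
    """The ruleset as posted: VLAN40 net -> anywhere (*) on each listed port."""
    return [Rule("pass", (VLANS["VLAN40"],), (ANY,), p, f"VLAN40 net to any port {p}")
            for p in POSTED_PORTS]


def isolated_rules(allow_firewall_dns: bool = True) -> List[Rule]:
    """The same pass rules with 'block source any, destination LocalNets' on top.
    Because VLAN40's own subnet is inside LocalNets, that block also catches DNS
    to the firewall's VLAN40 address; the optional pass rule ahead of it is an
    assumption of this example, not something the thread spells out."""
    rules: List[Rule] = []
    if allow_firewall_dns:
        rules.append(Rule("pass", (VLANS["VLAN40"],), (VLAN40_ADDRESS,), 53, "DNS to firewall"))
    rules.append(Rule("block", (ANY,), LOCALNETS, None, "block to LocalNets"))
    rules.extend(posted_rules())
    return rules


if __name__ == "__main__":
    cases = [
        ("VLAN40 host -> VLAN20 web server", "192.168.40.10", "192.168.20.5", 80),
        ("VLAN40 host -> Internet HTTPS",    "192.168.40.10", "203.0.113.9", 443),
        ("VLAN40 host -> firewall DNS",      "192.168.40.10", "192.168.40.1", 53),
    ]
    for label, s, d, p in cases:
        print(f"{label:36} posted: {evaluate(posted_rules(), s, d, p)[0]:5}  "
              f"isolated: {evaluate(isolated_rules(), s, d, p)[0]}")
```

Two practical checks when applying this on a real pfSense box: the rule order in the interface tab is the evaluation order, so the LocalNets block must sit above every pass rule that has "*" as its destination; and adding a block rule does not cut existing connections, because pf only consults the ruleset for the first packet of a flow, so an already-open inter-VLAN session keeps working until its state is cleared or times out. Traffic between two hosts on the same VLAN never reaches the firewall at all, as timthetortoise notes, so no rule here can restrict it.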