I would like to operate three different VLANs in the network (LAN 10, IOT 15, GUEST 20). As usual, I have created these on the network bridge. I then set up separate DHCP with different IP ranges for each network interface.
I then created two new firewall zones accordingly. I would like to implement these very restrictively.
Below is part of the firewall rules:
```
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option fullcone '0'
	option flow_offloading '0'
	option flow_offloading_hw '0'
	option synflood_protect '1'
	option drop_invalid '1'

config zone 'zone_lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	option auto_helper '1'

config zone
	option name 'iot'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'IOT'

config zone
	option name 'guest'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'vpn'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'vpn'
```
Both IOT and GUEST should only be allowed to access the Internet (they should be separated because LAN requires IOT access, but GUEST does not). Since I drop all input in the standard, corresponding rules for DHCP and DNS are created:
```
config rule
	option name 'IoT-DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'IoT-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'guest-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
```
When I connect to the VLAN, I receive an IP address but no Internet access. Only when I set the input to Accept for these zones can I access the internet, but unfortunately also all routers, which should not be the case.
So, to my questions:
Does WAN or VPN have to be enabled as a destination (I tried both without success during testing)?
What other firewall rules are needed for pure Internet access to work?
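The following is an added example, not code from the post or from the OpenWrt project: a small checker that parses a UCI firewall excerpt (the one quoted above, trimmed to the zones, forwardings and the two IoT rules, and embedded as constructed input) and summarises the policy it expresses. It applies the fw3/fw4 semantics that cross-zone traffic needs an explicit `forwarding` section, that a zone's own `forward` option only governs traffic between networks inside that zone, and that a `rule` with `src` but no `dest` matches traffic to the router itself (proto defaults to tcp+udp, target to DROP when unset). It assumes that `wan` and `vpn` are the zones leading to the Internet, as the post implies; because the post only shows part of the configuration, anything it reports as absent may simply lie outside the excerpt.

```python
"""Summarise the zone policy an OpenWrt (fw3/fw4) UCI firewall excerpt
expresses: inter-zone forwardings, per-zone reachability, and the ports each
zone may reach on the router.  Added example; it only reads UCI text."""
import shlex
from collections import defaultdict

# Constructed input: the zones, forwardings and IoT input rules quoted in the post.
SAMPLE_CONFIG = """
config defaults
	option input 'DROP'
	option forward 'DROP'
config zone 'zone_lan'
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'iot'
	option input 'DROP'
	option forward 'DROP'
	list network 'IOT'
config zone
	option name 'guest'
	option input 'DROP'
	option forward 'DROP'
	list network 'guest'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'vpn'
config forwarding
	option src 'iot'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'vpn'
config rule
	option name 'IoT-DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67 68'
	option target 'ACCEPT'
config rule
	option name 'IoT-DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
"""


def parse_uci(text):
    """Return UCI sections in file order as dicts; `list` keys become lists."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # strips the single quotes around values
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            current = {'.type': parts[1]}
            sections.append(current)
        elif parts[0] == 'option' and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def zone_policy(sections):
    """Collect zones, forwarding pairs and router-input rules per source zone."""
    zones, forwards, inbound = {}, defaultdict(set), defaultdict(list)
    for s in sections:
        if s['.type'] == 'zone':
            zones[s['name']] = s
        elif s['.type'] == 'forwarding':
            forwards[s['src']].add(s['dest'])
        elif s['.type'] == 'rule' and 'src' in s and 'dest' not in s:
            # src without dest: traffic addressed to the router (input chain).
            proto = s.get('proto', 'tcp udp')
            if isinstance(proto, list):
                proto = ' '.join(proto)
            inbound[s['src']].append(
                (proto, s.get('dest_port', 'any'), s.get('target', 'DROP')))
    return zones, forwards, inbound


def can_forward(zones, forwards, src, dest):
    """Cross-zone traffic needs a forwarding section; a zone's `forward` option
    only covers traffic between networks that belong to that same zone."""
    if src == dest:
        return zones.get(src, {}).get('forward', 'DROP') == 'ACCEPT'
    return dest in forwards.get(src, set())


def review(text, internet=('wan', 'vpn')):
    """Check the excerpt against the isolation goals stated in the post."""
    zones, forwards, inbound = zone_policy(parse_uci(text))
    findings = []
    for z in ('iot', 'guest'):
        reach = [d for d in internet if can_forward(zones, forwards, z, d)]
        findings.append(f"{z} -> internet via: {', '.join(reach) or 'none'}")
        for other in zones:
            if other != z and can_forward(zones, forwards, z, other):
                findings.append(f"{z} may reach {other}: not isolated")
        findings.append(f"{z} inbound to router: {inbound.get(z, [])}")
    if not can_forward(zones, forwards, 'lan', 'iot'):
        findings.append('lan -> iot forwarding absent from excerpt')
    undefined = {d for ds in forwards.values() for d in ds} - set(zones)
    if undefined:
        findings.append(f"destination zones not defined in excerpt: {sorted(undefined)}")
    return findings


if __name__ == '__main__':
    print('\n'.join(review(SAMPLE_CONFIG)))
```

Run against the excerpt, the checker confirms that `iot` and `guest` have no path to `lan` or to each other and that each has forwardings to `wan` and `vpn`; it also flags that the excerpt defines neither a `wan` nor a `vpn` zone and contains no `lan` to `iot` forwarding, both of which would have to appear in the part of the configuration not shown. Pointing it at the full `/etc/config/firewall` instead of the constructed sample turns those two findings into either confirmations or the first places to look.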