Hi,
Our main MikroTik (MT) firewall configuration is quite old, and I'm sure it could be optimized.
So I started playing around with a small test setup: 1 MT + 1 Hyper-V server (with different VLANs).
My Setup seems to be working so far.
This is my VLAN isolation config (ip firewall filter). Is it a sound/good config, or are there mistakes or better/shorter ways to do it?
The goal is to have the VLANs completely isolated from each other; only a few servers/services should be reachable from other VLANs.
Many thanks for any input!
Rick
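# ip firewall filter rules for VLAN 164 (172.16.4.0/24).
# Rule order matters: the first matching rule in a chain wins, so each VLAN
# section is laid out as: stateful accept/drop -> router services (input) ->
# explicit forward allows -> final deny. The disabled "log" rules are only
# visual separators in the rule list and never match anything.
add action=log chain=forward comment="============= VLAN 164 ========================" disabled=yes
# Stateful baseline: replies to already-accepted connections pass, anything
# conntrack flags as invalid is dropped (needed so the established/related
# accept cannot be satisfied by packets with bogus state).
add action=accept chain=forward comment="VLAN164 - allow established+related connections" connection-state=established,related out-interface=vlan164-172.16.4.0/24
add action=drop chain=forward comment="VLAN164 - drop invalid connections (important for established rule)" connection-state=invalid out-interface=vlan164-172.16.4.0/24
add action=accept chain=forward comment="VLAN164 - allow established+related connections" connection-state=established,related in-interface=vlan164-172.16.4.0/24
add action=drop chain=forward comment="VLAN164 - drop invalid connections (important for established rule)" connection-state=invalid in-interface=vlan164-172.16.4.0/24
add action=accept chain=input comment="VLAN164 - allow established+related connections" connection-state=established,related in-interface=vlan164-172.16.4.0/24
add action=drop chain=input comment="VLAN164 - drop invalid connections (important for established rule)" connection-state=invalid in-interface=vlan164-172.16.4.0/24
add action=accept chain=output comment="VLAN164 - allow established+related connections" connection-state=established,related out-interface=vlan164-172.16.4.0/24
add action=drop chain=output comment="VLAN164 - drop invalid connections (important for established rule)" connection-state=invalid out-interface=vlan164-172.16.4.0/24
add action=log chain=forward comment="============= VLAN 164 GATEWAY ========================" disabled=yes
# Services the router itself (172.16.4.254) offers to this VLAN. All three rules
# match in-interface=vlan164, so their labels read VLAN164 (the copies of these
# rules had been mislabelled VLAN163/VLAN162).
add action=accept chain=input comment="VLAN164 - access ntp" dst-address=172.16.4.254 dst-port=123 in-interface=vlan164-172.16.4.0/24 protocol=udp
# NOTE(review): only UDP/53 is opened. Resolvers that retry over TCP/53 for
# truncated answers will fail here - add a matching protocol=tcp rule if that
# turns out to be needed.
add action=accept chain=input comment="VLAN164 - access dns" dst-address=172.16.4.254 dst-port=53 in-interface=vlan164-172.16.4.0/24 protocol=udp
# NOTE(review): accepts every ICMP type from the VLAN with no rate limit. If
# only ping is wanted, restrict with icmp-options=8:0 and consider a limit=
# matcher against floods.
add action=accept chain=input comment="VLAN164 - ping" dst-address=172.16.4.254 in-interface=vlan164-172.16.4.0/24 protocol=icmp
add action=log chain=forward comment="============= allow rules ========================" disabled=yes
# Explicit cross-VLAN allows. They must stay above the reject/deny rules below.
add action=accept chain=forward comment="VLAN164 - Test Webkonsole" dst-address=172.16.4.14 dst-port=443 out-interface=vlan164-172.16.4.0/24 protocol=tcp src-address-list=management_hosts
add action=accept chain=forward comment="VLAN164 - server access to smtp service" dst-address=xxx.xxx.xxx.xxx dst-port=587 in-interface=vlan164-172.16.4.0/24 protocol=tcp
add action=log chain=forward comment="============= VLAN 164 ========================" disabled=yes
# Deliberately disabled. When enabled it permits ANY destination reachable via
# ether1, not only "the internet"; src-nat for this VLAN is not part of this
# block and has to exist separately.
add action=accept chain=forward comment="VLAN164 - allow internet access only when rule is enabled" disabled=yes in-interface=vlan164-172.16.4.0/24 out-interface=ether1
# Final deny for all forward traffic not matched above. reject answers the
# sender with an ICMP error, which helps troubleshooting but also tells a host
# in another VLAN that a filter exists; action=drop is the quieter choice for
# strict isolation. The two drop rules that originally followed these rejects
# (established/related out-interface, and any in-interface) were unreachable:
# the established/related accept above and the two rejects here already match
# that traffic, so they have been removed.
add action=reject chain=forward comment="VLAN164 - block/reject non established connections (important)" out-interface=vlan164-172.16.4.0/24 reject-with=icmp-network-unreachable
add action=reject chain=forward comment="VLAN164 - block/reject non established connections (important)" in-interface=vlan164-172.16.4.0/24 reject-with=icmp-network-unreachable
add action=drop chain=input comment="VLAN164 - input deny" in-interface=vlan164-172.16.4.0/24
# NOTE(review): the output deny also blocks connections the router itself opens
# towards hosts in this VLAN (e.g. syslog, RADIUS or NTP to a server there);
# confirm nothing on the router needs that before relying on it.
add action=drop chain=output comment="VLAN164 - output deny" out-interface=vlan164-172.16.4.0/24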