Hello everyone!
For some time now I’ve been using a CRS326-24G-2S+ behind an RB5009 to structure my home network a bit better. The CRS326 also takes care of the routing between the VLANs, which works perfectly due to L3 hardware offloading.
For the sake of simplicity, let’s assume that there are only two VLANs: VLAN 10 and VLAN 20.
VLAN 20 should not be able to access VLAN 10.
VLAN 10 should be able to access VLAN 20. So responses from VLAN 20 to VLAN 10 must be allowed.
A “drop any” rule for traffic from VLAN 20 to VLAN 10 also blocks these responses.
How can I achieve this via the switch rules on the CRS326?
With the firewall this is of course quite simple, but this should not be used, because the CPU would then be involved again.
With e.g. a Cisco switch this would simply be an extended ACL rule like this:
permit tcp (VLAN20 IPs) 0.0.0.255 (VLAN10 IPs) 0.0.0.255 established
Is it possible to use TCP flags like “established” on the CRS326 switch chip without having to pass the traffic to the firewall and therefore to the CPU?
Thanks for your help!
Many greetings,
Martin
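As an added illustration (not part of Martin's post and not RouterOS or Cisco code), the following Python model shows what the quoted Cisco “established” keyword actually matches and why a plain drop rule from VLAN 20 to VLAN 10 breaks replies: “established” is a stateless check that permits any TCP segment with the ACK or RST bit set, keeping no connection table. The VLAN prefixes 10.0.10.0/24 and 10.0.20.0/24 and the sample packets are constructed for the example; the post does not give the real addressing. The last two samples show the two caveats a practitioner should know: non-TCP replies (UDP) are not covered by such a rule at all, and because the check is stateless, any ACK-bearing segment from VLAN 20 is accepted, whether or not a matching connection exists. That second point is the trade-off between a switch-chip ACL and a stateful CPU firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefixes for the example; the post does not state the real ones.
VLAN10 = ip_network("10.0.10.0/24")
VLAN20 = ip_network("10.0.20.0/24")

# TCP flag bits as they appear in the TCP header.
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    flags: int = 0    # TCP flag bits; ignored for non-TCP packets


def is_established(pkt: Packet) -> bool:
    """Cisco 'established' semantics: a TCP segment with ACK or RST set.

    This is purely a header-bit check. It does not track connections,
    so it cannot tell a genuine reply from a crafted ACK-only segment.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & (TCP_ACK | TCP_RST))


def acl_decision(pkt: Packet) -> str:
    """Evaluate the two-VLAN policy from the post as a stateless ACL."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # VLAN 10 -> VLAN 20: always permitted (VLAN 10 may initiate).
    if src in VLAN10 and dst in VLAN20:
        return "permit"

    # VLAN 20 -> VLAN 10: only reply traffic, i.e. 'established' TCP.
    # Equivalent to: permit tcp VLAN20 0.0.0.255 VLAN10 0.0.0.255 established
    if src in VLAN20 and dst in VLAN10:
        return "permit" if is_established(pkt) else "drop"

    # Implicit deny for everything else.
    return "drop"


# Constructed sample traffic, in the order a connection from VLAN 10 proceeds,
# followed by the two edge cases discussed in the lead-in.
SAMPLES = [
    ("VLAN10 opens connection (SYN)",
     Packet("10.0.10.5", "10.0.20.7", "tcp", TCP_SYN)),
    ("VLAN20 reply to that SYN (SYN+ACK)",
     Packet("10.0.20.7", "10.0.10.5", "tcp", TCP_SYN | TCP_ACK)),
    ("VLAN20 tries to open its own connection (SYN)",
     Packet("10.0.20.7", "10.0.10.5", "tcp", TCP_SYN)),
    ("VLAN20 UDP reply (e.g. DNS answer)",
     Packet("10.0.20.7", "10.0.10.5", "udp")),
    ("VLAN20 ACK-only segment with no matching connection",
     Packet("10.0.20.7", "10.0.10.5", "tcp", TCP_ACK)),
]


def evaluate_samples() -> list:
    """Return (description, decision) for each constructed sample packet."""
    return [(desc, acl_decision(pkt)) for desc, pkt in SAMPLES]


if __name__ == "__main__":
    for desc, decision in evaluate_samples():
        print(f"{decision:6s}  {desc}")
```

Running the block prints one line per sample: the SYN from VLAN 10 and the SYN+ACK reply are permitted, the SYN from VLAN 20 is dropped, the UDP reply is dropped because “established” only exists for TCP, and the stray ACK-only segment is permitted because the rule is stateless. For UDP services that VLAN 10 must reach in VLAN 20, a stateless ACL needs an explicit reverse rule keyed on the service port instead.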