Dear all,
I have the following setup: a CCR-1016 (v6.33) and an HP 2530 switch. I'm trying to set up a proper firewall on the router for multi-VLAN routing and NAT as well.
On interface vlan20 there's a DHCP server, with the IP address 192.168.20.1.
The switch has a fixed IP address in vlan0 (192.168.0.11).
Now I have two users in vlan20 (ip1: 192.168.20.60, ip2: 192.168.20.59), connected to the same HP switch, and I enabled inter-VLAN communication:
- chain=forward action=accept in-interface=vlan20 out-interface=vlan20
The problem is that the two devices can actually communicate, but the bytes/packets counter is not being hit.
After noticing this, I tried to deny communication between the users in the forward chain for testing purposes, without luck:
- chain=forward action=drop src-address=192.168.20.60 dst-address=192.168.20.59 log=yes
(I placed this rule at the beginning of the forward chain.)
It looks like the forward rules are not applied to them; they can communicate freely, and I can't log any communication between them. I repeat: the users are connected to the same switch.
I have two questions:
- Can they communicate because the switch maintains a MAC address table?
- Is it possible to apply forward deny rules to users in the same VLAN connected to the same switch? (e.g. a client isolation rule, which is my goal)
Any guidance would be much appreciated.
Steve.
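The behaviour Steve describes (forward-chain counters that never move for two hosts on the same VLAN) comes from where the forwarding decision is made, not from the firewall. Below is an added Python model written for this thread, not code from the post or from RouterOS: a host whose destination is on its own subnet resolves it with ARP and the switch forwards by MAC address, so the router's forward chain is never consulted; only traffic leaving the subnet is sent to the gateway and passes through the rules. The /24 prefix lengths and the third (inter-VLAN accept) rule are assumptions added so that routed traffic has a counter to hit; the first two rules are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed topology based on the post. The /24 prefix lengths are an
# assumption: the post gives host addresses only, not masks.
VLANS: Dict[str, ipaddress.IPv4Network] = {
    "vlan20": ipaddress.ip_network("192.168.20.0/24"),  # CCR gateway 192.168.20.1
    "vlan0": ipaddress.ip_network("192.168.0.0/24"),    # HP 2530 at 192.168.0.11
}


def vlan_of(ip: str) -> str:
    """Return the router interface whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known VLAN")


@dataclass
class Rule:
    """Minimal model of one /ip firewall filter rule in chain=forward."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    packets: int = 0  # the counter the post expected to see increment

    def matches(self, pkt: dict) -> bool:
        # An unset matcher (None) matches anything, as in RouterOS.
        checks = (
            (self.src, "src"), (self.dst, "dst"),
            (self.in_iface, "in"), (self.out_iface, "out"),
        )
        return all(want is None or want == pkt[key] for want, key in checks)


def forward_chain(rules: List[Rule], pkt: dict) -> str:
    """First matching rule wins and its counter increments. With no match
    the packet is accepted, which is the default for a RouterOS chain."""
    for rule in rules:
        if rule.matches(pkt):
            rule.packets += 1
            return rule.action
    return "accept"


def send(rules: List[Rule], src: str, dst: str) -> str:
    """Model the sending host's decision. If dst is on the host's own subnet
    it ARPs for dst directly and the switch forwards by MAC address, so the
    router (and its forward chain) never sees the packet. Only traffic that
    must leave the subnet goes to the gateway and is routed."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan == dst_vlan:
        return "switched"  # layer 2 path: no rule can match, no counter moves
    pkt = {"src": src, "dst": dst, "in": src_vlan, "out": dst_vlan}
    return forward_chain(rules, pkt)


def build_rules() -> List[Rule]:
    """The two rules from the post, plus one constructed inter-VLAN accept
    rule so that routed traffic has a counter to hit."""
    return [
        Rule("drop", src="192.168.20.60", dst="192.168.20.59"),   # from the post
        Rule("accept", in_iface="vlan20", out_iface="vlan20"),   # from the post
        Rule("accept", in_iface="vlan20", out_iface="vlan0"),    # constructed
    ]


if __name__ == "__main__":
    rules = build_rules()
    print("20.60 -> 20.59 :", send(rules, "192.168.20.60", "192.168.20.59"))
    print("20.60 -> 0.11  :", send(rules, "192.168.20.60", "192.168.0.11"))
    for r in rules:
        print(f"{r.action:6} src={r.src} dst={r.dst} in={r.in_iface} "
              f"out={r.out_iface} packets={r.packets}")
```

Running it shows the .60 to .59 flow reported as "switched" with every counter still at 0, while the .60 to 192.168.0.11 flow is routed and increments the inter-VLAN rule. The practical consequence for the second question is that a forward rule on the CCR cannot isolate clients that share a VLAN and a switch; that separation has to be enforced where the frames actually pass (on the switch ports) or by giving the clients different VLANs so their traffic is forced through the router.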