Manage inter-vlan connections

Once switch1-cpu is involved in multiple VLANs for routing purposes, each VLAN can route to the WAN through its own gateway.

Doing so, inter-VLAN routing is also enabled automatically, but this is unwanted.

I’ve had to insert a filter rule on top of my forward ones:

chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=accept connection-state=established,related
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24

(the first position is the only one that denies inter-VLAN traffic)

However, I need one host in a single VLAN to access all hosts in the other VLANs.

I’ve tried many rules in many orders, but the host’s inter-VLAN packets are always dropped: what’s the right syntax? Where am I wrong?

Thank you

Try

chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=accept connection-state=established,related
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24

Already tried. It doesn’t work.

With this allow rule, the packet counter increases while pinging a machine on another VLAN, but it increases on the next rule (the dropping one) as well.
Any idea?

Obviously, communication is a two-way business. You are getting packets there but not back. Try adding a corresponding dst-address rule:

chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan dst-address=allo.wed.host.ip

You’re right, I must allow packets in both directions.
It works, thanks.

Sorry, I missed the rule order:

chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=accept connection-state=established,related
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24

even better:

chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip connection-state=new
chain=forward action=accept connection-state=established,related
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24
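The rule-order argument in this thread, replayed as an added Python example (not from the forum thread and not RouterOS code): a tiny first-match simulator for a forward chain with connection tracking. The addresses (10.10.x.x), the interface names vlan10/vlan20 and the helper names are constructed for the simulation; ALLOWED_HOST stands in for allo.wed.host.ip, and connection-nat-state is not modelled. It replays three rulesets from the thread: the src-address-only attempt (the reply hits the inter-VLAN drop rule, so that rule's counter climbs too), the src+dst variant (replies pass, but so does initiation from the other VLANs), and the final order (only the allowed host opens flows; replies ride on established,related).

```python
from dataclasses import dataclass
from typing import Optional, Set

ALLOWED_HOST = "10.10.1.10"   # constructed stand-in for allo.wed.host.ip


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str


@dataclass
class Rule:
    action: str                            # "accept" or "drop"
    in_iface: Optional[str] = None         # interface name, or "all-vlan"
    out_iface: Optional[str] = None
    src: Optional[str] = None              # src-address=
    dst: Optional[str] = None              # dst-address=
    conn_state: Optional[Set[str]] = None  # connection-state=
    hits: int = 0                          # packet counter, like the one watched in the thread

    def matches(self, pkt: Packet, state: str) -> bool:
        def iface_ok(want, have):
            if want is None:
                return True
            if want == "all-vlan":         # interface list: any vlan interface
                return have.startswith("vlan")
            return want == have
        return (iface_ok(self.in_iface, pkt.in_iface)
                and iface_ok(self.out_iface, pkt.out_iface)
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.conn_state is None or state in self.conn_state))


class ForwardChain:
    """First-match evaluation; a packet matching no rule is accepted, as in a
    chain without a final drop. Connection tracking is reduced to the unordered
    endpoint pair: the first accepted packet creates the flow, and later packets
    in either direction are 'established'. 'related'/'invalid' never occur here."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def evaluate(self, pkt: Packet) -> str:
        key = frozenset((pkt.src, pkt.dst))
        state = "established" if key in self.flows else "new"
        verdict = "accept"
        for rule in self.rules:
            if rule.matches(pkt, state):
                rule.hits += 1
                verdict = rule.action
                break
        if verdict == "accept":
            self.flows.add(key)            # a dropped packet never confirms a flow
        return verdict


def common_tail():
    # The three rules every ruleset in the thread ends with (nat-state omitted).
    return [Rule("drop", conn_state={"invalid"}),
            Rule("drop", in_iface="pppoe-out1", conn_state={"new"}),
            Rule("drop", in_iface="ether24", conn_state={"new"})]


def ruleset_src_only():
    # accept by src-address, then drop inter-VLAN, then established,related
    return [Rule("accept", in_iface="all-vlan", out_iface="all-vlan", src=ALLOWED_HOST),
            Rule("drop", in_iface="all-vlan", out_iface="all-vlan"),
            Rule("accept", conn_state={"established", "related"})] + common_tail()


def ruleset_src_and_dst():
    # also accept by dst-address: replies pass, but so does reverse initiation
    return [Rule("accept", in_iface="all-vlan", out_iface="all-vlan", src=ALLOWED_HOST),
            Rule("accept", in_iface="all-vlan", out_iface="all-vlan", dst=ALLOWED_HOST),
            Rule("drop", in_iface="all-vlan", out_iface="all-vlan"),
            Rule("accept", conn_state={"established", "related"})] + common_tail()


def ruleset_final():
    # only the allowed host may open inter-VLAN flows; replies ride on established,related
    return [Rule("accept", in_iface="all-vlan", out_iface="all-vlan", src=ALLOWED_HOST,
                 conn_state={"new"}),
            Rule("accept", conn_state={"established", "related"}),
            Rule("drop", in_iface="all-vlan", out_iface="all-vlan")] + common_tail()


def ping_exchange(rules, a, a_if, b, b_if):
    """One echo request from a to b and, if it got through, the reply back.
    Returns (request verdict, reply verdict)."""
    fw = ForwardChain(rules)
    request = fw.evaluate(Packet(a, b, a_if, b_if))
    if request != "accept":
        return request, "not sent"        # the target never saw the request
    return request, fw.evaluate(Packet(b, a, b_if, a_if))


if __name__ == "__main__":
    other = "10.10.2.20"                  # constructed host on another VLAN
    for name, build in (("src-only", ruleset_src_only), ("src+dst", ruleset_src_and_dst),
                        ("final", ruleset_final)):
        print(name, "allowed->other", ping_exchange(build(), ALLOWED_HOST, "vlan10", other, "vlan20"),
              "other->allowed", ping_exchange(build(), other, "vlan20", ALLOWED_HOST, "vlan10"))
```

The simulator deliberately reproduces the effect seen in the thread: with the src-only order, the allowed host's request is accepted but the reply from the other VLAN has a different src-address, so it reaches the inter-VLAN drop rule before the established,related rule. Moving established,related above the drop fixes that, and adding connection-state=new to the allow rule means only the allowed host can initiate; a request from another VLAN is dropped, and WAN-bound traffic still falls through to the chain's default accept.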

However, I need one host in a single VLAN to access all hosts in the other VLANs.

@sid5632:
I understood that the single host should be the one able to connect to the others, that is, initiate the connections and not vice versa; with your suggested ruleset, other VLAN hosts can initiate connections to allo.wed.host.ip with no restrictions.

Agreed.

Confirmed, with the new order it works!