Multiple Network Firewall

I need to configure a router so that it hosts multiple internal networks and where firewall rules exist which provide one way isolation for those networks.

For example, I have Eth0 configured as the WAN port, Eth1 configured as LAN1 (192.168.2.0/24) and Eth2 configured as LAN2 (10.10.10.0/8)

I need for LAN1 and LAN2 to both be able to access internet via Eth0. I need for LAN1 to be able to access LAN2, but LAN2 to be unable to access LAN1.

The current setup is for Bridge0 (Eth1-23) to host LAN2 and for LAN1 to be hosted via a cheap router plugged into LAN2, which effectively accomplishes the above but limits inter-LAN communication to 100Mbps, which isn’t satisfactory.

Firewall configuration is not my strong suit, can someone help me understand how I would need to configure the firewall to make this work?

I believe there is an in-interface option for the firewall commands that you can use to apply rules to incoming interfaces. That is probably the easiest way to restrict packets from one network in your case. Of course you can also limit incoming packets based on source IPs, but since your networks are physically separated, I’d just add rules to prevent packets from ether1 reaching ether2 and vice versa.

Won’t that prevent all traffic from communicating between networks? I need for users on the 192.168.2.x network to be able to access shares on 10.10.10.x, but users on the 10.10.10.x network to be unable to access 192.168.2.x. I believe this can be done through a related rule before the in-interface rule, but I’m not sure quite how to configure it.

My bad - didn’t see that you wanted one of your subnets to have access to the other but not the other way around. That will mean that you have to add a few more rules to allow the one subnet to send packets to the other. You then need rules unrelated to interfaces and subnets that allow related and established connections.

I’ve only got access to my iPad right now, so it’s a bit hard to come up with the exact rules, but if you read the manual sections on firewalling, you can probably figure it out.

Try this:

 /ip route rule add src-address=10.10.10.0/24 dst-address=192.168.2.0/24 action=unreachable

Just an update, I accomplished this by configuring rules to:

1 forward established LAN2->LAN1 accept
2 forward related LAN2->LAN1 accept
3 forward LAN2->LAN1 drop

Again, as a route, isn’t that a hard and fast rule that would prevent any packets from returning to 192.168.2.0/24? So I could ping an address in 10.10.10.0/24, but I wouldn’t be able to receive the reply, so it would still come back as unreachable.

I am deploying this onsite tomorrow, so we’ll see how things go. I’ve got it mostly configured right now but for some reason I am able to ping 192.168.2.1 (the router’s IP on LAN1) from 10.10.10.199 (a VPN Connection on LAN2). Since it’s just up and running and remote, I don’t have any clients on 192.168.2.0/24 to test and see if the traffic is blocked.

I’ve got it mostly configured right now but for some reason I am able to ping 192.168.2.1

All traffic destined for the router’s IP address(es) is handled by an input chain and not by the forward chain.

Could be something else though.
Post config if you want it to be checked.
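The three forward rules listed earlier in the thread (accept established and related LAN2->LAN1, then drop LAN2->LAN1) and the point just made about router-addressed traffic hitting the input chain rather than forward can be checked offline with a small model of a connection-tracking firewall. The following is an added example, not any poster's configuration: it assumes a /24 mask on LAN2 (the opening post wrote the mask as \8), assumes 10.10.10.1 as the router's LAN2 address (192.168.2.1 is from the thread), and the RouterOS-style rule text embedded in it is an assumed address-based rendering of the rules, not commands taken from the thread.

```python
"""Toy model of the thread's three-rule stateful forward chain.

Added example, not the poster's config. It simulates how a connection-tracking
firewall evaluates "established/related LAN2->LAN1 accept, then LAN2->LAN1 drop"
so the one-way isolation can be reasoned about without a router. Hosts, ports,
the /24 mask on LAN2 and the router's LAN2 address are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LAN1 = ipaddress.ip_network("192.168.2.0/24")
LAN2 = ipaddress.ip_network("10.10.10.0/24")          # assumed /24
ROUTER_IPS = {ipaddress.ip_address("192.168.2.1"),    # from the thread
              ipaddress.ip_address("10.10.10.1")}     # assumed LAN2 gateway

# RouterOS-style equivalent of the rules being modelled. This is an assumed,
# address-based rendering; the thread does not give the exact commands.
ROUTEROS_RULES = """
/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.2.0/24 \\
    connection-state=established,related action=accept
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.2.0/24 action=drop
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Router:
    """Minimal packet path: input-vs-forward classification, then a forward
    chain backed by a connection table. Only 'new' and 'established' are
    modelled; 'related' needs protocol helpers and is not simulated here."""

    def __init__(self) -> None:
        self.conntrack: set = set()

    def _key(self, p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _reverse_key(self, p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def connection_state(self, p: Packet) -> str:
        if self._key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
            return "established"
        return "new"

    def chain_for(self, p: Packet) -> str:
        # Packets addressed to the router itself go to the input chain, not forward.
        return "input" if ipaddress.ip_address(p.dst) in ROUTER_IPS else "forward"

    def forward_chain(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        dst = ipaddress.ip_address(p.dst)
        state = self.connection_state(p)
        # Rules 1 and 2: replies belonging to a LAN1-initiated connection pass.
        if src in LAN2 and dst in LAN1 and state in ("established", "related"):
            return "accept"
        # Rule 3: anything else LAN2 -> LAN1 is dropped.
        if src in LAN2 and dst in LAN1:
            return "drop"
        # Everything else (LAN1 -> LAN2, either LAN -> WAN) is accepted by default.
        return "accept"

    def handle(self, p: Packet) -> str:
        """Return 'input', 'accept' or 'drop'; record accepted forwarded flows."""
        if self.chain_for(p) == "input":
            return "input"   # the forward rules never see this packet
        verdict = self.forward_chain(p)
        if verdict == "accept":
            self.conntrack.add(self._key(p))
        return verdict


def demo() -> dict:
    """Run constructed sample traffic through the model and return the verdicts."""
    r = Router()
    # Constructed traffic: an SMB connection from LAN1 to a LAN2 share, its
    # reply, an unsolicited LAN2 -> LAN1 connection, and a ping at the router's
    # LAN1 address from the LAN2 side.
    syn = Packet("192.168.2.50", "10.10.10.20", "tcp", 51000, 445)
    syn_ack = Packet("10.10.10.20", "192.168.2.50", "tcp", 445, 51000)
    unsolicited = Packet("10.10.10.199", "192.168.2.50", "tcp", 40000, 445)
    to_router = Packet("10.10.10.199", "192.168.2.1", "icmp", 0, 0)
    return {
        "lan1_to_lan2_new": r.handle(syn),
        "lan2_to_lan1_reply": r.handle(syn_ack),
        "lan2_to_lan1_new": r.handle(unsolicited),
        "lan2_to_router_lan1_ip": r.handle(to_router),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The last case is the one that looked wrong on site: a ping from 10.10.10.199 to 192.168.2.1 is classified as input, so the forward rules are never consulted and it is answered. Blocking it needs a separate rule in the input chain; the forward rules as listed only decide what crosses between the two LANs.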

Gotcha, that’s the sort of thing that I thought was happening.

I have thoroughly tested connections from LAN1 to LAN2, which are denied, and LAN2 to LAN1, which are permitted. With those rules I listed above I got to the point where I could turn them off and have 2 way access, then turn them on and be able to access only one way. That is sufficient for me.