Is there such a practice where I will allow forwarding in one direction to a VLAN? My case is I have a network which I want to isolate with a VLAN, except that it has a printer on it I want to print to. So I can reach into this network, but it can only reach WAN and not other VLANs. The only other caveat I can think of is that I won’t be able to broadcast to this network from my private VLAN.
It’s the basic firewall config:
- accept established & related
- drop invalid
- accept from LAN to WAN
- accept from VLAN to WAN
- accept from LAN to printer in VLAN
…
X) block the rest
Access to the printer will be allowed by 5), replies will be allowed by 1). A new connection from VLAN to LAN will be blocked by X). The key to this is 1) being at the beginning. Even if you have a different firewall, e.g. where you specifically block VLAN to LAN instead of unconditional blocking at the end, just remember that 1) must be before the blocking rule.
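The ordering argument above, worked through as an added example that is not part of the thread: a small Python model of a stateful packet filter running the six rules in the order given, then again with rule 1) moved after the final block. Interface names, the printer address and the host addresses are constructed for illustration; the model only tracks "established" (it has no notion of "related" helpers) and treats any non-SYN packet without a tracked flow as invalid, which is a simplification of real connection tracking.

```python
"""Model of the stateful rule order from the answer above (constructed example).

Shows why "accept established & related" must precede the final block:
the printer's reply packet is only accepted by rule 1, so if the block
rule comes first the reply dies and printing silently fails.
"""
from dataclasses import dataclass, field

# Assumed interface names and addresses (not from the thread).
LAN, VLAN, WAN = "LAN", "VLAN", "WAN"
PRINTER = "10.20.0.9"        # printer inside the isolated VLAN
LAN_HOST = "192.168.1.10"    # host on the private LAN that prints
VLAN_HOST = "10.20.0.50"     # other device in the isolated VLAN
WAN_HOST = "203.0.113.5"     # some Internet address


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    syn: bool = False        # True for the first packet of a new TCP flow


@dataclass
class Firewall:
    rules: list                                  # (name, predicate) in evaluation order
    conntrack: set = field(default_factory=set)  # accepted flows as (src, dst)

    def state(self, p):
        if (p.src, p.dst) in self.conntrack or (p.dst, p.src) in self.conntrack:
            return "established"
        return "new" if p.syn else "invalid"

    def filter(self, p):
        """Return (rule name, verdict) of the first matching rule; record new accepted flows."""
        st = self.state(p)
        for name, pred in self.rules:
            verdict = pred(p, st)
            if verdict is None:
                continue
            if verdict == "accept" and st == "new":
                self.conntrack.add((p.src, p.dst))
            return name, verdict
        return "implicit", "drop"


# Each rule returns "accept", "drop", or None (no match, fall through).
def r1_established(p, st):
    return "accept" if st == "established" else None

def r2_invalid(p, st):
    return "drop" if st == "invalid" else None

def r3_lan_to_wan(p, st):
    return "accept" if (p.in_if, p.out_if) == (LAN, WAN) else None

def r4_vlan_to_wan(p, st):
    return "accept" if (p.in_if, p.out_if) == (VLAN, WAN) else None

def r5_lan_to_printer(p, st):
    return "accept" if (p.in_if, p.out_if, p.dst) == (LAN, VLAN, PRINTER) else None

def rx_block_rest(p, st):
    return "drop"


RULES_CORRECT = [("1 established", r1_established), ("2 invalid", r2_invalid),
                 ("3 LAN->WAN", r3_lan_to_wan), ("4 VLAN->WAN", r4_vlan_to_wan),
                 ("5 LAN->printer", r5_lan_to_printer), ("X block", rx_block_rest)]

# Same rules, but rule 1 placed after the final block: the mistake the answer warns about.
RULES_MISORDERED = RULES_CORRECT[1:] + RULES_CORRECT[:1]


def run_scenario(rules):
    """Push a few representative packets through the rule set and collect verdicts."""
    fw = Firewall(rules)
    out = {}
    # LAN host opens a connection to the printer (rule 5 should accept and track it).
    out["lan_to_printer"] = fw.filter(Packet(LAN, VLAN, LAN_HOST, PRINTER, syn=True))
    # Printer answers on the same flow (only rule 1 can accept this).
    out["printer_reply"] = fw.filter(Packet(VLAN, LAN, PRINTER, LAN_HOST))
    # Device in the isolated VLAN tries to open a new connection into the LAN.
    out["vlan_to_lan_new"] = fw.filter(Packet(VLAN, LAN, VLAN_HOST, LAN_HOST, syn=True))
    # Device in the isolated VLAN goes to the Internet (rule 4).
    out["vlan_to_wan"] = fw.filter(Packet(VLAN, WAN, VLAN_HOST, WAN_HOST, syn=True))
    # Stray non-SYN packet with no tracked flow (rule 2).
    out["stray"] = fw.filter(Packet(VLAN, LAN, VLAN_HOST, LAN_HOST))
    return out


if __name__ == "__main__":
    for label, rules in (("correct order", RULES_CORRECT), ("rule 1 last", RULES_MISORDERED)):
        print(label)
        for k, v in run_scenario(rules).items():
            print(f"  {k:16s} -> {v[1]:6s} by {v[0]}")
```

With the correct order the printer reply is accepted by rule 1 and the new VLAN-to-LAN connection is dropped by X; with rule 1 moved last, the same reply is dropped by X before rule 1 is ever consulted, so printing breaks even though the outbound rule 5 still matches. On nftables the first two rules would be written as `ct state established,related accept` and `ct state invalid drop` at the top of the forward chain, with the interface-pair accepts below them and the drop last.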
Perfect, thank you!