Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

infused · January 13, 2013, 6:53am

Hi Guys,

I have a bridge for trunking, bri-trunk. I have added 5 vlans to the bridge to trunk to vmware. This works fine, however, I can access all vlans from all vlans. If that makes sense. How can I block traffic between vlans? Is there a better way to do this?

samsung172 · January 13, 2013, 6:47pm

It make sense if you put vlans to a bridge. Then you bridge the vlans together. Put vlan to the Interface pointing to vmware. Not to a bridge. And tag in vmware.

infused · January 13, 2013, 7:11pm

If you put vlans to the interface, you get the same behavior.

samsung172 · January 13, 2013, 7:14pm

then you somhow bridge them in Vmware switch etc.

samsung172 · January 13, 2013, 7:15pm

Btw, its also possible that you have a route between Your vlan’s, and that the traffic are routed.

infused · January 14, 2013, 1:19am

Correct. When added to bridge or ethernet port, they are routed. That’s what I am trying to stop.

rjickity · January 14, 2013, 1:25am

You must add a firewall filter on the forward chain to that interface to stop your traffic then

Sent from my GT-I9100 using Tapatalk

infused · January 14, 2013, 5:53am

So what’s the easiest rule to add then?

I have 3 vlans.

Lets just say vlaid 1001,1002,1003

1001: 10.1.1.1/24
1002: 10.1.2.1/24
1003: 10.1.3.1/24

Is there a simple rule I can add to each to ensure that they cannot communicate with each other. I plan to have a lot of vlans,

CelticComms · January 14, 2013, 2:44pm

The router will route (forward) all traffic unless you stop it in the forwarding filters.

You can start with a simple rule in the forwarding chain with action=drop. Then add rules above it with action=“accept” for any traffic that you actually want to forward.

infused · January 14, 2013, 6:26pm

Yes. Do you have an example based on my info above?

zyflex · January 24, 2013, 7:06pm

Try this in ip firewall filter:
chain=forward action=drop in-interface=VLAN1001 out-interface=!ether1-gateway

Then the traffic on VLAN1001 is only allowed to access your ether1 port.

samsung172 · January 28, 2013, 11:17pm

No. You get the same behavior at l3 (routed) but you dont bridge the vlans together (l2)

Eg, when you put vlans to bridge, you will find all the other units’s mac addresses. If you put to a Interface, you will not. ITs also possible to to a lot bad stuf, when put all vlan to one bridge. Then its no reasion to use the vlan’s. Better to just add all ip to the Interface.

che · January 29, 2013, 1:17am

Have you tried adding VLANs on the bridge interface, not as bridge port, and bridging physical interfaces? That way you will keep VLAN isolation as you intended and their availability on all physical interfaces you added to the bridge.

CelticComms · January 29, 2013, 1:37am

Go into /IP Firewall and add a filter in the forwarding chain with nothing selected except Action=Drop.

At that point no traffic will be routed between interfaces at level 3. You may then want to add specific rules above that “drop all” rule with specific traffic that is to be forwarded - e.g. by specifying specific interfaces, IP ranges etc.