beginer0504
just joined
Topic Author
Posts: 20
Joined: Tue Jul 31, 2018 11:39 am

Firewall filter rules CCR-1009

Thu Jan 24, 2019 9:59 am

Hi,

I need help to solve an issue with firewall -> filter.

[Network diagram: attachment 1.JPG]
I want to set up the following:
+ VLANs 10, 11 and 12 are not connected to each other.
+ Hosts in VLAN 11 can connect to the server in VLAN 10.
+ Hosts in VLAN 11 can connect to a range in VLAN 12 (e.g. 192.168.12.100-192.168.12.200).

Thank you!
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Firewall filter rules CCR-1009

Thu Jan 24, 2019 10:55 am

Allow the connections first, and then block all other inter-VLAN traffic.

So you set up filter rules on the forward chain:
allow traffic from VLAN 11 to the server in VLAN 10
allow traffic from VLAN 11 to an address list (create it under IP > Firewall > Address Lists) that contains 192.168.12.100-192.168.12.200

Drop all traffic from VLAN 11 to 10 and 12 by dropping everything except what is going to the WAN interface, something like:
/ip firewall filter
add chain=forward in-interface=vlan_11 out-interface-list=!WAN action=drop
Do the same for VLAN 10.
Do the same for VLAN 12.

I think this should do what you need.
 
beginer0504
just joined
Topic Author
Posts: 20
Joined: Tue Jul 31, 2018 11:39 am

Re: Firewall filter rules CCR-1009

Thu Jan 24, 2019 11:16 am

Thank you, I will try and report the results
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Firewall filter rules CCR-1009

Thu Jan 24, 2019 11:40 am

Remember to keep your "allow established and related" filter rule at the top.
This ensures that the return traffic from one VLAN to another is not dropped.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Firewall filter rules CCR-1009

Thu Jan 24, 2019 2:37 pm

I would take a different approach.
I concur with the logic; it's not wrong.

My last forward rule is an action=drop (drop all else):
add action=drop chain=forward

Therefore one only needs to state explicitly what is allowed:
/ip firewall filter
add action=accept chain=forward in-interface=vlan11 dst-address=192.168.10.10 comment="vlan10serverIP (192.168.10.10?)"
add action=accept chain=forward in-interface=vlan11 dst-address-list=allowedvlan12range

/ip firewall address-list
add address=192.168.12.100-192.168.12.200 list=allowedvlan12range
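A complete RouterOS filter set that puts solar77's ordering (established/related first, explicit accepts, then drops) and anav's default-drop variant into one importable fragment. This is an added example, not configuration posted in the thread. Assumed names: the CCR routes between VLAN interfaces called vlan10, vlan11 and vlan12, the uplink is ether1, the VLAN 10 server is 192.168.10.10 (anav's guess above), and the LAN and WAN interface lists are created in the block. The invalid-state drop and the LAN-to-WAN accept are standard additions nobody in the thread mentioned; without the latter, anav's final drop would also cut the VLANs off from the internet.

```routeros
# Added example, not from the thread. Assumptions: vlan10/vlan11/vlan12 are the
# router's own VLAN interfaces, ether1 is the uplink, 192.168.10.10 is the
# VLAN 10 server, and the LAN/WAN interface lists are defined here.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN
add interface=vlan12 list=LAN

/ip firewall address-list
add list=allowedvlan12range address=192.168.12.100-192.168.12.200

/ip firewall filter
# 1. Return traffic first (solar77's point): replies to connections accepted
#    below pass no matter which VLAN they arrive from.
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid (standard rule, assumed)"
# 2. Explicit inter-VLAN accepts. Only connections opened from VLAN 11 match;
#    the server in VLAN 10 cannot open a new connection into VLAN 11.
add chain=forward action=accept in-interface=vlan11 out-interface=vlan10 dst-address=192.168.10.10 comment="vlan11 -> vlan10 server"
add chain=forward action=accept in-interface=vlan11 out-interface=vlan12 dst-address-list=allowedvlan12range comment="vlan11 -> vlan12 allowed range"
# 3. Internet access for all three VLANs (assumed requirement).
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN -> WAN"
# 4a. anav's variant: one final rule drops everything not accepted above.
add chain=forward action=drop comment="drop all else"
# 4b. solar77's variant, if you prefer per-VLAN drops instead of rule 4a:
#     add chain=forward action=drop in-interface=vlan10 out-interface-list=!WAN
#     add chain=forward action=drop in-interface=vlan11 out-interface-list=!WAN
#     add chain=forward action=drop in-interface=vlan12 out-interface-list=!WAN
```

Rule order is what makes this work, so after importing check it with `/ip firewall filter print` and use `move` if anything landed out of place. To verify, watch the counters in `/ip firewall filter print stats` while a host in VLAN 11 connects to 192.168.10.10 (should succeed), to an address in VLAN 12 outside the list (should fail), and while the VLAN 10 server tries to open a connection into VLAN 11 (should fail, even though its replies to VLAN 11 work). These rules only see traffic the CCR routes between VLANs; two hosts in the same VLAN talk through the switch and never reach the forward chain.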
