One book I have no issues recommending is ..........
As for vlan separation: by putting your subnets (LANs) onto vlans they are naturally separated at layer two.
However they can still be reached through layer 3 (aka routing by your router).
To stop this L3 connection you need to use firewall rules.
The most efficient way to do this is NOT to make a rule for everything you want to block - too tedious and messy.
MUCH BETTER is to:
a. state explicitly the traffic you wish to allow, followed by one simple rule
b. drop everything else.
So besides the normal default rules, which are perfectly fine (thank you MT) to get started on the internet safely, you should add the following
(forward chain for example).
Standard default rules
NEW RULES FOR VLAN
NEW RULES FOR VLANS may include
allow vlan1 and vlan2 to internet (notice we do not specifically allow vlan3 to access internet)
allow admin access to vlans 1,2,3 (allow admin to access any device on any vlan)
allow vlan1 and vlan2 users access to a specific vlan IP address on vlan3 (shared printer)
chain=forward action=drop comment="Drop all else"
Final Comments: From the above we have stated what we wish to allow, and thus anything else is dropped. So there will be no routing in general allowed between the VLANs; this traffic will be dropped. We did allow vlan1 and vlan2 access to the internet. When vlan3 users attempt to access the internet that traffic will be dropped by the last rule. We did state "allow the admin access to the vlans" and we did state "allow vlan1 and vlan2 users to access a printer on vlan3". Since those are stated before the last rule these specific actions will be permitted. Clean, clear and simple.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
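As an added example, not part of the post above, here is how that allow-then-drop structure can be written as RouterOS forward-chain rules. The interface names, subnets, admin host and printer address are all constructed assumptions, and the stock default-configuration forward rules are assumed to already sit above these.

```routeros
# Added example (not the original poster's config): forward-chain allow-list
# implementing "state what is allowed, then drop everything else".
# Assumptions (constructed for illustration):
#   VLAN interfaces vlan1, vlan2, vlan3 with 192.168.1.0/24, .2.0/24, .3.0/24
#   WAN interface is a member of the interface list "WAN"
#   admin workstation is 192.168.1.10; shared printer on vlan3 is 192.168.3.50
# The default forward rules (accept established/related, drop invalid, drop
# non-DSTNATed traffic from WAN) are assumed to be present ABOVE these rules;
# "Drop all else" must come after the established/related accept, otherwise
# return traffic for the allowed sessions is dropped too.

/interface list
add name=VLANS comment="all internal vlans"
/interface list member
add list=VLANS interface=vlan1
add list=VLANS interface=vlan2
add list=VLANS interface=vlan3

/ip firewall address-list
add list=admin address=192.168.1.10 comment="admin workstation"
add list=printer address=192.168.3.50 comment="shared printer on vlan3"

/ip firewall filter
# vlan1 and vlan2 may reach the internet; vlan3 is deliberately not listed
add chain=forward action=accept in-interface=vlan1 out-interface-list=WAN comment="vlan1 to internet"
add chain=forward action=accept in-interface=vlan2 out-interface-list=WAN comment="vlan2 to internet"
# admin may reach any device on any vlan (replies pass via established/related)
add chain=forward action=accept src-address-list=admin out-interface-list=VLANS comment="admin to all vlans"
# vlan1 and vlan2 users may reach only the printer on vlan3
add chain=forward action=accept in-interface=vlan1 dst-address-list=printer out-interface=vlan3 comment="vlan1 to shared printer"
add chain=forward action=accept in-interface=vlan2 dst-address-list=printer out-interface=vlan3 comment="vlan2 to shared printer"
# everything else crossing the router is dropped; position makes it the catch-all
add chain=forward action=drop comment="Drop all else"

# Check the resulting order before relying on it:
# /ip firewall filter print where chain=forward
```

Since `add` appends to the end of the chain, run these after the default rules exist; the `print` at the end lets you confirm that "Drop all else" is the final forward rule and that the established/related accept is above it.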