
Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Sun Jan 13, 2013 8:53 am
by infused
Hi Guys,

I have a bridge for trunking, bri-trunk. I have added 5 vlans to the bridge to trunk to vmware. This works fine, however, I can access all vlans from all vlans. If that makes sense. How can I block traffic between vlans? Is there a better way to do this?

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Sun Jan 13, 2013 8:47 pm
by samsung172
It makes sense if you put VLANs on a bridge. Then you bridge the VLANs together. Put the VLAN on the interface pointing to VMware, not on a bridge, and tag in VMware.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Sun Jan 13, 2013 9:11 pm
by infused
If you put vlans to the interface, you get the same behavior.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Sun Jan 13, 2013 9:14 pm
by samsung172
Then you somehow bridge them in the VMware switch, etc.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Sun Jan 13, 2013 9:15 pm
by samsung172
Btw, it's also possible that you have a route between your VLANs, and that the traffic is routed.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Mon Jan 14, 2013 3:19 am
by infused
Correct. When added to bridge or ethernet port, they are routed. That's what I am trying to stop.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Mon Jan 14, 2013 3:25 am
by rjickity
You must add a firewall filter on the forward chain to that interface to stop your traffic then.


Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Mon Jan 14, 2013 7:53 am
by infused
So what's the easiest rule to add then?

I have 3 vlans.

Let's just say VLAN IDs 1001, 1002, 1003:

1001: 10.1.1.1/24
1002: 10.1.2.1/24
1003: 10.1.3.1/24

Is there a simple rule I can add to each to ensure that they cannot communicate with each other? I plan to have a lot of VLANs.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Mon Jan 14, 2013 4:44 pm
by CelticComms
The router will route (forward) all traffic unless you stop it in the forwarding filters.

You can start with a simple rule in the forwarding chain with action=drop. Then add rules above it with action="accept" for any traffic that you actually want to forward.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Mon Jan 14, 2013 8:26 pm
by infused
Yes. Do you have an example based on my info above?

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Thu Jan 24, 2013 9:06 pm
by zyflex
> Yes. Do you have an example based on my info above?
Try this in ip firewall filter:
chain=forward action=drop in-interface=VLAN1001 out-interface=!ether1-gateway

Then the traffic on VLAN1001 is only allowed to access your ether1 port.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Tue Jan 29, 2013 1:17 am
by samsung172
> If you put vlans to the interface, you get the same behavior.
No. You get the same behavior at L3 (routed), but you don't bridge the VLANs together (L2).

E.g., when you put VLANs on a bridge, you will find all the other units' MAC addresses. If you put them on an interface, you will not. It's also possible to do a lot of bad stuff when all VLANs are put on one bridge. Then there's no reason to use the VLANs; better to just add all IPs to the interface.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Tue Jan 29, 2013 3:17 am
by che
> Hi Guys,
>
> I have a bridge for trunking, bri-trunk. I have added 5 vlans to the bridge to trunk to vmware.
Have you tried adding VLANs on the bridge interface, not as bridge port, and bridging physical interfaces? That way you will keep VLAN isolation as you intended and their availability on all physical interfaces you added to the bridge.

Re: Trunking Vlans to VMWare (Block VLAN->VLAN traffic)

Posted: Tue Jan 29, 2013 3:37 am
by CelticComms
> Yes. Do you have an example based on my info above?
Go into /IP Firewall and add a filter in the forwarding chain with nothing selected except Action=Drop.

At that point no traffic will be routed between interfaces at level 3. You may then want to add specific rules *above* that "drop all" rule with specific traffic that *is* to be forwarded - e.g. by specifying specific interfaces, IP ranges etc.
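The forward-chain layout CelticComms describes, written out for infused's three VLANs as an added example (not from any poster in the thread). It assumes the VLAN interfaces are named vlan1001 to vlan1003 on a parent port ether2 that trunks to VMware, and that ether1-gateway is the upstream port, as in zyflex's rule.

```routeros
# Added example, not from any poster in this thread. Assumed names:
# ether2 = trunk port toward VMware, ether1-gateway = upstream port.

# VLAN interfaces on the physical trunk port (not as bridge ports), so
# RouterOS does not bridge the VLANs together at L2.
/interface vlan
add name=vlan1001 vlan-id=1001 interface=ether2
add name=vlan1002 vlan-id=1002 interface=ether2
add name=vlan1003 vlan-id=1003 interface=ether2

/ip address
add address=10.1.1.1/24 interface=vlan1001
add address=10.1.2.1/24 interface=vlan1002
add address=10.1.3.1/24 interface=vlan1003

# Forward chain: explicit accepts first, a catch-all drop last.
# Rules are evaluated top to bottom and the first match wins, so the
# order below is what makes the isolation work.
/ip firewall filter
# Replies to connections already permitted (e.g. gateway -> VLAN).
add chain=forward action=accept connection-state=established,related comment="replies to permitted traffic"
# Each VLAN may reach the upstream port only.
add chain=forward action=accept in-interface=vlan1001 out-interface=ether1-gateway
add chain=forward action=accept in-interface=vlan1002 out-interface=ether1-gateway
add chain=forward action=accept in-interface=vlan1003 out-interface=ether1-gateway
# Everything else the router would route, including vlan1001 -> vlan1002,
# hits this rule and is dropped.
add chain=forward action=drop comment="block inter-VLAN and all other forwarding"
```

To confirm the isolation, watch the counters of the final drop rule with /ip firewall filter print stats while a host in VLAN 1001 tries to reach 10.1.2.1; the drop counter should climb and the ping should fail.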