Once switch1-cpu is involved in multiple Vlans for routing purpose, each Vlan can route to WAN by its own gateway
Doing so, also inter-vlan is automatically enabled but this is unwanted.
I've got to insert a filter rule on top of my forward ones :
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=accept connection-state=established,related
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24
(first one is the only position that deny inter-vlan traffic)
However, I need some host in a single Vlan to access all hosts in the other Vlans
I've tried many rules in many order but host to inter-vlan packets are always dropped: what's the rights syntax ? where I'm wrong???
Thank you
Manage inter-vlan connections
Last edited by OKNET on Thu Mar 09, 2017 4:54 pm, edited 1 time in total.
Re: Manage inter-vlan connections
Try
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=accept connection-state=established,related
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24
Re: Manage inter-vlan connections
Already tried. It doesn't work.
In this allow rule, packets counter increases while pinging a machine on another vlan but it increases as well on the next rule (the dropping one).
Any idea ?
In this allow rule, packets counter increases while pinging a machine on another vlan but it increases as well on the next rule (the dropping one).
Any idea ?
Re: Manage inter-vlan connections
Obviously, communication is a two way business. You are getting packets there but not back. Try adding a corresponding dst-address rule:Already tried. It doesn't work.
In this allow rule, packets counter increases while pinging a machine on another vlan but it increases as well on the next rule (the dropping one).
Any idea ?
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan dst-address=allo.wed.host.ip
Re: Manage inter-vlan connections
You're right, I must allow packets in both directions
It works , thanks
It works , thanks
Re: Manage inter-vlan connections
Sorry, I missed rule order:
even better:
I understood that single host should be the one able to connect to the others, that is, initiate the connections and not viceversa; with your suggested ruleset other vlan hosts can initiate connections to allo.wed.host.ip with no restrictions.
Code: Select all
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip
chain=forward action=accept connection-state=established,related
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24
Code: Select all
chain=forward action=accept in-interface=all-vlan out-interface=all-vlan src-address=allo.wed.host.ip connection-state=new
chain=forward action=accept connection-state=established,related
chain=forward action=drop in-interface=all-vlan out-interface=all-vlan
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=pppoe-out1
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24
@sid5632:However, I need some host in a single Vlan to access all hosts in the other Vlans
I understood that single host should be the one able to connect to the others, that is, initiate the connections and not viceversa; with your suggested ruleset other vlan hosts can initiate connections to allo.wed.host.ip with no restrictions.
Re: Manage inter-vlan connections
Agreed.I understood that single host should be the one able to connect to the others, that is, initiate the connections and not viceversa; with your suggested ruleset other vlan hosts can initiate connections to allo.wed.host.ip with no restrictions.
Re: Manage inter-vlan connections
Confirm, new order , it works !