Greetings.
I am setting up VLAN Isolation on my router. I want 100% complete isolation between each VLAN except for any inter-VLAN connection that has been NATed.
I do not want any device on any VLAN Network to be able to connect to or even Ping an IP on another VLAN unless there is a NAT Rule allowing that connection.
I also do not want devices to be able to communicate with the Router's IP address on a different VLAN.
My PC IP:
---192.168.100.100 - on VLAN 100 (Home)
My Router's IPs:
---192.168.100.1 - VLAN 100 (Home)
---192.168.150.1 - VLAN 200 (Work)
---192.168.200.1 - VLAN 300 (Security)
---192.168.250.1 - VLAN 1 (Management)
I have Address Lists containing the entire network for each VLAN (including the Router's IP addresses).
If my PC (192.168.100.100) pings the router, I want it to ONLY be able to communicate with the router at 192.168.100.1, but be denied communication at 192.168.150.1, 192.168.200.1, and 192.168.250.1.
Below are my Input Firewall rules that I have created to attempt to stop devices from being able to communicate with the router's IP that isn't on the same VLAN. Unfortunately they do not work and my PC can ping and access the Vband still.
add action=drop chain=input comment="Home Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Home Network" src-address-list="!Home Network"
add action=drop chain=input comment="Work Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Work Network" src-address-list="!Work Network"
add action=drop chain=input comment="Security Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Security Network" src-address-list="!Security Network"
add action=drop chain=input comment="Management Network Router Isolation Not NATed" \
connection-nat-state=!srcnat,dstnat connection-state=new dst-address-list=\
"Management Network" src-address-list="!Management Network"
Can anyone assist in identifying where my Firewall rules have gone wrong?
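For comparison, here is an added RouterOS example (not the poster's configuration, and not a diagnosis of the rules above) that reaches the stated goal with a different matching approach: instead of negated address lists and connection-nat-state, each VLAN is allowed to reach only its own gateway address on its own interface, and every other packet from a VLAN interface to the router is dropped. The interface names (vlan100-home, vlan200-work, vlan300-security, vlan1-mgmt) and the interface list name VLANS are assumptions; the gateway addresses are the ones from the post. The forward chain shows the one exception the post asks for: inter-VLAN connections that were created by a dst-nat rule.

```routeros
# Added example, not the configuration from the post above. Assumed names:
# VLAN interfaces vlan100-home, vlan200-work, vlan300-security, vlan1-mgmt
# and an interface list "VLANS"; replace them with the real interface names.

/interface list
add name=VLANS comment="all VLAN interfaces (assumed name)"
/interface list member
add list=VLANS interface=vlan100-home
add list=VLANS interface=vlan200-work
add list=VLANS interface=vlan300-security
add list=VLANS interface=vlan1-mgmt

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router already allowed"
add chain=input action=drop connection-state=invalid
# Each VLAN may talk to the router only via the gateway address on that VLAN.
# Matching on in-interface plus dst-address means a Home host that sends a
# packet to 192.168.150.1 (the Work gateway) never reaches an accept rule.
add chain=input action=accept in-interface=vlan100-home dst-address=192.168.100.1 \
    comment="Home -> own gateway only"
add chain=input action=accept in-interface=vlan200-work dst-address=192.168.150.1 \
    comment="Work -> own gateway only"
add chain=input action=accept in-interface=vlan300-security dst-address=192.168.200.1 \
    comment="Security -> own gateway only"
add chain=input action=accept in-interface=vlan1-mgmt dst-address=192.168.250.1 \
    comment="Management -> own gateway only"
add chain=input action=drop in-interface-list=VLANS \
    comment="anything else from a VLAN to any router address, ping included"

# --- forward chain: packets routed between VLANs ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# A connection that matched a dst-nat rule is the one exception the post asks for;
# its first packet is still connection-state=new, so this must sit above the drop.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=VLANS \
    comment="inter-VLAN only when a NAT rule created the connection"
add chain=forward action=drop in-interface-list=VLANS out-interface-list=VLANS \
    comment="no other VLAN-to-VLAN traffic"
```

Two things to check before relying on this. First, rule order: these rules only work if they sit above any broader accept rule already in the input or forward chain (for example an "accept from LAN" rule), so print the chain and move them up if needed. Second, lockout: the final input drop also applies to the management VLAN, so apply the change from Safe Mode and confirm from a management host that 192.168.250.1 is still reachable, and that services the clients use through their gateway (DNS, DHCP) still work after the drop is in place. Traffic from a VLAN to a non-VLAN interface such as the WAN is not touched by these rules and falls through to whatever follows them.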