Vlan to Vlan Restrict communication between specific IP addresses

Vlan firewall configuration

2 replies to this topic

#1 Darol Byrne

Darol Byrne
  • Members
  • 2 posts

Posted 30 January 2019 - 06:54 PM

Multiple Vlan environment. Let's say Vlan A, Vlan B, Vlan C.

Want a single IP on Vlan A to only communicate with a single IP on Vlan C and not be able to communicate with Vlan B.

I'm sure it's a firewall thing but not sure how to set it up.

Ideas?



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 417 posts
  • Location: Nottingham, UK

Posted 31 January 2019 - 02:48 AM

The way I would do it personally is to set up a rule somewhere near the top of the ruleset (since the ruleset is evaluated top-to-bottom, you need your more specific rule to come before any generic "allow all" rules). This rule should have


Source: Your single IP on VLAN A

Service: whatever you want

Destination: Your single IP on VLAN C

Connection Method: Probably "Original IP" but depends on your network


Then under Views/Advanced in the Rule Editor window, change the Destination Rule Mismatch Policy to "Block on mismatch".


This isn't the most intuitive feature, and it's a bit hidden away, but the end result is that because the source address (your computer on VLAN A) matches, that rule is evaluated as a match. However, the destination doesn't match: with the default "Continue on mismatch" destination action this would cause the firewall to continue down the ruleset looking for other rules which may match. But by changing this action to "Block on mismatch", since the destination doesn't match, the traffic is blocked immediately, skipping the rest of the ruleset.


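The rule-ordering behaviour described in the reply above can be modelled in a few lines. This is an added illustration, not code from the thread or from any firewall vendor: it walks a ruleset top-to-bottom and compares the default "Continue on mismatch" destination policy with "Block on mismatch" for the same flows. The VLAN subnets, the two host addresses and the trailing "allow all" rule are constructed assumptions standing in for the poster's real network.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing for the three VLANs (assumption, not from the thread).
VLAN_A = ip_network("10.1.0.0/24")
VLAN_B = ip_network("10.2.0.0/24")
VLAN_C = ip_network("10.3.0.0/24")
HOST_A = ip_address("10.1.0.10")   # the single host on VLAN A
HOST_C = ip_address("10.3.0.20")   # the single host on VLAN C it may talk to
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: IPv4Network               # source match (a /32 for a single host)
    dst: IPv4Network               # destination match
    action: str                    # "allow" or "block" when source and destination both match
    dst_mismatch: str = "continue"  # "continue" (default) or "block" when only the source matches


def evaluate(rules: list[Rule], src: IPv4Address, dst: IPv4Address) -> tuple[str, str]:
    """Walk the ruleset top-to-bottom and return (verdict, reason) for one src->dst flow."""
    for rule in rules:
        if src not in rule.src:
            continue                        # source did not match: rule not considered at all
        if dst in rule.dst:
            return rule.action, rule.name   # full match: apply the rule's action
        if rule.dst_mismatch == "block":
            # source matched but destination did not: stop here instead of falling through
            return "block", f"{rule.name}: destination mismatch, blocked"
        # "continue": keep looking further down the ruleset
    return "block", "implicit deny at end of ruleset"


def build_ruleset(mismatch_policy: str) -> list[Rule]:
    """The specific host-to-host rule near the top, then the generic allow-all below it."""
    return [
        Rule("host A -> host C", ip_network("10.1.0.10/32"), ip_network("10.3.0.20/32"),
             "allow", mismatch_policy),
        Rule("allow all", ANY, ANY, "allow"),   # generic rule further down the ruleset
    ]


def compare_policies() -> dict[str, dict[str, str]]:
    """Verdict of each constructed flow under both destination-mismatch policies."""
    flows = {
        "hostA->hostC": (HOST_A, HOST_C),                        # the one permitted path
        "hostA->vlanB": (HOST_A, ip_address("10.2.0.5")),        # should be blocked
        "otherA->vlanB": (ip_address("10.1.0.50"), ip_address("10.2.0.5")),  # untouched by rule 1
    }
    results = {}
    for policy in ("continue", "block"):
        rules = build_ruleset(policy)
        results[policy] = {name: evaluate(rules, s, d)[0] for name, (s, d) in flows.items()}
    return results


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(f"destination mismatch policy = {policy}")
        for flow, verdict in verdicts.items():
            print(f"  {flow:14s} {verdict}")
```

With the default "continue" policy the VLAN A host reaches VLAN B through the generic allow-all rule, because the first rule is only a partial match and evaluation falls through. With "block" the same partial match terminates evaluation, so only the VLAN C host is reachable, while other VLAN A addresses never match the first rule and are unaffected by it.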

#3 Darol Byrne

Darol Byrne
  • Members
  • 2 posts

Posted 04 February 2019 - 01:58 PM

Thank you. That worked perfectly. Can I add an additional twist?

I also want all other IP addresses on VLAN A to be blocked from VLAN B and VLAN C.

Source: IP range .2 to .254

Service: any

Destination: Internet only through the VLAN A gateway


Would this be adding a block rule after the rule I just built?