I have configured 3 VLANs, ID4, ID10 & ID20.
Default LAN 192.168.1.0/24 = management
ID4 192.168.4.0/24 = Home LAN
ID10 192.168.10.0/24 = guest
ID20 10.0.20.0/24 = IoT devices
For the default and home LAN I will be using the default fw rules.
I would like to create a rule for guest and IoT not to have any access to the LAN resources but only to the internet.
I have attached a few screenshots; I would really appreciate it if someone can tell me what changes I need to tweak to block the access.
(https://lh3.googleusercontent.com/c9nnpMA3iPnWh4wVnX9kWVhAZiIaR2qfDUzBVcFY6DYnPTFRtGQtnGy_WjUsNzsexCPdtuN4Yz9zm1DxidSrFI8L_7LvJ4pGb8CsU-sNNYt9dR967IzIku6MxjClx_RXkkXH25Yb=w2400)
(https://lh3.googleusercontent.com/52XHVYkOxPVBb3O2svcbdi2mCliFOW8Ca4wzXCPfCDTLDeo1mH54ac72hxndE0CwBIoTEQo8yhsZWB20lMLh5OolqMjYvOhtNbcL82CI7ATzz1aBcqkhaelPrc0wnl5hBr9krE_f=w2400)
(https://lh3.googleusercontent.com/iRBVhJkAVgn6Z50KQmw26QbcGuG9TWmq76f1HiBq0EjkUBih1ncP9Uf-51MOVUI8CNam_HBK0tzVRWxnI6BqUBAskB10XsMdoo0smiRufk6NuhFRSjJq7I-J00SyRxXnBEDaAoy6=w2400)
Just create an alias with all RFC1918 networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
At the end of the guest and IoT rules add:
- block dst RFC1918
- allow dst all
Or make it one rule with:
allow dst not RFC1918
This example assumes you are not using any public IPs for the LAN and no IPv6.
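To see why the two-rule and one-rule variants above behave the same, and why the IPv6 assumption matters, here is a small model of the rule evaluation. This is an added example, not code from hbc's post or from any firewall project: the alias name RFC1918, the Rule/decide/audit helpers and the sample destination addresses are all constructed here, and first-match ("quick") evaluation with an implicit default deny is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# Alias "RFC1918": the three private IPv4 ranges listed in the answer.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def in_alias(dst: str, alias) -> bool:
    """True if dst falls inside any network of the alias.

    An IPv6 destination can never match an IPv4-only alias, which is why
    the answer assumes IPv6 is not in use: such traffic would fall through
    to the 'allow' rule instead of being blocked.
    """
    ip = ipaddress.ip_address(dst)
    return any(ip.version == net.version and ip in net for net in alias)


@dataclass
class Rule:
    action: str                     # "block" or "pass"
    matches: Callable[[str], bool]  # predicate on the destination address
    label: str


# Variant 1 from the answer: block dst RFC1918, then allow dst all.
TWO_RULES: List[Rule] = [
    Rule("block", lambda d: in_alias(d, RFC1918), "block dst RFC1918"),
    Rule("pass", lambda d: True, "allow dst all"),
]

# Variant 2 from the answer: a single rule, allow dst not RFC1918.
ONE_RULE: List[Rule] = [
    Rule("pass", lambda d: not in_alias(d, RFC1918), "allow dst not RFC1918"),
]


def decide(rules: List[Rule], dst: str) -> str:
    """First matching rule wins (assumed 'quick' semantics); a packet that
    matches nothing hits the implicit default deny."""
    for rule in rules:
        if rule.matches(dst):
            return rule.action
    return "block"


# Constructed sample destinations: the poster's own subnets, a public
# documentation address (TEST-NET-3) and an IPv6 ULA address.
SAMPLE_DESTINATIONS = {
    "192.168.1.1": "management gateway",
    "192.168.4.20": "home LAN host",
    "192.168.10.5": "guest VLAN address",
    "10.0.20.7": "IoT device",
    "203.0.113.10": "internet host",
    "fd00::1": "IPv6 ULA host (outside the IPv4 alias)",
}


def audit(rules: List[Rule]) -> dict:
    """Map each sample destination to the decision the rule set produces."""
    return {dst: decide(rules, dst) for dst in SAMPLE_DESTINATIONS}


def rulesets_agree(a: List[Rule], b: List[Rule]) -> bool:
    """True if both variants reach the same decision for every sample."""
    return audit(a) == audit(b)


if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE)):
        print(f"== {name} ==")
        for dst, decision in audit(rules).items():
            print(f"  {dst:<14} {decision:<6} ({SAMPLE_DESTINATIONS[dst]})")
    print("variants agree:", rulesets_agree(TWO_RULES, ONE_RULE))
```

Running it shows every private destination blocked and the internet host passed under both variants, while the fd00::1 row is passed by both: that is the gap the "no IPv6" assumption covers, so if IPv6 is later enabled on the guest or IoT VLANs a matching IPv6 block rule is needed. One further point to check before relying on this: if the firewall itself answers DNS for the guest and IoT VLANs, an allow rule for that service to the VLAN's gateway address has to sit above the RFC1918 block, because the block covers the gateway too.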
Quote from: hbc on April 25, 2020, 08:36:18 AM
Just create an alias with all RFC1918 networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
At the end of the guest and IoT rules add:
- block dst RFC1918
- allow dst all
Or make it one rule with:
allow dst not RFC1918
This example assumes you are not using any public IPs for the LAN and no IPv6.
Thanks, works out lovely!!