Hello,
I have a few VLANs, nothing too complicated. Two of them are Main and IoT, the first one for my computers, the second for IoT devices. I want computers in Main to have access to everything, internet and IoT. I want IoT to have access to the internet, but not the Main VLAN. I want to do this in both IPv4 and IPv6. For IPv4 I get one IP from my ISP and then I use different private networks; for IPv6 I get a /48 prefix from my ISP, which I divided into a /64 prefix for each VLAN. Note: I do have more VLANs and I expect to have more in the future, so having a non-error-prone setup is one of my goals.
For the Main VLAN I have a single rule:
Action: pass
Direction: in
TCP/IP Version: IPv4+IPv6
Source: Main net
Source Port: *
Destination: *
Destination Port: *
Then I created two aliases:
- LocalIPv4Networks: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
- LocalIPv6Networks: XXXX:XXXX:XXXX::/48
where XXXX:XXXX:XXXX is the IPv6 prefix that my ISP assigned to me.
Then in IoT I have 3 rules:
Action: pass
Direction: in
TCP/IP Version: IPv4
Source: IoT net
Source Port: *
Destination: !LocalIPv4Networks
Destination Port: *

Action: pass
Direction: in
TCP/IP Version: IPv6
Source: IoT net
Source Port: *
Destination: !LocalIPv6Networks
Destination Port: *

Action: pass
Direction: in
TCP/IP Version: IPv4+IPv6
Source: *
Source Port: *
Destination: This Firewall
Destination Port: 53
This works, but to me, it feels error-prone. For example, if my ISP has a problem and gives me a different IPv6 prefix, suddenly IoT would have access to Main. It feels to me that these two things shouldn't be correlated.
I wish there was a way to specify a rule that IoT can go out of the WAN interface and only that interface. Listing things it doesn't get access to feels like denylisting instead of allowlisting.
Any ways I can improve that?
Thank you.
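As an added illustration (not part of the post, and not code from any firewall product), the script below models the three IoT rules above with pfSense/OPNsense-style first-match, default-deny semantics and constructed lab addressing: 2001:db8:1::/48 from the ISP, VLAN /64s at index 0x10 (Main) and 0x20 (IoT), and 192.168.10.0/24 and 192.168.20.0/24 for IPv4. It then replays the failure the post worries about: the ISP hands out 2001:db8:2::/48, the VLANs follow the new prefix, but the hand-typed LocalIPv6Networks alias still says 2001:db8:1::/48. For comparison it also evaluates an assumed alternative rule set whose deny destinations are derived from the subnets the firewall already knows (what the interface-network alias "Main net" tracks) instead of a typed-in prefix. The rule model, address plan and both rule sets are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One interface rule in the pfSense/OPNsense style: first match wins, default deny."""
    action: str                    # "pass" or "block"
    src: list                      # networks the source address must belong to
    dst: list                      # networks the destination is tested against
    version: Optional[int] = None  # 4, 6, or None for "IPv4+IPv6"
    dst_negate: bool = False       # models the "!Alias" (invert destination) setting
    dport: Optional[int] = None    # None models "*"


ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def evaluate(rules, src_ip, dst_ip, dport=None):
    """Return the action applied to one packet arriving on the IoT interface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.version is not None and r.version != src.version:
            continue
        if not any(src in n for n in r.src):
            continue
        dst_hit = any(dst in n for n in r.dst)
        if dst_hit == r.dst_negate:      # a normal rule needs a hit, a "!" rule needs a miss
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"                       # nothing matched: implicit default deny


def lab_addressing(isp_prefix):
    """Constructed addressing (assumption): ISP /48, VLAN index 0x10 = Main, 0x20 = IoT."""
    base = int(ipaddress.ip_network(isp_prefix).network_address)
    return {
        "main_v4": ipaddress.ip_network("192.168.10.0/24"),
        "iot_v4": ipaddress.ip_network("192.168.20.0/24"),
        "main_v6": ipaddress.IPv6Network((base + (0x10 << 64), 64)),
        "iot_v6": ipaddress.IPv6Network((base + (0x20 << 64), 64)),
    }


def firewall_addresses(addr):
    """'This Firewall' as seen from IoT: the .1 / ::1 address of the IoT interface."""
    return [ipaddress.ip_network(str(addr["iot_v4"][1])),
            ipaddress.ip_network(str(addr["iot_v6"][1]))]


def iot_rules_as_posted(alias_v6_prefix, addr):
    """The three rules from the post; LocalIPv6Networks is a prefix typed in by hand."""
    iot = [addr["iot_v4"], addr["iot_v6"]]
    local_v4 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    local_v6 = nets(alias_v6_prefix)
    return [
        Rule("pass", iot, local_v4, version=4, dst_negate=True),
        Rule("pass", iot, local_v6, version=6, dst_negate=True),
        Rule("pass", ANY, firewall_addresses(addr), dport=53),
    ]


def iot_rules_interface_based(addr):
    """Assumed alternative: deny the subnets the firewall itself knows (the Main interface
    network and its own addresses), then pass the rest. No prefix is typed in anywhere."""
    iot = [addr["iot_v4"], addr["iot_v6"]]
    fw = firewall_addresses(addr)
    return [
        Rule("pass", ANY, fw, dport=53),
        Rule("block", iot, fw),
        Rule("block", iot, [addr["main_v4"], addr["main_v6"]]),
        Rule("pass", iot, ANY),
    ]


def renumbering_scenario():
    """ISP moved us from 2001:db8:1::/48 to 2001:db8:2::/48; VLANs followed, the alias did not."""
    new = lab_addressing("2001:db8:2::/48")
    stale = iot_rules_as_posted("2001:db8:1::/48", new)
    tracked = iot_rules_interface_based(new)
    iot_host, main_host = "2001:db8:2:20::5", "2001:db8:2:10::5"
    return {"posted": evaluate(stale, iot_host, main_host),
            "interface_based": evaluate(tracked, iot_host, main_host)}


if __name__ == "__main__":
    print(renumbering_scenario())   # {'posted': 'pass', 'interface_based': 'block'}
```

With the original prefix both rule sets behave the same (IoT to Main blocked, IoT to the internet and to the firewall's DNS passed). After renumbering, the posted set passes IoT to Main because the "!LocalIPv6Networks" test no longer sees the destination as local, while the interface-based set keeps blocking it. With more VLANs the interface-based variant needs one block entry per sibling VLAN (or a group alias built from the interface networks), which is the maintenance cost of that approach; what it removes is the dependency on a value the ISP assigns.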