General Discussion / Re: Best Practices with VLANs, which to assign to LAN Interface?
« on: September 23, 2022, 07:58:47 pm »
I'm just going to go start to finish, so bear with me if I am just going on about things you already know or have set up. I see a lot of confusion on various subreddits about VLANs and their setup.
The interface assignments look fine. Rules are applied on the interface they sit on, as traffic enters that interface, inbound. So a device on your LAN will be filtered by rules on the LAN interface. For your VLANs you allow or block traffic from the net and into the firewall interface on their respective tabs. To allow the server VLAN access to the internet but not, say, seccam, you would put allow/block rules on the server VLAN only. No need to put rules anywhere else for the server VLAN, the only exception being floating rules, but they aren't needed for a basic setup.
As for the VLANs, I assume you are using a switch, not just a bunch of interfaces on the firewall. You need to set up VLANs on the switch. The attached picture, for example, is my main switch; I have VLANs set up for those I am actually using currently. I am in the process of reconfiguring my network, and in order to add another VLAN on the firewall I must log in to the switch and add it here. Otherwise the switch will not tag anything and you will only see untagged traffic entering the firewall, and it will also allow traffic between untagged ports on the switch, or trunk ports where untagged traffic is allowed. Some switches also have the ability to route VLANs internally; you'll not want to enable this. It should be disabled by default, but it will completely bypass the firewall if enabled.
I think you mentioned this already being set up, which prevents inter-VLAN routing on the switch itself; it must traverse the firewall. It doesn't have to exit and enter the WAN, just enter the VLAN interface and travel to the next. As far as the default VLAN for LAN goes, I don't use VLAN1 for anything, but I have never seen VLAN hopping happen outside a testing lab.
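The rule-placement point in the post (traffic is filtered by the rules on the interface it enters, so the server VLAN's policy lives on the server VLAN tab only, and a VLAN with no rules can initiate nothing) is easy to get wrong when first building out tabs. The following is an added example, not code from the poster or from pfSense/OPNsense: a small Python model of per-interface, inbound, first-match evaluation. The network names and addresses (LAN, SERVER, SECCAM, the 10.10.x.0/24 and 192.168.1.0/24 ranges, the 203.0.113.10 "internet" host) are constructed for the example, and the first-match and implicit-default-deny semantics are assumptions that mirror how "quick" rules in those GUIs behave.

```python
"""Per-interface, inbound, first-match firewall rule evaluation.

Added example modelling the behaviour described in the post: a packet is
checked only against the rules on the interface it ENTERS the firewall from.
Networks, rules and addresses are constructed, not taken from anyone's setup.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example networks (assumed addressing, not from the post).
NETS = {
    "LAN":    ipaddress.ip_network("192.168.1.0/24"),
    "SERVER": ipaddress.ip_network("10.10.20.0/24"),
    "SECCAM": ipaddress.ip_network("10.10.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # network name from NETS, or "any"
    dst: str      # network name from NETS, or "any"
    desc: str = ""


def _matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """'any' matches everything; otherwise test membership in the named net."""
    return selector == "any" or addr in NETS[selector]


# Rulesets keyed by the interface tab they are configured on. Only traffic that
# enters the firewall on that interface is checked against that list.
RULESETS = {
    "LAN": [
        Rule("pass", "LAN", "any", "LAN may initiate anything"),
    ],
    "SERVER": [
        # Order matters: the block must sit ABOVE the catch-all pass.
        Rule("block", "SERVER", "SECCAM", "servers may not reach cameras"),
        Rule("pass",  "SERVER", "any",    "servers may reach the internet and the rest"),
    ],
    "SECCAM": [],  # no rules at all: cameras can initiate nothing (implicit deny)
}


def ingress_interface(src: ipaddress.IPv4Address) -> str:
    """Pick the firewall interface a packet with this source address arrives on."""
    for name, net in NETS.items():
        if src in net:
            return name
    return "WAN"  # anything outside the local nets comes in from upstream


def evaluate(src_ip: str, dst_ip: str, rulesets=RULESETS) -> tuple:
    """Return (action, ingress_interface, matched_rule_description).

    First matching rule wins (assumed 'quick' semantics); with no match the
    firewall's default deny applies. Reply packets of an allowed connection are
    handled by the state table and never consult these rules again.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = ingress_interface(src)
    for rule in rulesets.get(iface, []):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, iface, rule.desc
    return "block", iface, "implicit default deny"


# The same SERVER rules with the pass placed first: the block is never reached.
MISORDERED = dict(RULESETS, SERVER=list(reversed(RULESETS["SERVER"])))


if __name__ == "__main__":
    for s, d in [("10.10.20.5", "203.0.113.10"),    # server -> internet: pass
                 ("10.10.20.5", "10.10.30.7"),      # server -> camera:   block
                 ("10.10.30.7", "10.10.20.5"),      # camera -> server:   default deny
                 ("192.168.1.20", "10.10.30.7")]:   # LAN -> camera:      pass
        print(s, "->", d, evaluate(s, d))
    print("misordered:", evaluate("10.10.20.5", "10.10.30.7", MISORDERED))
```

Two things the model makes visible: the SECCAM result comes out as "implicit default deny" even though nothing on the SERVER tab mentions it, which is why the post says no rules are needed anywhere else; and `MISORDERED` shows that putting the catch-all pass above the block silently defeats it, so check rule order on each tab, not just rule content.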