Proper way to give internet access but not other VLAN access to some VLANs

Started by Pablo Fernandez, May 04, 2025, 10:16:54 AM

Hello,

I have a few VLANs, nothing too complicated. Two of them are Main and IoT, the first one for my computers, the second for IoT devices. I want computers in Main to have access to everything, internet and IoT. I want IoT to have access to the internet, but not the Main VLAN. I want to do this in both IPv4 and IPv6. For IPv4 I get one IP from my ISP and then I use different private networks, for IPv6 I get a 48 prefix from my ISP which I divided into 64 prefix for each VLAN. Note: I do have more VLANs and I expect to have more in the future, so having a non-error-prone setup is one of my goals.

For the Main VLAN I have a single rule:

Action: pass
Direction: in
TCP/IP Version: IPv4+IPv6
Source: Main net
Source Port: *
Destination: *
Destination Port: *

Then I created two aliases:
  • LocalIPv4Networks: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  • LocalIPv6Networks: XXXX:XXXX:XXXX::/48

where XXXX:XXXX:XXXX is the IPv6 prefix that my ISP assigned to me.

Then in IoT I have 3 rules:

Action: pass
Direction: in
TCP/IP Version: IPv4
Source: IoT net
Source Port: *
Destination: !LocalIPv4Networks
Destination Port: *

Action: pass
Direction: in
TCP/IP Version: IPv6
Source: IoT net
Source Port: *
Destination: !LocalIPv6Networks
Destination Port: *

Action: pass
Direction: in
TCP/IP Version: IPv4+IPv6
Source: *
Source Port: *
Destination: This Firewall
Destination port: 53
Destination Port: *

This works, but to me, it feels error prone. For example, if my ISP has a problem and gives me a different IPv6 prefix, suddenly IoT would have access to Main. It feels to me that these two things shouldn't be correlated.

I wish there was a way to specify a rule that IoT can go out of the WAN interface and only that interface. Listing things it doesn't get access to feels like denylisting instead of allowlisting.

Any ways I can improve that?

Thank you.

I do it a little differently:

1. Block all IPv4 from, say, IoT net to LocalIPv4Networks. This rule will only exist on non-privileged VLANs, not for LAN.
2. Allow all IPv4 & IPv6 from any to any, giving outside access.

I do not have a specific IoT rule for IPv6 because why should I block IoT access more than I do from the WAN side?

Instead, I only block incoming IPv6 traffic, giving selected access to IPv6 ports on any VLAN via floating rules.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+