Getting set up with VLANs

[BathToast]

Hey all,

So I'm getting things configured with VLANs and I'm still pretty new to networking, my specialty is in Hardware and Specialty Software, and I'm getting my home network all configured.

I've settled on a few VLANs to use for various things. Guest Network, IoT Network, Personal Network, Home Network, etc. Using the VLANs on their own subnets and dividing things up by security.

However, I'm looking at it now that I have all these VLANs set up to go over my LAGG Connection and.... do I even need my standard LAN Connection anymore? I have DHCP configured for everything else, and i plan on testing a device or two here really shortly on the Home VLAN's wifi, but if that works do I actually need to bother with the dedicated "LAN" connection?

Also I know I've pulled the rules for the VLANs over from the orginal LAN connection, and to my knowledge this allows objects on seperate VLANs to ping/talk to eachother and I'll need to shut that off which I will need a bit of direction on how to do.

but since each VLAN is now set up as an interface to the router across the LAGG, and they have rules to allow inbound traffic, i should be able to just kill the orginal LAN interface and configuring my switch accordingly?

TLDR: What I need to know is:

1) Once my VLANs Interfaces are set can I cut off the LAN Interface entirely with no issue/concequence
2) What Firewall rules do I need to set to isolate VLANs from eachother (Is there a way I can set specific VLANs to access other ones? (Such as my personal network to my servers)

[T-Rex]

Hey BathToast;

To question 1: - yes you can remove the original LAN interface, however I generally like to keep a (management) interface that is untagged in the event that things go sideways.  So you can plug into it with any ole ethernet and assign the IP address and manage the firewall if required. 

I also generally setup my (LAN) and rename it to (management) I do not set a gateway or anything but I maintain it for management and then have a Linux host that only responds with Private key authentication with an ssl forward to the firewall to lock down management of the firewall.  I am a bit paranoid.... having been a network engineer with emphasis on security for the last 20+ years created a lot of distrust.

As far as question 2 natively the bottom of all the interfaces should be an implicit deny that would deny traffic between VLAN's if you would prefer to put a deny with an any/any and log the traffic it will give you more visibility in that situation, which is generally something I do as I also send firewall logs to a local instance of splunk.

I realize this is a long response to answer your questions but I am hoping it has helped.

Thanks
Scott

[BathToast]

Scott,

Happy to hear back. I dont mind long posts at all! The more detail the better in my eyes.

Good to know that at the least. Currently i'm experiencing the issue where I'm able to ping things such as interfaces on other VLANs from my current network when i shouldnt be able to, and i Have pretty bare bones rules. I'm still getting used to all these rules and how they flow/operate so theres that.

I was able to at least remove my regular LAN and now my optional ones are running the network, but i may add it back in as an untagged Vlan for diagnosis like you mentioned, probably limit it to a physical port on the router itself since its running on a little R210 ii.

For the most part it looks like the rest will just be me getting used to how the rules are phrased and getting them set up.

Edit: This is embarassing, i just necro'd a post because i posted a new one similar to my old one! Whoops!

[twintailterror]

Hey BathToast;

To question 1: - yes you can remove the original LAN interface, however I generally like to keep a (management) interface that is untagged in the event that things go sideways.  So you can plug into it with any ole ethernet and assign the IP address and manage the firewall if required. 

I also generally setup my (LAN) and rename it to (management) I do not set a gateway or anything but I maintain it for management and then have a Linux host that only responds with Private key authentication with an ssl forward to the firewall to lock down management of the firewall.  I am a bit paranoid.... having been a network engineer with emphasis on security for the last 20+ years created a lot of distrust.

As far as question 2 natively the bottom of all the interfaces should be an implicit deny that would deny traffic between VLAN's if you would prefer to put a deny with an any/any and log the traffic it will give you more visibility in that situation, which is generally something I do as I also send firewall logs to a local instance of splunk.

I realize this is a long response to answer your questions but I am hoping it has helped.

Thanks
Scott

   would you be willing to share (with blocked out macs duh)  your rule set up ? im having such a freaking hard time i cannot find a video walkthoughs i find dont work  i ether get internet + all vlans or nothing at all period  i cannot seem to block vlans from talking but keep internet

should i block all local  then allow by network if so do i use.net or .address
also is the in really out?  im so freaking lost i have another post with pics. but im willing to share here to i have discord if your willing pls i really need help and im running out of time.  i have till the end of the month to finish and its the 15 o.o  next month at the best .  then i get new fiber and i have to vlan off 1 network for legal reasons so reallly need help.

TwinTailTerror#1818   is discord if u want to friend here is ok  w/e i dont care i just figure posting pics of my set up might be faster there.  also if  there is a discord for open sense i want a invite i cant find it.