How to separate subnets from each other

Started by venomone, November 26, 2019, 09:49:33 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 26, 2019, 09:49:33 AM
Hello,

i have 3 subnets lets call them:

1. 192.168.10.0/24
2. 192.168.20.0/24
3. 192.168.30.0/24

but currently all clients of all 3 subnets can talk with each other which should not be possibe.
is there a config setting for this or can i only accomplish that by a firewall rule?
clients should only be able to talk on there very own subnet.

Kind regards and thanks for reading
November 26, 2019, 01:41:53 PM #1
Install three NICs and add each subnet to one NIC or define VLANs and buy an VLAN capable switch.

Then create an alias e.g. named Net_RFC1918 with content:

  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8

Then add to each subnet this rule on top:
Code Select

Protocol Source Port Destination Port Gateway Schedule Description
IPv4+6 * * * Net_RFC1918 * * * Block RFC1918 traffic as destination

Now subnets cannot talk to each other (and future private subnets), except you add an exception above this rule. Rules to public IP addresses in existing rulesets won't be affected.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
November 26, 2019, 02:43:21 PM #2
Hello,

thx for your quick answere but for now this has changed nothing so far for me.
November 26, 2019, 03:05:16 PM #3
Let's do it the easy way:

You have three interfaces for your 3 subnets. Let's call them LAN, OPT1 and OPT2.

If LAN is  192.168.10.0/24 then put on top of the firewall rules for this interface (ABOVE the allow any any rule)

Block ipv4 source: any port: any destination: 192.168.20.0/24 port:any

and

Block ipv4 source: any port: any destination: 192.168.30.0/24 port:any

After applying the change, you should no longer be able to reach the .20.0 and .30.0 nets from LAN.

Then create comparable rules on the OPT1 and OPT2 firewall rule tabs...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
November 26, 2019, 03:10:34 PM #4
Quote from: venomone on November 26, 2019, 02:43:21 PM
Hello,

thx for your quick answere but for now this has changed nothing so far for me.

Did you add it as BLOCK/REJECT rule?
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
November 26, 2019, 03:24:04 PM #5
Yes i did.
November 26, 2019, 03:29:59 PM #6
Okay, got it working, my mistake was the rule sequence. i moved up the rule and the magic starts to happen
November 26, 2019, 03:34:47 PM #7
But what i still dont understand is that now all the traffic is blocked also within the same subnet. i want that each client from each subnet can talk to eachother and reach the internet trough the gateway/router.
November 26, 2019, 03:41:12 PM #8
Okay i already got, that @ all for your help
Print
Go Up Pages1
User actions