Prevent communication between vlans with rfc1918

Started by process, September 15, 2022, 11:00:19 PM

I made a firewall alias rfc1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). So from my understanding, if we take 192.168.0.0/24, this alias/rule applies if any destination is in the 192.168.x.x range?

I tried to be in separate vlans and ping between them and nothing went through, good.
But I tried as well to be in the same vlan, and in that case I couldn't ping them either. And that is something I want to do. It feels like this is correct since the vlan itself is within the 192.168.x.x range ofc. So that seems logical. But in mac telecoms youtube video, https://www.youtube.com/watch?v=CDUyMpBC8bw&t=722s it sounds as if it only should be between networks. Is it me that's doing something wrong?

I'm in a test lab so my wan is 192.168.73.1. Does it matter for this?

Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.

Quote from: Demusman on September 16, 2022, 12:28:55 AM
Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.

Ok interesting, didn't know that. However the problem was that my computers had a network profile that was preventing others from seeing me.

Regarding that subnet traffic doesn't go through the firewall, in that case is it impossible on a network level to prevent every device on a vlan from seeing other devices on the same vlan?

Quote from: process on September 16, 2022, 10:55:44 PM
Regarding that subnet traffic doesn't go through the firewall, in that case is it impossible on a network level to prevent every device on a vlan from seeing other devices on the same vlan?
Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

It all depends on your specific requirements.

If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

September 17, 2022, 04:18:01 AM #4 Last Edit: September 17, 2022, 04:19:58 AM by Demusman
Quote from: process on September 16, 2022, 10:55:44 PM
Ok interesting, didn't know that. However the problem was that my computers had a network profile that was preventing others from seeing me.

Think about it. Do you need a router to connect devices to each other??
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to leave the subnet you're on, no router needed.


Impossible for devices to see each other on the same subnet... as stated above, not impossible but needs a lot of work.

Quote from: pmhausen on September 17, 2022, 12:33:07 AM
Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

It all depends on your specific requirements.

If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.

HTH,
Patrick
The managed switch is on its way. Not for this purpose but at least I have the possibility to use it for this as well if I want to. But perhaps more vlans could be an option, or that is what I mainly will use. But more or less what I was thinking of was the IoT vlan. Really no point in making it possible for some of the devices/brands to talk to other brands. For example, a smart light button doesn't need to talk to a smart vacuum cleaner.
But perhaps you just make it too complex because the next day you want to have a light turned on when the vacuum cleaner drives around (or whatever..). Only an example, I don't even own a smart vacuum cleaner :)

Quote from: Demusman on September 17, 2022, 04:18:01 AM
Think about it. Do you need a router to connect devices to each other??
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to :leave: the subnet you're on, no router needed.
Yep that's a good point!

I've enabled RFC1918 and it works. But I got another issue: if I'm connecting, for example, my phone to that vlan that has this firewall rule, I lose internet connection and the log writes out that it blocked those ones, and similar ones with a different destination port.
My vlan is 192.168.30.x and as you can see my phone is 192.168.30.10. Should I make a rule and enable 192.168.30.1 for udp?

Source                 Destination        Proto
192.168.30.10:3712     192.168.30.1:53    udp
192.168.30.10:13311    192.168.30.1:53    udp

Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.

This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.

Quote from: Demusman on November 05, 2022, 12:14:02 PM
Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.

This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.

Perhaps it's good to enable logging for that rule, so I know if there are any blocks that shouldn't be blocked.

See my attachment.

Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

Quote from: Demusman on November 05, 2022, 02:26:07 PM
Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

Yea, I'll change to home30 addresses instead. Is it really necessary to add http and https to that port alias, since internet works when port 53 is enabled?

Not at all for that usage, but aliases can be used for many different things so having one that contains multiple ports can come in handy in other places and won't hurt anything.

Just so you know, the internet is working from your last rule, 53 just resolves addresses.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.

Quote from: Demusman on November 05, 2022, 03:39:21 PM
Just so you know, the internet is working from your last rule, 53 just resolves addresses.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.
Yea I did notice that internet worked :) I'm really thankful for all the help and explanation. Since I'm not that confident with firewalls, I need to double check or see that someone else did something similar.
For example, rfc1918 I saw from some youtubers. But none of them opened any port afterwards, so that's why I got a bit confused about whether I did the right thing.

However, thank you! :)

Quote from: Demusman on November 05, 2022, 02:26:07 PM
Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

I got a block from 192.168.30.10:49314 (phone) to destination 192.168.30.1:853 because of the rfc1918 block rule. It seems to be a DNS query again so I guess this should be opened.
Or if I change the argument: is this a request in to another vlan? No it isn't! Then open it... could that be a valid statement to use to know if those requests should be opened or not?

Another solution is maybe to allow all 192.168.30.1 (gateway) request instead of opening those specific ports?

Another block from my rfc1918 rule was from my computer to destination 192.168.30.255:137 (udp). I guess that this should be allowed as well? As I said previously, the point is not to block internal sub network / in the own vlan requests.

By the way, is 192.168.30.255 used to communicate to the whole network?
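Two points in this thread are easy to get wrong from the GUI alone: Demusman's remark that same-subnet traffic never passes the firewall while packets addressed to the firewall itself do (which is why the phone's DNS queries to 192.168.30.1 were caught by the rfc1918 block), and his advice to put an allow rule for DNS to "this firewall" above the block. The following added example (my own code, not from the thread or from OPNsense) models that as a small first-match rule evaluator run over flows constructed from the log lines quoted above, plus the later 853 and 192.168.30.255:137 entries. Assumptions: the Home30 VLAN is 192.168.30.0/24, "this firewall" is approximated by the interface address 192.168.30.1, rules are evaluated first-match (OPNsense interface rules are "quick" by default), and the source address 192.168.30.20 and the external address 203.0.113.10 are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The alias exactly as built in the first post of the thread.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Lab values from the thread's log lines; the /24 mask is an assumption.
HOME30_NET = ipaddress.ip_network("192.168.30.0/24")
HOME30_ADDR = ipaddress.ip_address("192.168.30.1")  # firewall's own address on the VLAN


def in_rfc1918(addr: str) -> bool:
    """Answer to the first post's question: does the alias match this address?"""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "pass" or "block"
    proto: Optional[frozenset] = None    # None = any protocol
    dst_nets: tuple = ()                 # () = any destination
    dports: Optional[frozenset] = None   # None = any port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and flow.proto not in self.proto:
            return False
        if self.dst_nets and not any(ipaddress.ip_address(flow.dst) in n for n in self.dst_nets):
            return False
        if self.dports is not None and flow.dport not in self.dports:
            return False
        return True


def reaches_firewall(flow: Flow, local_net=HOME30_NET, fw_addr=HOME30_ADDR) -> bool:
    """Host-to-host traffic inside one subnet is switched and never meets the rule set.
    The firewall does see a packet when it is the destination itself, when the packet is
    the subnet's directed broadcast, or when the destination is outside the subnet."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in local_net and dst in local_net:
        return dst == fw_addr or dst == local_net.broadcast_address
    return True


def first_match(flow: Flow, rules) -> Optional[Rule]:
    """First matching rule wins, i.e. 'quick' semantics."""
    return next((r for r in rules if r.matches(flow)), None)


def evaluate(flow: Flow, rules) -> str:
    """Returns 'pass', 'block', or 'not-seen' when the firewall is not on the path."""
    if not reaches_firewall(flow):
        return "not-seen"
    rule = first_match(flow, rules)
    return rule.action if rule else "block"  # no match = implicit default deny


# "This firewall" modelled as the interface address only (assumption).
ALLOW_DNS = Rule("allow DNS to this firewall", "pass", proto=frozenset({"udp", "tcp"}),
                 dst_nets=(ipaddress.ip_network(f"{HOME30_ADDR}/32"),), dports=frozenset({53}))
BLOCK_RFC1918 = Rule("block rfc1918", "block", dst_nets=RFC1918)
ALLOW_ANY = Rule("allow any out", "pass")

BEFORE = (BLOCK_RFC1918, ALLOW_ANY)            # the rule set when name resolution broke
AFTER = (ALLOW_DNS, BLOCK_RFC1918, ALLOW_ANY)  # the DNS allow placed above the block

# Flows constructed from the thread's log lines plus the later 853 and 137 entries.
FLOWS = {
    "phone dns": Flow("192.168.30.10", "192.168.30.1", 53, "udp"),
    "phone dot": Flow("192.168.30.10", "192.168.30.1", 853, "tcp"),            # DNS over TLS (RFC 7858)
    "pc netbios bcast": Flow("192.168.30.20", "192.168.30.255", 137, "udp"),   # NetBIOS name service to broadcast
    "pc to phone": Flow("192.168.30.20", "192.168.30.10", 22, "tcp"),          # same-subnet, switched only
    "phone to other vlan": Flow("192.168.30.10", "192.168.20.5", 80, "tcp"),   # 192.168.20.0/24 is a constructed VLAN
    "phone to internet": Flow("192.168.30.10", "203.0.113.10", 443, "tcp"),    # TEST-NET-3 documentation address
}


def report(rules) -> dict:
    return {name: evaluate(flow, rules) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, verdict in report(rules).items():
            print(f"  {name:22} {verdict}")
```

Running it shows the thread's own observations: with only the block rule the phone's port 53 queries to the interface address are blocked, the same queries pass once the DNS rule sits above the block, "pc to phone" is never seen by the firewall at all, and the 853 and 137 flows still hit the rfc1918 block after the fix because the allow rule only covers port 53, which matches the later log entries. Whether DNS over TLS or NetBIOS broadcast should be permitted is a policy decision the evaluator does not make for you.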