Prevent communication between vlans with rfc1918

[process]

I made a firewall alias rfc1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). So of my understanding if we take 192.168.0.0/24 is that this alias/rule apply if any destionation is in the 192.168.x.x range?

I tried to be in separat vlans and ping between them and nothing went trough, good.
But I tried as well to be in the same vlan, but in that case I couldn't ping them either. And that is something I want to do. It feels like this is correct since in the vlan itself are within the 192.168.x.x range ofc. So that's seems logical. But in mac telecoms youtube video, https://www.youtube.com/watch?v=CDUyMpBC8bw&t=722s it sounds as it only should be between networks. Is it me that doing something wrong?

I'm in a testlab so my wan is 192.168.73.1. Does it matter for this?

[Demusman]

Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.

[process]

Traffic on the same subnet doesn't go through the firewall so, yup, you're doing something wrong.

Ok intresting, didn't know that. However the problem was that my computers had a network profile that were preventing others from see me.

Regarding that subnet doesn't go trough the firewall, in that case it's impossible on a network level to prevent every device on a vlan to see other devices on the same vlan?

[Patrick M. Hausen]

Regarding that subnet doesn't go trough the firewall, in that case it's impossible on a network level to prevent every device on a vlan to see other devices on the same vlan?

Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

It all depends on your specific requirements.

If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.

HTH,
Patrick

[Demusman]

Ok intresting, didn't know that. However the problem was that my computers had a network profile that were preventing others from see me.

Think about it. Do you need a router to connect devices to each other??
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to :leave: the subnet you're on, no router needed.


Impossible for devices to see each other on the same subnet... as stated above, nit impossible but needs a lot of work.

[process]

Exactly. Unless you use a managed switch with filtering features. There are various mechanisms on various protocol levels. Like deciding who gets a connection at all (802.1x), automatic assignment of VLAN based on MAC address (VMPS), MAC address filtering, static ARP/ND, IP based filtering, ...

It all depends on your specific requirements.

If your main tool is a layer 3 firewall, the tried and true approach is to put all devices that share the same policy in the same network, e.g. a VLAN. Use as many networks as necessary. Separate devices of different trust levels.

HTH,
Patrick

The managed switch is on its way. Not for this purpose but at least I have the posibility to use it for this as well if I want to. But perhaps more vlan's could be an option, or that is what I mainly will use. But more or less what I were thinking of was the IoT vlan. Really no point of make it possible for some of the devices/brands to have the posibility to talk to other brands. For an example, a smart light button doesn't need to talk to a smart vacium cleaner.
But perhaps you just make it to complex because the next day you want to have an light turned on when to vacium cleaner drives around (or what ever..). Only an example, I don't even own a smart vacium cleaner

Think about it. Do you need a router to connect devices to each other??
Nope, a switch will do that.
A router connects a subnet to other subnets.
So if you don't need to :leave: the subnet you're on, no router needed.

Yep that's a good point!

[process]

I've enabled RFC1918 and it works. But I got another issue, if I'm connection for an exampel my phone to that vlan that have this firewall rule I loose internet connection and the log writes out that it blocked those onse and similar with the different destination port.
My vlan is 192.168.30.x and as you can see my phone is 192.168.30.10. Should I make a rule and enable 192.168.30.1 for udp?

Source	Destination	Proto
192.168.30.10:3712	192.168.30.1:53	udp
192.168.30.10:13311	192.168.30.1:53	udp

[Demusman]

Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.

This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.

[process]

Port 53 is dns.
You didn't lose internet, you lose name resolution.
Blocking all of rfc1918 will do that, just put a rule above the block to allow each vlan to "this firewall" on port 53.

This also depends on your exact rules as you may be blocking other services that are required.
You should post an image of your exact rules.

Perhaps it's good to enable logging for that rule, so I know if there are any blocks that shouldn't be blocked.

See my attachment.

[Demusman]

Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

[process]

Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

Yea, I'll change to home30 addresses instead. Is it really neceassary to add http and https to that port alias? since internet works when port 53 is enabled?

[Demusman]

Not at all for that usage, but aliases can be used for many different things so having one that contains multiple ports can come in handy in other places and won't hurt anything.

Just so you know, the internet is working from your last rule, 53 just resolves addresses.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.

[process]

Just so you know, the internet is working from your last rule, 53 just resolves addresses.
IOW, if you knew the IP address of every website you wanted to visit, you wouldn't need the DNS rule and you'd still have internet. Just letting you know for informative reasons.

Yea I did notice that internet worked I'm really thankful for all help and explanation. Since I'm not that confidente with firewalls, I need to double check or see that some one else did something similar.
For an example, rfc1918 did I see from some youtubers. But non of them opened any port afterwards so that's why I got a bit confused if I did the right thing.

However, thank you!

[process]

Home30 Address would make more sense as the destination for DNS but personal choice I guess.
No need to make a Port53 alias, DNS is listed in the port dropdown.
Since you made the alias, you may want to expand it for other ports.
I have an Internet_Ports Alias that I use for my Guest network and others, it contains http, https, dns, and ntp.
If you sync time on Home30, you'll need port 123 also.

I got a block from 192.168.30.10:49314 (phone) to destination 192.168.30.1:853 becasue of the rfc1918 block rule. It seems to be a DNS query again so I guess this should be opened.
Or if I change the argument, is this a request in to another vlan? No it isn't! Then open it... could be a valid statement to use to know if those request should be opened or not?

Another solution is maybe to allow all 192.168.30.1 (gateway) request instead of opening those specific ports?

[process]

Another block from my rfc198 rule was from my computer to destionation 192.168.30.255:137 (udp). I guess that this should be allowed as well? As I said previously, the point is not to block internal sub network / in the own vlan requests.

By the way, is 192.168.30.255 used to communicate to the hole network?