New Member
Posts: 11
Registered: 11-13-2013
Kudos: 17
Solutions: 1

Blocking a vLan from a Lan

I've tried various forms of blocking this VLAN from the LAN, and regardless of how I try it, it still refuses to work. What am I doing wrong here?

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Guest_WIFI {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "Drop vLan"
            log disable
            protocol all
            source {
                group {
                    address-group NETv4_eth1.20
                }
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 1 {
            action accept
            description "Allow established / related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established / related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.50.1/24
        description LAN
        duplex auto
        firewall {
            in {
                name Guest_WIFI
            }
        }
        speed auto
        vif 20 {
            address 10.0.51.1/24
            mtu 1500
        }
    }
}

Regular Member
Posts: 454
Registered: 03-01-2016
Kudos: 112
Solutions: 45

Re: Blocking a vLan from a Lan

There's a combination of things - mainly that I think you're getting confused on the interfaces/directions that are referenced in the firewall rules.  Think of the interface that you specify in the firewall settings as where the traffic is coming FROM, not where it is going (that's the out/in/local part). 

Try this:
-New ruleset, default action Accept
-Rule 1: Drop all traffic with destination 10.0.50.0/24
-Apply to eth1.20 in the In direction

With a slight tweak, you can also block connections from the Guest VLAN to the main LAN but allow connections in the other direction, not sure if you want that though.

You can also create similar rules in the Local direction if you want to restrict access to the router from the guest interface, but there are a few other considerations. If you're interested I can give a crash course on how to do that too.
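Worked example (added here, not part of the reply above or of the original poster's config): the three steps from the reply, plus the "established/related" tweak and a local-direction ruleset, as EdgeOS configure-mode commands using the addresses from the original post. The ruleset names GUEST_IN and GUEST_LOCAL and the rule numbers are arbitrary choices, and the assumption that guest clients need only DHCP and DNS from the router itself is mine; adjust rule 20 and 30 of GUEST_LOCAL if the router offers guests anything else.

```edgeos
configure

# Ruleset for traffic that ARRIVES on the guest VLAN (eth1.20), i.e. comes FROM guests.
# Default accept so guests still reach the Internet; only the wired LAN destination is dropped.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN description "Guest VLAN -> LAN"

# Allow replies to connections the wired LAN opened toward the guest VLAN.
# Remove this rule if you want the two networks fully isolated in both directions.
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description "Allow established/related"
set firewall name GUEST_IN rule 10 protocol all
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable

# Drop everything else from guests that is addressed to the wired LAN.
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description "Drop guest -> LAN"
set firewall name GUEST_IN rule 20 protocol all
set firewall name GUEST_IN rule 20 destination address 10.0.50.0/24
set firewall name GUEST_IN rule 20 log enable

# Ruleset for traffic from guests to the router itself (local direction).
# Default drop; DHCP and DNS are the assumed minimum if the router serves both to the VLAN.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL description "Guest VLAN -> router"
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 description "Allow established/related"
set firewall name GUEST_LOCAL rule 10 protocol all
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description "Allow DHCP"
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 description "Allow DNS"
set firewall name GUEST_LOCAL rule 30 protocol tcp_udp
set firewall name GUEST_LOCAL rule 30 destination port 53

# Attach both rulesets to the VLAN sub-interface, where the guest traffic enters the router.
set interfaces ethernet eth1 vif 20 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 20 firewall local name GUEST_LOCAL

# The original Guest_WIFI ruleset sat on eth1 "in", i.e. on traffic arriving from the
# wired LAN, where a 10.0.51.0/24 source never legitimately appears, so it matched nothing.
# Detach it from eth1 first, then remove it.
delete interfaces ethernet eth1 firewall in
delete firewall name Guest_WIFI

commit
save
exit
```

To check it, try to reach a host in 10.0.50.0/24 from a guest client (not the router's own 10.0.50.1, which is handled by GUEST_LOCAL) and confirm the rule 20 counters go up in `show firewall name GUEST_IN statistics`; Internet-bound guest traffic does not match 10.0.50.0/24 and is unaffected. The drop rule only covers that one LAN, so any further internal network added later needs its own destination entry.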