New Member
Posts: 11
Registered: 06-04-2014
Kudos: 1
Accepted Solution

Confused with source/destination parameter in firewall rule

Hi,

Here's my environment.

eth0 LAN1: 192.168.1.0/24

eth1 WAN

eth0 also have two VLANs: VLAN 10: 192.168.10.0/24, VLAN 20: 192.168.20.0/24

I'd like to eliminate cross-VLAN communication. Both VLAN10 and VLAN20 are able to access the internet (through their own gateway), but the two cannot talk to each other. Plus, I'd like my laptop (192.168.1.121) to be able to access the two VLANs (one-way: the connection can only be initiated by my laptop).

Here's my configuration, which works, but I don't understand why I should use 'destination' instead of 'source'. My understanding is "Applying a firewall ruleset to the IN firewall of an interface affects traffic inbound on that interface". In this case, if my laptop initiates a connection to VLAN10, why is the destination 192.168.1.121 (my laptop's IP)? Also for rule 20, if I'd like to drop connections from other VLANs, why should I use destination and not source?

Thanks a lot.

ubnt@ubnt# show firewall name VLAN_IN
 default-action accept
 rule 10 {
     action accept
     destination {
         group {
             address-group ROUTER_IP
         }
     }
 }
 rule 15 {
     action accept
     description "henrys mbp"
     destination {
         address 192.168.1.121
     }
     state {
         established enable
         related enable
     }
 }
 rule 20 {
     action drop
     destination {
         group {
             network-group VLAN_NETS
         }
     }
     log enable
 }


ubnt@ubnt# show interfaces ethernet eth0
 address 192.168.1.1/24
 description Local
 duplex auto
 speed auto
 vif 10 {
     address 192.168.10.1/24
     description Console
     firewall {
         in {
             name VLAN_IN
         }
     }
 }
 vif 20 {
     address 192.168.20.1/24
     description DMZ
     mtu 1500
 }
ubnt@ubnt# show firewall group
 address-group ROUTER_IP {
     address 192.168.10.1
     address 192.168.20.1
 }
 network-group TRUST_LAN {
     description "Trusted LAN"
     network 192.168.1.0/24
 }
 network-group VLAN_NETS {
     network 192.168.10.0/24
     network 192.168.20.0/24
     network 192.168.1.0/24
 }

All Replies
Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5479
Solutions: 1656
Contributions: 2

Re: Confused with source/destination parameter in firewall rule

Yes, the VLAN_IN ruleset is applied to the "in" direction of the VLAN 10 interface, which means those rules are applied to packets coming from the VLAN 10 network (source) to other networks (destination, in this case the 192.168.1.0/24 network on eth0). So the rule allowing packets going to 192.168.1.121 should work.

New Member
Posts: 11
Registered: 06-04-2014
Kudos: 1

Re: Confused with source/destination parameter in firewall rule

Thanks, ancheng. So IN means the direction from VLAN10 to the outside network. (I was wrong about that at the beginning.)

There's no OUT ruleset for VLAN10. Why can't other clients in LAN1 192.168.1.0/24 access VLAN10? Or in other words, they can, but VLAN10 cannot respond because no destination (other than the router IP or 192.168.1.121) is allowed.

Established Member
Posts: 1,043
Registered: 02-17-2014
Kudos: 388
Solutions: 40

Re: Confused with source/destination parameter in firewall rule


Think of IN as coming in to the router from the port/interface for routing to other networks by the router.

LOCAL is in to the router from the port/interface for communication with the router itself.

OUT is out of the router to the network which is connected to the port/interface.

Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5479
Solutions: 1656
Contributions: 2

Re: Confused with source/destination parameter in firewall rule


@henryzhou wrote:

There's no OUT ruleset for VLAN10. Why can't other clients in LAN1 192.168.1.0/24 access VLAN10? Or in other words, they can, but VLAN10 cannot respond because no destination (other than the router IP or 192.168.1.121) is allowed.


Yeah that's right, you got it!
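To make the point of this thread concrete, here is an added Python model (not code from the thread or from EdgeOS) of the posted VLAN_IN ruleset and of which packets of a TCP handshake actually cross the "in" hook of eth0.10. All hosts other than the laptop are constructed addresses, and it assumes the established/related state tracking the thread relies on.

```python
import ipaddress

# Constructed model of the VLAN_IN ruleset posted above (not EdgeOS code).
# VLAN_IN is attached "in" on eth0.10, so every packet it inspects was sent
# by a VLAN 10 host; the rules therefore select traffic by destination.
VLAN10 = ipaddress.ip_network("192.168.10.0/24")
ROUTER_IP = {ipaddress.ip_address(a) for a in ("192.168.10.1", "192.168.20.1")}
VLAN_NETS = [ipaddress.ip_network(n) for n in
             ("192.168.10.0/24", "192.168.20.0/24", "192.168.1.0/24")]
LAPTOP = ipaddress.ip_address("192.168.1.121")


def vlan_in(dst, state):
    """First matching rule of VLAN_IN for a packet entering eth0.10.
    state is the conntrack state: "new", "established" or "related".
    Returns (rule_number, action); rule_number None means default-action."""
    dst = ipaddress.ip_address(dst)
    if dst in ROUTER_IP:                                       # rule 10, as posted
        return 10, "accept"
    if dst == LAPTOP and state in ("established", "related"):  # rule 15
        return 15, "accept"
    if any(dst in net for net in VLAN_NETS):                   # rule 20, logged
        return 20, "drop"
    return None, "accept"                                      # default-action


def handshake_completes(client, server):
    """Whether a TCP handshake between client and server gets through.
    Only packets sent by a VLAN 10 host enter eth0.10 and meet VLAN_IN;
    eth0 and eth0.20 carry no ruleset in the posted configuration."""
    client, server = ipaddress.ip_address(client), ipaddress.ip_address(server)
    if client in VLAN10 and server in VLAN10:
        return True            # same segment, switched locally, never routed
    if client in VLAN10:       # the SYN itself is a new flow entering eth0.10
        return vlan_in(server, "new")[1] == "accept"
    if server in VLAN10:       # the SYN arrives unfiltered; the SYN-ACK is
        return vlan_in(client, "established")[1] == "accept"  # the reply on eth0.10
    return True                # VLAN_IN never sees flows that avoid VLAN 10


if __name__ == "__main__":
    # Constructed hosts: 192.168.10.20 on VLAN 10, 192.168.20.20 on VLAN 20,
    # 192.168.1.50 another LAN1 client, 203.0.113.10 an Internet host.
    for client, server in [("192.168.1.121", "192.168.10.20"),
                           ("192.168.1.50", "192.168.10.20"),
                           ("192.168.20.20", "192.168.10.20"),
                           ("192.168.10.20", "192.168.20.20"),
                           ("192.168.10.20", "203.0.113.10")]:
        ok = handshake_completes(client, server)
        print(f"{client:>14} -> {server:<14} {'ok' if ok else 'blocked'}")
```

The run shows why the setup is one-way: a SYN from another LAN1 client or from VLAN 20 still reaches a VLAN 10 host (those interfaces have no ruleset), and it is the reply that rule 20 drops and logs; the laptop's flows survive only because rule 15 lets its established replies back through.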