New Member
Posts: 10
Registered: 08-03-2016
Kudos: 1
Solutions: 1
Accepted Solution

Subnet segregation using ER-X Firewall


Hey all,


I'm trying to segregate subnets on my network using the ERX firewall. I have some VLAN-aware switches, and set up the ERX as vlan-aware on its switch0 interface. Routing between the subnet works.


I need the subnets to get out to the Internet via NAT, but not be able to talk to each other. I think I understand the concept and that it's straightforward enough to do by setting some drop rules in my "LAN_IN" firewall, but I'm missing something, because I'm not getting it.


Here's the switch configuration on the ERX:

will@Hogwarts# show interfaces switch switch0 
 firewall {
     in {
         name LAN_IN
     }
     out {
         name LAN_OUT
     }
 }
 mtu 1500
 switch-port {
     interface eth1 {
         vlan {
             pvid 1
             vid 2
             vid 3
         }
     }
     interface eth2 {
         vlan {
             pvid 1
             vid 2
             vid 3
         }
     }
     interface eth3 {
         vlan {
             pvid 1
             vid 2
             vid 3
         }
     }
     interface eth4 {
         vlan {
             pvid 1
             vid 2
             vid 3
         }
     }
     vlan-aware enable
 }
 vif 1 {
     address 10.10.1.1/24
     mtu 1500
 }
 vif 2 {
     address 100.64.2.1/24
     mtu 1500
 }
 vif 3 {
     address 100.64.3.1/24
     mtu 1500
 }

Here is the NAT config:

will@Hogwarts# show service nat
 rule 5000 {
     log disable
     outbound-interface eth0
     protocol all
     source {
         address 10.10.1.0/24
     }
     type masquerade
 }
 rule 5200 {
     log disable
     outbound-interface eth0
     protocol all
     source {
         address 100.64.2.0/24
     }
     type masquerade
 }
 rule 5300 {
     log disable
     outbound-interface eth0
     protocol all
     source {
         address 100.64.3.0/24
     }
     type masquerade
 }


At this point, I would expect the following firewall rule to block any traffic from a test machine on vlan3 holding 100.64.3.101 to a test machine on vlan2 holding 100.64.2.3:

will@Hogwarts# show firewall name LAN_IN 
 default-action accept
 description "Ruleset for incoming connections on the LAN interface"
 rule 200 {
     action drop
     description "Block comms from vlan2 to vlan3"
     destination {
         address 100.64.3.0/24
     }
     protocol all
     source {
         address 100.64.2.0/24
     }
 }
 rule 210 {
     action drop
     description "Block comms from vlan3 to vlan 2"
     destination {
         address 100.64.2.0/24
     }
     protocol all
     source {
         address 100.64.3.0/24
     }
 }

... but it doesn't:


 

root@DietPi:~# ip route sh
default via 100.64.3.1 dev eth0 
100.64.3.0/24 dev eth0  proto kernel  scope link  src 100.64.3.101 

root@DietPi:~# traceroute 100.64.2.3
traceroute to 100.64.2.3 (100.64.2.3), 30 hops max, 60 byte packets
 1  100.64.3.1 (100.64.3.1)  3.145 ms  2.805 ms  2.509 ms
 2  100.64.2.3 (100.64.2.3)  4.037 ms  3.773 ms  3.500 ms

What am I missing?

Thanks in advance!



All Replies
New Member
Posts: 10
Registered: 08-03-2016
Kudos: 1
Solutions: 1

Re: Subnet segregation using ER-X Firewall

UPDATE:

I can make the vlan segregation work if I create a firewall for each vif's "in" rule, e.g.:

will@Hogwarts# show firewall name VLAN2_IN 
 default-action accept
 description "Ruleset for packets coming in on the VLAN1 interface"
 rule 100 {
     action drop
     description "packets destined for vlan3"
     destination {
         address 100.64.3.0/24
     }
     protocol all
 }
[edit]
will@Hogwarts# show interfaces switch switch0 vif 2 firewall 
 in {
     name VLAN2_IN
 }

Is this the only way to make this segregation work?

Veteran Member
Posts: 8,093
Registered: 03-24-2016
Kudos: 2125
Solutions: 929

Re: Subnet segregation using ER-X Firewall

You should apply the firewall in/out rules on the VIFs under switch0, not on switch0 itself.

Note these VLAN interfaces are referenced under switch as "switch switch0 vif 3"; in other commands (like NAT) it's switch0.3.
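A complete set of EdgeOS configure-mode commands that implements the accepted answer, written here as an added example (not the poster's configuration and not Ubiquiti's own documentation): it attaches a drop ruleset to each VIF's "in" hook rather than to switch0, and generalizes the per-VLAN rulesets in the update above to any number of VLANs by collecting every LAN subnet into one network-group. The group and ruleset names (LAN_NETS, VLAN<n>_IN) are this example's choices; the VLAN ids and subnets are the ones posted in the thread. It is a POSIX shell script that prints the commands, so they can be reviewed before being pasted into `configure` on the ER-X.

```shell
#!/bin/sh
# Added example (not from the thread): print EdgeOS "set" commands that
# isolate the VLANs on switch0 from each other by applying a drop ruleset on
# each VIF's "in" hook, as the accepted answer recommends. LAN_NETS and
# VLAN<n>_IN are names chosen for this example; the VLAN/subnet pairs are the
# ones posted in the thread.

# Constructed input: "<vlan-id> <subnet>" pairs, one per line.
VLANS="1 10.10.1.0/24
2 100.64.2.0/24
3 100.64.3.0/24"

# Commands that define one network-group holding every LAN subnet, so a single
# drop rule covers all VLANs and adding a VLAN only needs one more entry.
lan_group_cmds() {
    printf 'set firewall group network-group LAN_NETS description "all local subnets"\n'
    printf '%s\n' "$VLANS" | while read -r vid subnet; do
        [ -n "$subnet" ] || continue
        printf 'set firewall group network-group LAN_NETS network %s\n' "$subnet"
    done
}

# Commands for one VIF: accept replies to flows that were already allowed (so
# one-way exceptions can later be granted on another VLAN's ruleset), drop
# anything bound for another LAN subnet, and keep default-action accept so
# Internet-bound traffic still reaches the masquerade NAT rules. The ruleset
# is attached to "switch switch0 vif <id>", not to switch0 itself.
vif_ruleset_cmds() {
    vid=$1
    name="VLAN${vid}_IN"
    printf 'set firewall name %s default-action accept\n' "$name"
    printf 'set firewall name %s description "packets entering from VLAN %s"\n' "$name" "$vid"
    printf 'set firewall name %s rule 10 action accept\n' "$name"
    printf 'set firewall name %s rule 10 state established enable\n' "$name"
    printf 'set firewall name %s rule 10 state related enable\n' "$name"
    printf 'set firewall name %s rule 20 action drop\n' "$name"
    printf 'set firewall name %s rule 20 description "no forwarding to other LAN subnets"\n' "$name"
    printf 'set firewall name %s rule 20 destination group network-group LAN_NETS\n' "$name"
    printf 'set firewall name %s rule 20 log enable\n' "$name"
    printf 'set interfaces switch switch0 vif %s firewall in name %s\n' "$vid" "$name"
}

# Full command set for every VLAN listed in $VLANS.
all_cmds() {
    lan_group_cmds
    printf '%s\n' "$VLANS" | while read -r vid subnet; do
        [ -n "$vid" ] || continue
        vif_ruleset_cmds "$vid"
    done
}

all_cmds
```

Run the script, paste its output into `configure`, then `commit` and `save`. Rule 20 only affects forwarded traffic, so hosts still reach the router's own VIF address for DHCP or DNS; traffic inside a VLAN never crosses the router and is unaffected. If one VLAN (for example VLAN 1) should be allowed to initiate connections into the others, delete rule 20 from VLAN1_IN only; the replies coming back through the other VIFs are accepted by their rule 10, while those VLANs still cannot open connections of their own. The `log enable` on rule 20 makes the blocked attempts visible in `show log` for verification.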