New Member

four isolated vlans


Hi Ubiquiti Community!

I have read this article:

https://help.ubnt.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Protect-a-Guest-Network-on-EdgeR...

I have an EdgeRouter X. I wish to configure 4 separate VLANs, and none of the VLANs should be able to talk to each other.

eth0 = wan/internet

switch0.10 = vlan10
switch0.11 = vlan11
switch0.12 = vlan12
switch0.13 = vlan13

vlan10 = 10.1.10.0/24
vlan11 = 10.1.11.0/24
vlan12 = 10.1.12.0/24
vlan13 = 10.1.13.0/24

eth1, eth2, eth3, eth4 = pvid vlan 10, vid 11, vid 12, vid 13

The VLAN setup seems to work. I have 4 DHCP servers, and they all give IP addresses in the correct subnets.

Right now I am trying to apply the firewall rules to only one VLAN, vlan11, but I can still ping a host on vlan11 from vlan10.

When done, I would like to repeat this for all 4 VLANs.

I do have some ports that need to be forwarded to some hosts inside only vlan10.

Thank you for your advice!

show interfaces

ethernet eth0 {
    address dhcp
    description Internet
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    speed auto
}
ethernet eth1 {
    description Local
    duplex auto
    speed auto
}
ethernet eth2 {
    description Local
    duplex auto
    speed auto
}
ethernet eth3 {
    description Local
    duplex auto
    speed auto
}
ethernet eth4 {
    description Local
    duplex auto
    speed auto
}
loopback lo {
}
switch switch0 {
    address 192.168.1.1/24
    description Local
    mtu 1500
    switch-port {
        interface eth1 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth2 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth3 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        interface eth4 {
            vlan {
                pvid 10
                vid 11
                vid 12
                vid 13
            }
        }
        vlan-aware enable
    }
    vif 10 {
        address 10.1.10.1/24
        description vlan10
        mtu 1500
    }
    vif 11 {
        address 10.1.11.1/24
        description vlan11
        firewall {
            in {
                name PROTECT_VLANS
            }
            local {
                name PROTECT_LOCAL
            }
        }
        mtu 1500
    }
    vif 12 {
        address 10.1.12.1/24
        description vlan12
        mtu 1500
    }
    vif 13 {
        address 10.1.13.1/24
        description vlan13
        mtu 1500
    }
}
show firewall

all-ping enable
broadcast-ping disable
group {
    address-group router_addresses {
        address 10.1.10.1
        address 10.1.11.1
        address 10.1.12.1
        address 10.1.13.1
        description ""
    }
    network-group local_subnets {
        description ""
        network 10.1.10.0/24
        network 10.1.11.0/24
        network 10.1.12.0/24
        network 10.1.13.0/24
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name PROTECT_LOCAL {
    default-action drop
    description ""
    rule 1 {
        action accept
        destination {
            port 53
        }
        log disable
        protocol udp
        source {
        }
    }
    rule 2 {
        action accept
        destination {
            port 53
        }
        log disable
        protocol udp
    }
}
name PROTECT_VLANS {
    default-action accept
    description ""
    rule 1 {
        action accept
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
    }
    rule 2 {
        action drop
        destination {
            group {
                network-group local_subnets
            }
        }
        log disable
        protocol all
    }
}
name WAN_IN {
    default-action drop
    description "WAN to internal"
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 10 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable

Accepted Solutions
Established Member

Re: four isolated vlans


PROTECT_VLANS rule 2 needs to be moved to rule 1.


SuperUser

Re: four isolated vlans

There is no firewall on vif 10, 12 and 13, so they will be able to talk among themselves (not with switch0, but for another reason, issue #10).

Cheers,

jonatha
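
The two answers above combined into one change set, written as EdgeOS configure-mode commands. This is an added example, not configuration from the thread or from Ubiquiti; it reuses the rule-set and group names from the original post, puts the inter-VLAN drop ahead of the established/related accept (joyn's point), binds PROTECT_VLANS to every vif rather than only switch0.11 (jonatha's point), and assumes switch0.10 is the management VLAN that should still reach the router, so PROTECT_LOCAL is not bound there.

```edgeos
configure

# Rebuild PROTECT_VLANS so the drop is evaluated first. With the accept
# first, a ping that entered on an unfiltered vif got its replies matched
# as ESTABLISHED on switch0.11 and the drop rule was never reached.
delete firewall name PROTECT_VLANS rule 1
delete firewall name PROTECT_VLANS rule 2
set firewall name PROTECT_VLANS default-action accept
set firewall name PROTECT_VLANS description "Isolate VLANs from each other"
set firewall name PROTECT_VLANS rule 10 action drop
set firewall name PROTECT_VLANS rule 10 description "Drop traffic to other local subnets"
set firewall name PROTECT_VLANS rule 10 protocol all
set firewall name PROTECT_VLANS rule 10 destination group network-group local_subnets
set firewall name PROTECT_VLANS rule 20 action accept
set firewall name PROTECT_VLANS rule 20 description "Allow established/related"
set firewall name PROTECT_VLANS rule 20 state established enable
set firewall name PROTECT_VLANS rule 20 state related enable

# An "in" rule set only filters forwarded packets arriving on the interface
# it is bound to, so bind it to all four vifs; a vif without one can still
# initiate connections into the filtered VLANs.
set interfaces switch switch0 vif 10 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 11 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 12 firewall in name PROTECT_VLANS
set interfaces switch switch0 vif 13 firewall in name PROTECT_VLANS

# Router-bound traffic: keep PROTECT_LOCAL (DNS only, default drop) on the
# non-management VLANs. It is deliberately not bound to vif 10, which the
# follow-up post uses to manage the router; binding it there locked the
# poster out.
set interfaces switch switch0 vif 11 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 12 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 13 firewall local name PROTECT_LOCAL

commit
save
exit
```

Port forwards into vlan10 keep working because replies from those hosts are destined for the internet, not for local_subnets, and so fall through to the default accept.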



All Replies

New Member

Re: four isolated vlans

Thanks guys. I have it working acceptably now, by changing the order of the rules as suggested by joyn.

I applied the rules to switch0.11 through 13 and this seems to give an acceptable result. This is the configuration posted below.

When I applied the rules to switch0.10, however, internet worked, but I lost the ability to manage the router. I

Good thing I saved my config right before I did that!

I fixed it and reloaded the configuration posted below and got back on. Things work fine from a computer on 0.10. I can ping and browse to the EdgeRouter X at 10.1.10.1. I checked from a host on switch0.11 and I see that I cannot ping or browse to 10.1.11.1. However, 10.1.11.1 does show up on traceroute.

The other VLANs cannot seem to see items on switch0.10's subnet, and items on switch0.10 cannot seem to see items on the other VLANs, so I am hoping it is fine the way it is. It is OK if switch0.10 can see the router as this is the management network. Perhaps this is the issue that redfive is referring to. I admit I poorly understand the firewall.

Thanks again!

show firewall
--------------------------------------------------------------------------------
IPv4 Firewall "PROTECT_LOCAL":

 Active on (switch0.11,LOCAL) (switch0.12,LOCAL) (switch0.13,LOCAL)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
1     accept   udp       0        0
  condition - udp dpt:domain

2     accept   udp       0        0
  condition - udp dpt:domain

10000 drop     all       111      3552

--------------------------------------------------------------------------------
IPv4 Firewall "PROTECT_VLANS":

 Active on (switch0.11,IN) (switch0.12,IN) (switch0.13,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    drop     all       0        0
  condition - match-set local_subnets dst

20    accept   all       338      191121
  condition - state RELATED,ESTABLISHED

10000 accept   all       63       13499

--------------------------------------------------------------------------------
IPv4 Firewall "WAN_IN":

 Active on (eth0,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    accept   all       109315   91230133
  condition - state RELATED,ESTABLISHED

20    drop     all       0        0
  condition - state INVALID

10000 drop     all       0        0

--------------------------------------------------------------------------------
IPv4 Firewall "WAN_LOCAL":

 Active on (eth0,LOCAL)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    accept   all       158      19474
  condition - state RELATED,ESTABLISHED

20    drop     all       122      10155
  condition - state INVALID

10000 drop     all       2689     183189