Are you trying to access a real machine in VLAN B from a machine in VLAN A or the Router’s IP in VLAN B from a machine in VLAN A?
Why am I asking? Because depending on what you intend to accomplish, the rules go in different chains.
If you want to block a request from a machine to another in different VLANs (which is certainly what you intend to do) you’ll have to add your rule in the FORWARD chain, but this won’t block your requests sent to the router’s IP address in the other VLAN. This is due to the fact that in this case, the packets are not being forwarded, they are being received by the router (this even happens with different actual LANs – i.e., you can ping the router’s IP in a different LAN).
If you want to block a machine in VLAN A from pinging or accessing the router’s address in VLAN B, your rule has to go in the INPUT chain in the router. Anyway, this would be more for testing purposes only, as there is no practical interest in blocking a machine from accessing the router for a specific VLAN if it can access it from its own VLAN.
If you are just testing Zeroshell’s VLAN capabilities and, as I mentioned, are using the router’s IP on the other VLAN for this purpose, try adding the rule in the INPUT chain (just for testing), but I recommend that before putting your router in production with actual machines in different VLANs, you test it with 2 actual machines, one in each VLAN, and, in this case, add the rule in the FORWARD chain, as it should be when the router moves to production.
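
The chain selection described in this reply, as an added example that is not part of the original post. The addresses are constructed, the rules are written as plain iptables commands with a default ACCEPT policy assumed, and the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Constructed addressing (assumption, not from the post):
#   VLAN A 192.168.10.0/24, router address 192.168.10.1
#   VLAN B 192.168.20.0/24, router address 192.168.20.1
VLAN_A_NET="192.168.10.0/24"
ROUTER_ADDRS="192.168.10.1 192.168.20.1"

# chain_for DST: print the filter chain a packet from VLAN A traverses.
# Traffic to any of the router's own addresses is delivered locally (INPUT),
# even when that address sits in another VLAN; everything else is routed
# through the box (FORWARD).
chain_for() {
    for addr in $ROUTER_ADDRS; do
        if [ "$1" = "$addr" ]; then
            echo INPUT
            return 0
        fi
    done
    echo FORWARD
}

# block_rule DST: print the iptables command that drops VLAN A traffic to DST,
# placed in the chain that packet actually hits.
block_rule() {
    echo "iptables -A $(chain_for "$1") -s $VLAN_A_NET -d $1 -j DROP"
}

# verdict RULE_CHAIN DST: outcome for a VLAN A packet to DST when the only
# DROP rule for it was added to RULE_CHAIN (default policy ACCEPT assumed).
verdict() {
    if [ "$(chain_for "$2")" = "$1" ]; then
        echo DROP
    else
        echo ACCEPT
    fi
}

# Real host in VLAN B: the rule belongs in FORWARD.
block_rule 192.168.20.50
# Router's own VLAN B address: the rule belongs in INPUT.
block_rule 192.168.20.1
# The testing pitfall: a FORWARD-only rule leaves the router's address reachable.
echo "FORWARD rule, ping 192.168.20.1:  $(verdict FORWARD 192.168.20.1)"
echo "FORWARD rule, ping 192.168.20.50: $(verdict FORWARD 192.168.20.50)"
```
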