Prevent routing between VLANs


This topic contains 2 replies, has 0 voices, and was last updated by  unsichtbare 9 years, 7 months ago.

  • #41830

    unsichtbare
    Member

    I have set up Zeroshell with several VLANs on one NIC and would like to prevent routing between one or more of the VLANs. Here is my setup:

    ETH00   1000Mb/s Full Duplex
    Intel Corporation 82546EB Gigabit Ethernet Controller (Copper) (rev 01)

    VLAN: none
    2: ETH00: mtu 1500 qdisc htb qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255
    RX: bytes packets errors dropped overrun mcast
    571644886 670641 0 0 0 492
    TX: bytes packets errors dropped carrier collsns
    347233957 596027 0 0 0 0
    Throughput: RX 573.05 Kbit/s TX 36.21 Kbit/s

    VLAN: 10
    9: ETH00.10@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.10.1/24 brd 192.168.10.255
    RX: bytes packets errors dropped overrun mcast
    93676406 127799 0 0 0 108
    TX: bytes packets errors dropped carrier collsns
    67377485 113771 0 0 0 0
    Throughput: RX 128 bit/s TX 280 bit/s

    VLAN: 20
    11: ETH00.20@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.20.1/24 brd 192.168.20.255
    RX: bytes packets errors dropped overrun mcast
    5688678 41139 0 0 0 107
    TX: bytes packets errors dropped carrier collsns
    27815198 36688 0 0 0 0
    Throughput: RX 117 bit/s TX 0 bit/s

    VLAN: 30
    12: ETH00.30@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.30.1/24 brd 192.168.30.255
    RX: bytes packets errors dropped overrun mcast
    0 0 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
    0 0 0 0 0 0
    Throughput: RX 0 bit/s TX 0 bit/s

    VLAN: 55
    13: ETH00.55@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.55.1/24 brd 192.168.55.255
    RX: bytes packets errors dropped overrun mcast
    161388840 142330 0 0 0 0
    TX: bytes packets errors dropped carrier collsns
    8455443 86953 0 0 0 0
    Throughput: RX 0 bit/s TX 0 bit/s

    VLAN: 99
    14: ETH00.99@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.99.1/24 brd 192.168.99.255
    RX: bytes packets errors dropped overrun mcast
    726355 1259 0 0 0 108
    TX: bytes packets errors dropped carrier collsns
    208459 865 0 0 0 0
    Throughput: RX 0 bit/s TX 0 bit/s

    VLAN: 2020
    16: ETH00.2020@ETH00:
    mtu 1500 qdisc noqueue
    inet 192.168.0.1/24 brd 192.168.0.255
    RX: bytes packets errors dropped overrun mcast
    3783688 20925 0 0 0 62
    TX: bytes packets errors dropped carrier collsns
    27661957 26833 0 0 0 0
    Throughput: RX 61 bit/s TX 56 bit/s

    Right now any vlan can communicate with any other. I would like to prevent VLAN 10 from communicating with any other VLAN.

    -J

    #48549

    Create a firewall rule to block access to those subnets.

    #48550

    ppalias
    Member

    … on the FORWARD chain.
    Create a rule that drops traffic coming from source network of vlan 10 to the destination network of the other vlans.

    #48551

    @unsichtbare wrote:

    I have setup Zeroshell with several VLAN’s on one
    Right now any vlan can communicate with any other. I would like to prevent VLAN 10 from communicating with any other VLAN.

    -J

    I have this setup and one of my VLANs has free internet access but cannot talk to another connected network.
    One simple rule saying: routed/bridged, from interface vlanXX, not going to interface Internet, all services, drop.

    Plain and simple. Consider using negated items in the rule to make the ruleset as simple as it can be. The obvious advantage is that the above-mentioned rule is still valid even if more VLANs and networks are added later, and it does not break security.

    Yours.
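The two replies above describe the same goal in two shapes: one DROP per destination subnet on the FORWARD chain (ppalias), or a single negated rule that drops everything leaving VLAN 10 unless it is headed for the Internet interface (the last reply). The script below is an added example, not code from the thread or from Zeroshell itself; it prints the iptables commands for both approaches so they can be compared before anything is applied. It assumes the sub-interface names and subnets shown in the original post (ETH00.10, 192.168.10.0/24, and so on) and that the Internet uplink is a separate interface, here a placeholder called WAN_IF (assumed name ETH01, override with the real one).

```shell
#!/bin/sh
# Added example, not from the thread or from Zeroshell. Generates the FORWARD
# rules that implement the two pieces of advice above. Dry-run by default;
# pass --apply on the router (as root) to execute the negated variant.
WAN_IF="${WAN_IF:-ETH01}"       # assumed uplink interface; adjust to the real one
ISOLATED_IF="ETH00.10"          # VLAN to isolate (from the original post)
ISOLATED_NET="192.168.10.0/24"  # its subnet (from the original post)

# Approach 1 (ppalias): one explicit DROP per destination subnet.
# Every VLAN added later needs another rule, or it is reachable by default.
explicit_rules() {
    for net in 192.168.5.0/24 192.168.20.0/24 192.168.30.0/24 \
               192.168.55.0/24 192.168.99.0/24 192.168.0.0/24; do
        echo "iptables -A FORWARD -s $ISOLATED_NET -d $net -j DROP"
    done
}

# Approach 2 (last reply): negate the output interface instead of listing
# destinations. Anything leaving VLAN 10 that is not going to the uplink is
# dropped, so VLANs added later are covered without touching the ruleset.
# The third rule closes the reverse direction so other VLANs cannot initiate
# connections into VLAN 10; the state rule in front of it still lets replies
# to VLAN 10's own Internet flows come back.
negated_rules() {
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $ISOLATED_IF ! -o $WAN_IF -j DROP"
    echo "iptables -A FORWARD -o $ISOLATED_IF ! -i $WAN_IF -j DROP"
}

# Number of rule lines a generator emits, for comparing the two approaches.
rule_count() { "$1" | wc -l | tr -d ' '; }

case "${1:-}" in
    --apply) negated_rules | sh ;;
    *)       echo "# explicit (one rule per subnet):"; explicit_rules
             echo "# negated (interface based):";      negated_rules ;;
esac
```

Both variants use -A, so on a FORWARD chain that already holds ACCEPT rules they must be moved ahead of those rules (or inserted with -I), otherwise the earlier ACCEPT wins and the DROP never matches. In the Zeroshell firewall page the same thing is expressed by putting the rule at the top of the FORWARD list and ticking the negation on the output interface, as the last reply describes.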
