Segregated LANs
February 16, 2016 at 9:11 pm #44499
bionemesis (Participant)

I have ZS set up in VMware ESXi. There are 5 physical adapters connected into 5 virtual switches. ZS has these configured as ETH00, which has an IP of 10.0.0.55 and is physically connected to a switch shared by other devices on my network. ETH01-ETH04 have IPs of 192.168.1.1, 192.168.2.1, 192.168.3.1 and 192.168.4.1 and are configured to provide DHCP and DNS services. Each port is physically connected to an individual device (usually a client's computer or laptop). On each of the virtual switches associated with ETH01-ETH04, there is only ZS and a virtual NAS server (the virtual NAS server also has ETH01-ETH04 configured with a static IP matching the subnet configured in ZS).
I want any device that is connected to ETH01-ETH04 to be able to get on the internet, see the NAS, and that is it. I've done considerable searching on this and found a few tutorials which resulted in the firewall configuration below. Despite this, devices connected to any of these ports can see themselves, other devices connected to the other ports, and devices connected to ETH00. So obviously I'm doing something wrong. Any help would be greatly appreciated. I've also attached screenshots of my configuration.
Firewall Configuration

Policy Drop, Chain Forward

Seq  Input  Output  Description                                                                          Log  Active
1    *      ETH00   DROP   all opt — in *     out ETH00  0.0.0.0/0 -> 10.0.0.0/24                        no
2    ETH01  ETH00   ACCEPT all opt — in ETH01 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                          no
3    ETH02  ETH00   ACCEPT all opt — in ETH02 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                          no
4    ETH03  ETH00   ACCEPT all opt — in ETH03 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                          no
5    ETH04  ETH00   ACCEPT all opt — in ETH04 out ETH00  0.0.0.0/0 -> 0.0.0.0/0                          no
6    *      *       ACCEPT all opt — in *     out *      0.0.0.0/0 -> 0.0.0.0/0  state RELATED,ESTABLISHED  no

Policy Drop, Chain Input

Seq  Input  Output  Description                                                                          Log  Active
1    ETH01  *       ACCEPT all opt — in ETH01 out *      0.0.0.0/0 -> 0.0.0.0/0                          no
2    ETH02  *       ACCEPT all opt — in ETH02 out *      0.0.0.0/0 -> 0.0.0.0/0                          no
3    ETH03  *       ACCEPT all opt — in ETH03 out *      0.0.0.0/0 -> 0.0.0.0/0                          no
4    ETH04  *       ACCEPT all opt — in ETH04 out *      0.0.0.0/0 -> 0.0.0.0/0                          no
5    *      *       ACCEPT all opt — in *     out *      0.0.0.0/0 -> 0.0.0.0/0  state RELATED,ESTABLISHED  no
February 17, 2016 at 10:08 am #54037
Montikore (Participant)

As you use virtual switches, using the interface names for firewalling is perhaps not a good idea; try to set all your rules with IP only.
By the way, I think your forward rule 1 is useless, and all your input rules are useless for this specific need (but don't set input to drop without allowing your subnet!).
I'm not sure I understand everything... Is your description of the issue accurate? You want ETH1-ETH4 to see ETH0 and the internet, and not each other? And currently everybody sees everybody?
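Before loading a ruleset onto the box, it helps to check the rule logic on paper against the flows you actually intend to allow or block. The script below is an added example, not code from the thread or from ZeroShell: it models netfilter's first-match evaluation of a FORWARD chain with a DROP policy, encodes the chain from the original post (interface-based) alongside the subnet-only variant the reply suggests, and runs both against the same intended flows. Client and LAN addresses (192.168.1.10, 10.0.0.20) and the public address 203.0.113.5 are constructed test values; the 10.0.0.0/24 and 192.168.1-4.0/24 subnets are the ones stated in the first post. The model only evaluates rule logic; it cannot tell whether the running kernel actually sees traffic on the interface names the rules expect, which is exactly the doubt the reply raises, and it ignores the INPUT chain and NAT.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    in_if: str                 # "*" matches any interface
    out_if: str
    src: str                   # CIDR
    dst: str                   # CIDR
    action: str                # "ACCEPT" or "DROP"
    state: Optional[str] = None  # None = any state, else "RELATED,ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str                 # "NEW", "ESTABLISHED" or "RELATED"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet (iptables semantics)."""
    if rule.in_if != "*" and rule.in_if != pkt.in_if:
        return False
    if rule.out_if != "*" and rule.out_if != pkt.out_if:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.state is not None and pkt.state not in rule.state.split(","):
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return policy


ANY = "0.0.0.0/0"
LAN = "10.0.0.0/24"                                   # the ETH00 side, from the post
CLIENT_SUBNETS = [f"192.168.{n}.0/24" for n in (1, 2, 3, 4)]

# FORWARD chain exactly as posted: matches on interface names.
FORWARD_BY_IFACE = [
    Rule("*", "ETH00", ANY, LAN, "DROP"),
    Rule("ETH01", "ETH00", ANY, ANY, "ACCEPT"),
    Rule("ETH02", "ETH00", ANY, ANY, "ACCEPT"),
    Rule("ETH03", "ETH00", ANY, ANY, "ACCEPT"),
    Rule("ETH04", "ETH00", ANY, ANY, "ACCEPT"),
    Rule("*", "*", ANY, ANY, "ACCEPT", state="RELATED,ESTABLISHED"),
]

# Same intent expressed with subnets only (the reply's suggestion). Drops must
# precede the broad ACCEPT because the first match wins.
FORWARD_BY_IP = (
    [Rule("*", "*", s, LAN, "DROP") for s in CLIENT_SUBNETS]
    + [Rule("*", "*", s, t, "DROP") for s, t in product(CLIENT_SUBNETS, repeat=2) if s != t]
    + [Rule("*", "*", s, ANY, "ACCEPT") for s in CLIENT_SUBNETS]
    + [Rule("*", "*", ANY, ANY, "ACCEPT", state="RELATED,ESTABLISHED")]
)

# Constructed flows with the verdict the original post asks for.
INTENDED_FLOWS: List[Tuple[Packet, str]] = [
    (Packet("ETH01", "ETH00", "192.168.1.10", "203.0.113.5", "NEW"), "ACCEPT"),        # client -> internet
    (Packet("ETH00", "ETH01", "203.0.113.5", "192.168.1.10", "ESTABLISHED"), "ACCEPT"),  # reply traffic
    (Packet("ETH01", "ETH00", "192.168.1.10", "10.0.0.20", "NEW"), "DROP"),             # client -> ETH00 LAN
    (Packet("ETH01", "ETH02", "192.168.1.10", "192.168.2.10", "NEW"), "DROP"),          # cross-subnet
    (Packet("ETH00", "ETH03", "10.0.0.20", "192.168.3.10", "NEW"), "DROP"),             # LAN host -> client
]


def check(chain: List[Rule]) -> List[Tuple[str, str]]:
    """Return (actual, expected) verdict pairs for every intended flow."""
    return [(verdict(chain, pkt), expected) for pkt, expected in INTENDED_FLOWS]


def all_ok(chain: List[Rule]) -> bool:
    return all(actual == expected for actual, expected in check(chain))


if __name__ == "__main__":
    for name, chain in (("by interface", FORWARD_BY_IFACE), ("by IP", FORWARD_BY_IP)):
        print(name, "->", "OK" if all_ok(chain) else check(chain))
```

Both chains give the intended verdicts in the model, so if the real box still lets clients reach each other, the rule ordering is not where to look first; whether the packets are classified under the interface names and subnets the rules assume is.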
February 23, 2016 at 6:34 pm #54038
bionemesis (Participant)

Yes, I want ETH1-4 to see the internet via ETH0 and any other devices within their subnet, but not across (so ETH1 shouldn't see any devices on ETH2).
March 21, 2016 at 12:12 pm #54039
ilNebbioso (Participant)

I think you could take some inspiration from a different scenario (but not so different from yours).
I've asked in the past here: http://www.zeroshell.net/forum/viewtopic.php?t=1807&highlight=
The scenario was for TWO ethernet cards (one is WAN and the second manages multiple VLANs with a VLAN-capable switch), where just one VLAN was visible to the others (#198 in my case).
Maybe this could help... I hope!