VLAN to VLAN blocked routing not working (SOLVED)

Home Page Forums Network Management Networking VLAN to VLAN blocked routing not working (SOLVED)

This topic contains 23 replies, has 0 voices, and was last updated by  wifiguy 9 years, 6 months ago.

Viewing 10 posts - 16 through 25 (of 25 total)
  • Author
    Posts
  • #49557

    wifiguy
    Member

    Alright. I think I am getting somewhere now. I really appreciate all your help in this configuration.

    Here are our IPTABLES

    root@fw root> iptables -L -v
    Chain INPUT (policy ACCEPT 235 packets, 26925 bytes)
    pkts bytes target prot opt in out source destination
    7386 850K SYS_INPUT all — any any anywhere anywhere
    0 0 SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:http
    6518 603K SYS_HTTPS tcp — any any anywhere anywhere tcp dpt:https
    186 18552 SYS_SSH tcp — any any anywhere anywhere tcp dpt:ssh

    Chain FORWARD (policy ACCEPT 4916 packets, 2452K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all — any any 10.0.0.0/8 172.30.0.0/16

    Chain OUTPUT (policy ACCEPT 12202 packets, 1953K bytes)
    pkts bytes target prot opt in out source destination
    12694 1999K SYS_OUTPUT all — any any anywhere anywhere

    Chain NetBalancer (0 references)
    pkts bytes target prot opt in out source destination

    Chain SYS_HTTPS (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all — lo any anywhere anywhere
    6518 603K ACCEPT all — ETH01 any anywhere anywhere
    0 0 DROP all — any any anywhere anywhere

    Chain SYS_INPUT (1 references)
    pkts bytes target prot opt in out source destination
    139 21198 ACCEPT all — lo any anywhere anywhere
    48 16050 ACCEPT udp — any any anywhere anywhere udp spt:domain state ESTABLISHED
    144 156K ACCEPT tcp — any any anywhere anywhere tcp spt:http state ESTABLISHED
    0 0 ACCEPT tcp — any any anywhere anywhere tcp spt:8245 state ESTABLISHED
    116 8816 ACCEPT udp — any any anywhere anywhere udp spt:ntp state ESTABLISHED
    6939 648K RETURN all — any any anywhere anywhere

    Chain SYS_OUTPUT (1 references)
    pkts bytes target prot opt in out source destination
    139 21198 ACCEPT all — any lo anywhere anywhere
    87 6234 ACCEPT udp — any any anywhere anywhere udp dpt:domain
    150 9025 ACCEPT tcp — any any anywhere anywhere tcp dpt:http
    0 0 ACCEPT tcp — any any anywhere anywhere tcp dpt:8245
    116 8816 ACCEPT udp — any any anywhere anywhere udp dpt:ntp
    12202 1953K RETURN all — any any anywhere anywhere

    Chain SYS_SSH (1 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all — lo any anywhere anywhere
    130 11116 ACCEPT all — any any 10.0.0.0/8 anywhere
    0 0 ACCEPT all — ETH01 any anywhere anywhere
    0 0 DROP all — any any anywhere anywhere

    Now back to our main issue, we are still unable to block vlan to vlan traffic. For example, our native vlan, can still talk to vlan20, and 30.

    Here is the rule I have set up. Thoughts?

    DROP all opt — in * out * 10.0.0.0/8 -> 172.30.0.0/16

    This by the way is currently the only firewall rule we have active….

    #49558

    Marcelo
    Member

    Have you tryed to put this rule as the very first one in the chain?

    #49559

    wifiguy
    Member

    @marcelo wrote:

    Have you tryed to put this rule as the very first one in the chain?

    We only have 1 rule right now, so it is the very first rule in the chain.

    #49560

    wifiguy
    Member

    I think I see the errors of my ways. On the description Section of the forwarding rule, is that only a description and not actually a command?

    Do I need to manually enter a IP Tables Parameters?

    ***Edit, looks like a manual command doesn’t work either….******

    #49561

    Marcelo
    Member

    Ok, I see.

    I believe that this approach shoud work better when defining the rule (use the VLAN interface names instead of their network addresses):

    DROP all opt — in ETH00.24 out ETH00.74 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt — in ETH00.74 out ETH00.24 0.0.0.0/0 -> 0.0.0.0/0

    NOTE: The above example will block anything from VLAN 24 to VLAN 74 and vice-versa

    PS: Note that once the VLAN exists, it’s virtual interface name will be available in Input and Output dropdown lists when creating a new rule.

    Good luck!

    #49562

    wifiguy
    Member

    @marcelo wrote:

    Ok, I see.

    I believe that this approach shoud work better when defining the rule (use the VLAN interface names instead of their network addresses):

    DROP all opt — in ETH00.24 out ETH00.74 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt — in ETH00.74 out ETH00.24 0.0.0.0/0 -> 0.0.0.0/0

    NOTE: The above example will block anything from VLAN 24 to VLAN 74 and vice-versa

    PS: Note that once the VLAN exists, it’s virtual interface name will be available in Input and Output dropdown lists when creating a new rule.

    Good luck!

    I actually was just applying a firewall rule to that effect. Here is what i have now:

    DROP all opt — in ETH01.20 out ETH01 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt — in ETH01 out ETH01.20 0.0.0.0/0 -> 0.0.0.0/0

    I can still reach eth1.20 (172.30.0.1) from the native vlan…… 🙁

    #49563

    Marcelo
    Member

    Hmmm, not sure if you really can block communication with the native VLAN, but only between non-native vlans, but I may be wrong.

    #49564

    wifiguy
    Member

    @marcelo wrote:

    Hmmm, not sure if you really can block communication with the native VLAN, but only between non-native vlans, but I may be wrong.

    Can you block traffic to the native vlan?

    #49565

    wifiguy
    Member

    @marcelo wrote:

    Hmmm, not sure if you really can block communication with the native VLAN, but only between non-native vlans, but I may be wrong.

    I have this new rule set up to block traffic from vlan20 and vlan30

    DROP all opt — in ETH01.20 out ETH01.30 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt — in ETH01.30 out ETH01.20 0.0.0.0/0 -> 0.0.0.0/0

    Traffic is still able to pass between those two vlans. 😕

    #49566

    Marcelo
    Member

    Are you trying to access a real machine in VLAN B from a machine in VLAN A or the Router’s IP in VLAN B from a machine in VLAN A?

    Why am I asking? Because depending on what you intend to accomplish, the rules go in different chains.

    If you want to block a request from a machine to another in different VLANs (whichs is certainly what you intend to do) you’ll have to add your rule in the FORWARD chain, but this won’t block your requests sent to the router’s IP address in the other VLAN. This is due to the fact that in this case, the packets are not being forwarded, they are being received by the router (this even happens with different actual LANs – i.e., you can ping the router’s IP in a different LAN).

    If you want to block a machine from VLAN A to ping or access the router’s address in VLAN B, your rule have to go to the INPUT chain in the router. Anyway, this would be more for testing purposes only, as there is no practical interest in blocking a machine to access the router for a specific VLAN if it can access from its VLAN.

    If you are just testing the Zeroshell’s VLAN capabilities and, as I mention, are using the router’s IP on the other VLAN for this purpose, try adding the rule in the INPUT chain (just for testing), but I recommend that before putting your router in production with actual machines in different VLANs, you do test it with 2 actual machines one in each VLAN and, in this case, add the rule in the FORWARD chain as it shall be when the router moves to production.

    Best regards,
    Marcelo

Viewing 10 posts - 16 through 25 (of 25 total)

You must be logged in to reply to this topic.