
Local IP isolation from one another

I've spent many hours trying to search for a suitable solution before posting.

Running UTM 9 Home on a mini PC under ESXi. Two ports are in use, one for WAN (internet), the other for LAN. What I'd like to do is isolate various devices on the LAN from one another (such as PCs from other IoT-type devices). Since it's a rather simple network with no VLAN capability, using different IP subnets seemed possible. That is, clients on the 192.168.1.0/24 [alias] network would not be able to communicate with clients on the main 10.10.1.0/24 network. I successfully added the alias under additional addresses, established a DHCP server for clients with static mapping only, and set up the appropriate masquerading & DNS rules.

The end result: clients on both networks have proper IP assignments, internet access, etc. However, they are not isolated from one another. One of the segregated clients is an OBi box. I'm still able to reach its web UI at 192.168.1.10 while having a 10.10.1.100 IP address. I played around with DNAT rules & firewall rules to try to block it, but somehow the alias network is getting looped back to the main network.

I must be missing something?  I'm at wits end with this :)

  • Does tracert show that the traffic is flowing through the UTM? Are they possibly finding each other by IPv4 ARP broadcast or using IPv6?

  • DouglasFoster said:
    Does tracert show that the traffic is flowing through the UTM? Are they possibly finding each other by IPv4 ARP broadcast or using IPv6?

    Tracert shows the primary LAN network as the first hop (10.xxxx). The firewall starts to fill up with dropped ICMP packets referencing the firewall rule. If I disable rule #1, then it just says Default drop. Everything on the ICMP tab is unchecked except for log ICMP redirects. With the last 2 options checked (traceroute settings), the tracert to the OBi completes successfully with the OBi box being the 2nd/final hop.
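As an added illustration (not code from the thread, from Sophos, or from either poster), a small Python model of the two observations above: an off-subnet destination is sent to the UTM as first hop, so whether the two subnets can talk is decided by the UTM's first-matching firewall rule, while a client that shares the wire and holds an address in the alias subnet reaches the OBi directly and the UTM never sees that traffic. The UTM LAN address 10.10.1.1 and both rule sets are assumptions.

```python
import ipaddress

def first_hop(src_ip: str, src_prefix: int, dst_ip: str, gateway: str) -> str:
    """Where a client sends a packet: 'direct' (ARP on the shared LAN) if the
    destination lies inside its own subnet, otherwise to its default gateway."""
    net = ipaddress.ip_network(f"{src_ip}/{src_prefix}", strict=False)
    return "direct" if ipaddress.ip_address(dst_ip) in net else gateway

def utm_decision(rules, src_ip: str, dst_ip: str, default: str = "drop") -> str:
    """First-match evaluation of (source_net, dest_net, action) rules, the way a
    packet filter walks its rule list; unmatched traffic gets the default drop."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return default

GATEWAY = "10.10.1.1"  # assumed UTM address on the LAN interface (not in the thread)
MAIN, ALIAS = "10.10.1.0/24", "192.168.1.0/24"  # subnets named in the thread

# Assumed permissive rule set: each subnet may reach anywhere. The UTM routes
# between the two subnets on the same interface, which is the "loop back".
PERMISSIVE = [(MAIN, "0.0.0.0/0", "allow"),
              (ALIAS, "0.0.0.0/0", "allow")]
# Same rules with explicit drops between the two subnets placed *before* them.
ISOLATED = [(MAIN, ALIAS, "drop"), (ALIAS, MAIN, "drop")] + PERMISSIVE

def reachable(src_ip: str, src_prefix: int, dst_ip: str, rules) -> bool:
    """True if the packet gets to dst: either it never touches the UTM (same
    subnet, same wire) or the UTM's rule list lets it through."""
    if first_hop(src_ip, src_prefix, dst_ip, GATEWAY) == "direct":
        return True  # filtered by nothing: subnet separation on one L2 is not a boundary
    return utm_decision(rules, src_ip, dst_ip) == "allow"

if __name__ == "__main__":
    print(first_hop("10.10.1.100", 24, "192.168.1.10", GATEWAY))    # 10.10.1.1
    print(reachable("10.10.1.100", 24, "192.168.1.10", PERMISSIVE))  # True
    print(reachable("10.10.1.100", 24, "192.168.1.10", ISOLATED))    # False
    print(reachable("192.168.1.50", 24, "192.168.1.10", ISOLATED))   # True
```

The last line is the case the UTM cannot help with: a host on the alias subnet talks to the OBi over the shared wire, so only a real L2 boundary (VLAN or separate port) isolates it.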
