
Local IP isolation from one another

I've spent many hours trying to search for a suitable solution before posting .

Running UTM 9 Home on a mini PC under ESXi. Two ports are in use, one for WAN (internet), the other for LAN. What I'd like to do is isolate various devices on the LAN from one another (such as PCs from other IoT-type devices). Since it's a rather simple network with no VLAN capability, using different IP subnets seemed possible. That is, clients on the 192.168.1.0/24 [alias] network would not be able to communicate with clients on the main 10.10.1.0/24 network. I successfully added the alias under additional addresses, established a DHCP server for clients with static mapping only, and set up the appropriate masquerading & DNS rules.

The end result: clients on both networks have proper IP assignments, internet access, etc. However, they are not isolated from one another. One of the segregated clients is an OBi box. I'm still able to reach its web UI at 192.168.1.10 while having a 10.10.1.100 IP address. I played around with DNAT rules & firewall rules to try to block it, but somehow the alias network is getting looped back to the main network.

I must be missing something?  I'm at wits end with this :)



  • Hi,

    The block rule should be at the top and look a bit like this:

    network 192 -> any protocol -> network 10 -> drop -> log, so you can see what is happening.

    You should not need a NAT or MASQ rule.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the speedy reply.

    No go. Nothing is even registering in the firewall log for dropped packets after reloading the web UI page or telnetting to the OBi box on port 80.

    There's no internet connectivity without the MASQ rule for network 192 --> WAN.

    Block rule is #1 at the very top.

  • Hi Jay Jay,

    You misunderstood my "no NAT/MASQ rule"; that applies to blocking the intra-LAN access, not external access.

    Ian


  • Ian,

    I don't follow? Are you saying to use a MASQ/NAT rule to do the actual blocking? Please clarify and, if you could, provide a specific example. My goal is for clients on this subnet to have internet access, but not be able to interact with those on the other local LAN network.

  • You will need a NAT/MASQ rule to allow your users out.

    You will not need a NAT/MASQ rule to block your intra-LAN connections, just a firewall rule.

    Next question you will ask is how can that be?

    1/. The NAT/MASQ rules talk to different interfaces:

    vlan 100 -> external interface to allow your users out

    2/. You can set up a NAT (SOURCE) rule to send any traffic from VLAN 100 trying to access the other VLAN to a black hole.

    The choice is yours.

    Ian

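As an added illustration (not code from this thread, from Sophos, or from the UTM itself), the rule table Ian describes can be modelled with a small first-match, stateful evaluator so the effect of rule order and rule direction can be checked before touching the real firewall. The subnets are the thread's; the three sample flows and the outside address 203.0.113.5 are constructed. Note that the rule as quoted ("network 192 -> network 10 -> drop") governs connections opened from the 192 side; the original poster's test opened the connection from 10.10.1.100 towards 192.168.1.10, so the example carries a second rule for that direction as well.

```python
"""Model of a first-match, stateful firewall policy for the two-subnet layout.

Added example, not Sophos UTM code: the UTM's rule table is simulated with a
small evaluator so rule order and rule direction can be checked.
Subnets are the thread's; the sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Networks from the thread
LAN_MAIN = ip_network("10.10.1.0/24")   # main LAN (PCs)
LAN_IOT = ip_network("192.168.1.0/24")  # alias network (IoT, OBi box at .10)
ANY = ip_network("0.0.0.0/0")

# "Network group" in the UTM sense: one rule can name several networks at once
Group = Tuple[IPv4Network, ...]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Group
    dst: Group
    action: str          # "drop" or "accept"
    log: bool = False    # Ian's advice: log the drop so hits are visible


def in_group(addr: IPv4Address, group: Group) -> bool:
    return any(addr in net for net in group)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             log: Optional[List[str]] = None, default: str = "drop") -> str:
    """First-match evaluation of the first packet of a NEW connection.

    A stateful firewall does not re-consult the table for reply packets, so a
    rule's src/dst describe who opens the connection, not both directions.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if in_group(src, rule.src) and in_group(dst, rule.dst):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {src_ip} -> {dst_ip} {rule.action}")
            return rule.action
    return default


# Rules as the thread describes them (one per direction for the intra-LAN block)
BLOCK_IOT_TO_MAIN = Rule("block 192->10", (LAN_IOT,), (LAN_MAIN,), "drop", log=True)
BLOCK_MAIN_TO_IOT = Rule("block 10->192", (LAN_MAIN,), (LAN_IOT,), "drop", log=True)
ALLOW_LAN_OUT = Rule("allow lan->any", (LAN_MAIN, LAN_IOT), (ANY,), "accept")

# Block rule "#1 at the very top", one direction only, as quoted in the thread
THREAD_ORDER = [BLOCK_IOT_TO_MAIN, ALLOW_LAN_OUT]
# Both directions blocked, still ahead of the permit rule
BOTH_DIRECTIONS = [BLOCK_IOT_TO_MAIN, BLOCK_MAIN_TO_IOT, ALLOW_LAN_OUT]
# Permit rule placed first: the drop rules are shadowed and never match
WRONG_ORDER = [ALLOW_LAN_OUT, BLOCK_IOT_TO_MAIN, BLOCK_MAIN_TO_IOT]

# Constructed sample flows: the OBi box, a PC, and an outside address (TEST-NET-3)
FLOWS = {
    "iot->main": ("192.168.1.10", "10.10.1.100"),
    "main->iot": ("10.10.1.100", "192.168.1.10"),  # the direction the OP tested
    "iot->internet": ("192.168.1.10", "203.0.113.5"),
}


def check_isolation(rules: List[Rule]) -> Dict[str, str]:
    """Decision for each sample flow under the given rule table."""
    return {name: evaluate(rules, s, d) for name, (s, d) in FLOWS.items()}


def drop_log(rules: List[Rule]) -> List[str]:
    """Log lines the logged rules would produce for the sample flows."""
    log: List[str] = []
    for s, d in FLOWS.values():
        evaluate(rules, s, d, log)
    return log


if __name__ == "__main__":
    for label, table in (("thread order", THREAD_ORDER),
                         ("both directions", BOTH_DIRECTIONS),
                         ("wrong order", WRONG_ORDER)):
        print(label, check_isolation(table), drop_log(table))
```

Running it shows that the single quoted rule drops 192 -> 10 but still lets 10.10.1.100 open a connection to the OBi box, that adding the 10 -> 192 rule closes that gap while internet access survives, and that a broad permit rule placed above the drop rules produces no log entries at all. One caveat the model cannot capture: the evaluator only sees traffic that actually reaches the gateway. With both subnets on the same physical segment, a host that holds a direct route to the other subnet, or that accepts an ICMP redirect from the gateway, reaches the other host at layer 2 without the firewall ever seeing the connection, which would likewise leave the drop log empty.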

  • If only there was VLAN capability. Recall from the first post, I have no VLAN-capable hardware. I'm trying to do this with multiple subnets on the same physical interface/switch. I realize this is not the preferred way to do it, but that's all I have to work with.

  • Sorry, day dreaming; you will need to set up a network group and use that in the place of the VLAN 100.

    Ian


  • No luck. It seems whatever loopback mechanism is in place is overriding any NAT or firewall rules.

  • It's beginning to sound like achieving this will not be possible without additional hardware.

    I have several RT-AC68U routers, currently with Asus-Merlin firmware. I can just as easily flash Tomato or DD-WRT. It's my understanding these firmwares support VLANs & trunks. Would this be a sufficient alternative to buying an actual smart/managed switch?
