
Local IP isolation from one another

I've spent many hours trying to search for a suitable solution before posting .

Running UTM 9 Home on a mini PC under ESXi.  Two ports are in use, one for WAN (internet), the other for LAN.  What I'd like to do is isolate various devices on the LAN from one another (such as PCs from other IoT-type devices).  Since it's a rather simple network with no VLAN capability, using different IP subnets seemed possible.  That is, clients on the 192.168.1.0/24 [alias] network would not be able to communicate with clients on the main 10.10.1.0/24 network.  I successfully added the alias under additional addresses, established a DHCP server for clients with static mapping only, and set up the appropriate masquerading & DNS rules.

The end result: clients on both networks have proper IP assignments, internet access, etc.  However, they are not isolated from one another. One of the segregated clients is an OBi box. I'm still able to reach its web UI at 192.168.1.10 while having a 10.10.1.100 IP address. I played around with DNAT rules & firewall rules to try to block it, but somehow the alias network is getting looped back to the main network.

I must be missing something?  I'm at wits end with this :)



  • Hi,

    the block rule should be at the top and look a bit like this.

    network 192 -> any protocol -> network 10 -> drop -> log so you can see what is happening.

    You should not need a NAT or MASQ rule.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Does tracert show that the traffic is flowing through the UTM?   Are they possibly finding each other by ip4 arp broadcast or using ip6?

  • Thanks for the speedy reply.

    No go.  Nothing is even registering in the firewall log for dropped packets after reloading the web UI page or telnetting to the OBi box on port 80.

    There's no internet connectivity without the masq rule for network 192 --> wan.

    Block rule is #1 at the very top.

  • DouglasFoster said:
    Does tracert show that the traffic is flowing through the UTM?   Are they possibly finding each other by ip4 arp broadcast or using ip6?

     

    Tracert shows the primary LAN network as the first hop (10.xxxx).  The firewall starts to fill up with dropped ICMP packets referencing the firewall rule. If I disable rule #1, then it just says Default drop.  Everything on the ICMP tab is unchecked except for "log ICMP redirects". With the last 2 options checked (traceroute settings), the tracert to the OBi completes successfully with the OBi box being the 2nd/final hop.

  • Hi Jay Jay,

    you misunderstood my "no NAT/MASQ rule" remark; that applies to blocking the intra-LAN access, not external access.

     

    Ian


  • Ian,

    I don't follow?  Are you saying to use a MASQ/NAT rule to do the actual blocking?  Please clarify and, if you could, provide a specific example.  My goal is for clients on this subnet to have internet access, but not be able to interact with those on the other local LAN network.

  • You will need a NAT/MASQ rule to allow your users out.

    You will not need a NAT/MASQ rule to block your intra LAN connections, just a firewall rule.

    Next question you will ask is how can that be?

    1/. the NAT/MASQ rules talk to different interfaces

    vlan 100 -> external interface to allow your users out

    2/. you can set up a NAT (SOURCE) rule to send any traffic from VLAN 100 trying to access the other VLAN to a black hole.

     

    The choice is yours.

    ian


    If only there were VLAN capability.  Recall from the first post, I have no VLAN-capable hardware.  I'm trying to do this with multiple subnets on the same physical interface/switch. I realize this is not the preferred way to do it, but that's all I have to work with.

    Sorry, daydreaming; you will need to set up a network group and use that in place of the VLAN 100.

    Ian


  • No luck.  It seems whatever loopback mechanism is in place is overriding any NAT or firewall rules.
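The directional block rule Ian gives (network 192 -> network 10 -> drop) and the test the OP reports (a PC at 10.10.1.100 reaching the OBi box at 192.168.1.10) can be checked against each other with a small model. The following is an added example, not Sophos UTM code and not anything posted in the thread: it does first-match rule evaluation the way a top-to-bottom firewall ruleset works, and also models the client's own routing decision, because a gateway can only filter packets the client actually sends to it. The UTM LAN address 10.10.1.1, the rule names and the host routing tables are constructed assumptions. It goes beyond the thread's single rule by adding the reverse-direction rule and by showing a host route that bypasses the gateway altogether; an accepted ICMP redirect is one way such a route gets installed on a client, which is why the "log ICMP redirects" entries the OP mentions are worth reading when two subnets share one physical segment.

```python
"""Model of a gateway filtering between two subnets that share one physical
segment.  Added example, not UTM code; rules and routes are assumptions."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PCS = ipaddress.ip_network("10.10.1.0/24")      # main LAN from the thread
IOT = ipaddress.ip_network("192.168.1.0/24")    # alias network from the thread
GATEWAY = "10.10.1.1"                            # assumed UTM LAN address


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "drop" or "allow"


def first_match(rules, src_ip, dst_ip, default="drop"):
    """Top-to-bottom first-match evaluation; unmatched traffic gets the default drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.name, rule.action
    return "default", default


# Ian's rule as posted: only the 192 -> 10 direction is blocked.
ONE_WAY = [
    Rule("block 192->10", IOT, PCS, "drop"),
    Rule("allow lan out", ANY, ANY, "allow"),
]

# Symmetric version: the OP's test runs 10.10.1.100 -> 192.168.1.10, the other direction.
BOTH_WAYS = [
    Rule("block 192->10", IOT, PCS, "drop"),
    Rule("block 10->192", PCS, IOT, "drop"),
    Rule("allow lan out", ANY, ANY, "allow"),
]


def next_hop(routes, dst_ip):
    """Longest-prefix lookup in a host routing table given as (network, via)
    pairs; via is a gateway address, or None for on-link (direct) delivery."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def reaches(rules, routes, src_ip, dst_ip):
    """('gateway', rule, action) when the host hands the packet to the UTM and
    the ruleset decides; ('direct', None, 'bypass') when the host delivers it
    on-link itself and no firewall rule is consulted at all."""
    if next_hop(routes, dst_ip) == GATEWAY:
        rule, action = first_match(rules, src_ip, dst_ip)
        return "gateway", rule, action
    return "direct", None, "bypass"


# Constructed routing table for the PC at 10.10.1.100: own subnet on-link, rest via the UTM.
PC_ROUTES = [(PCS, None), (ANY, GATEWAY)]
# Same PC after a direct path to the OBi box was installed (accepted ICMP redirect, static route).
PC_ROUTES_REDIRECTED = PC_ROUTES + [(ipaddress.ip_network("192.168.1.10/32"), None)]

if __name__ == "__main__":
    print(reaches(ONE_WAY, PC_ROUTES, "10.10.1.100", "192.168.1.10"))
    print(reaches(BOTH_WAYS, PC_ROUTES, "10.10.1.100", "192.168.1.10"))
    print(reaches(BOTH_WAYS, PC_ROUTES_REDIRECTED, "10.10.1.100", "192.168.1.10"))
```

The first call returns an allow: the one-way rule never sees the PC-to-OBi flow, which matches the empty drop log the OP describes. The second call drops it once the reverse rule exists. The third call returns "bypass" regardless of the ruleset, which is the situation no amount of firewall or NAT configuration on the UTM can fix; only the client's routing table (or a separate broadcast domain) can.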