
Local IP isolation from one another

I've spent many hours trying to search for a suitable solution before posting.

Running UTM 9 Home on a mini PC under ESXi. Two ports are in use, one for WAN (internet), the other for LAN. What I'd like to do is isolate various devices on the LAN from one another (such as PCs from IoT-type devices). Since it's a rather simple network with no VLAN capability, using different IP subnets seemed possible. That is, clients on the 192.168.1.0/24 [alias] network would not be able to communicate with clients on the main 10.10.1.0/24 network. I successfully added the alias under Additional Addresses, set up a DHCP server for clients with static mappings only, and set up the appropriate masquerading and DNS rules.

The end result: clients on both networks have proper IP assignments, internet access, etc. However, they are not isolated from one another. One of the segregated clients is an OBi box. I'm still able to reach its web UI at 192.168.1.10 while having a 10.10.1.100 IP address. I played around with DNAT rules and firewall rules to try to block it, but somehow the alias network is getting looped back to the main network.

I must be missing something? I'm at my wits' end with this :)


  • It's beginning to sound like achieving this will not be possible without additional hardware.

    I have several RT-AC68U routers, currently with Asuswrt-Merlin firmware. I can just as easily flash Tomato or DD-WRT. It's my understanding these firmwares support VLANs and trunks. Would this be a sufficient alternative to buying an actual smart/managed switch?

  • Those different LANs are connected before they reach the UTM. The UTM can't do anything at this point.
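The reply above makes the key point: the 10.10.1.0/24 and 192.168.1.0/24 hosts share one untagged Ethernet segment, so IP addressing alone separates nothing. The Python model below is added here as an illustration; it is not code from the thread or from Sophos. It traces one packet under two designs: the alias-on-one-segment setup from the original post, and a two-VLAN layout in which the UTM gets a tagged sub-interface per VLAN. All host names, addresses, VLAN IDs and the deny rule are constructed. It does not try to reproduce why the poster's firewall rules failed to block. Its point is that even when such a rule works, a client on a shared segment can add a second address in the other prefix and reach the OBi without ever sending a packet through the UTM, whereas in the VLAN layout the same trick gets no ARP reply and the only path is through the router, where the rule applies.

```python
# Added example (not from the thread): a small model of why two IP
# subnets on one untagged Ethernet segment are not isolated from each
# other, and why putting them in separate 802.1Q VLANs is.  Host names,
# addresses, VLAN IDs and the firewall policy are all constructed.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

IPv4 = ipaddress.IPv4Address
Iface = ipaddress.IPv4Interface


@dataclass
class Node:
    """One NIC on the switch: its untagged VLAN, its IPv4 addresses and
    its default gateway (None for the UTM, which routes instead)."""
    name: str
    vlan: int
    addrs: List[Iface]
    gateway: Optional[IPv4] = None


def on_link(node: Node, dst: IPv4) -> bool:
    """True if dst falls in a prefix configured directly on this NIC;
    the host then ARPs for it instead of sending to the gateway."""
    return any(dst in a.network for a in node.addrs)


def arp(segment: List[Node], src: Node, ip: IPv4) -> Optional[Node]:
    """ARP who-has is a broadcast, so only NICs in src's VLAN can answer."""
    for n in segment:
        if n is not src and n.vlan == src.vlan and any(ip == a.ip for a in n.addrs):
            return n
    return None


def deliver(segment: List[Node], src: Node, dst: IPv4,
            fw_allows: Callable[[IPv4, IPv4], bool]) -> str:
    """Trace one packet from src to dst and report which path it takes.
    fw_allows models the UTM's forwarding rules; it is consulted only
    for packets that actually arrive at the UTM."""
    if on_link(src, dst):
        # Same-prefix traffic never touches the gateway at all.
        return "direct" if arp(segment, src, dst) else "no-arp-reply"
    if src.gateway is None or arp(segment, src, src.gateway) is None:
        return "no-route"
    if not fw_allows(src.addrs[0].ip, dst):
        return "dropped-by-utm"
    return "via-utm"


PC_NET = ipaddress.ip_network("10.10.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.1.0/24")
OBI = IPv4("192.168.1.10")


def policy(src: IPv4, dst: IPv4) -> bool:
    """Constructed UTM rule: the PC subnet may not talk to the IoT subnet."""
    return not (src in PC_NET and dst in IOT_NET)


def alias_design():
    """One untagged segment; the UTM carries 192.168.1.1 as an alias address."""
    utm = Node("utm", 1, [Iface("10.10.1.1/24"), Iface("192.168.1.1/24")])
    pc = Node("pc", 1, [Iface("10.10.1.100/24")], IPv4("10.10.1.1"))
    obi = Node("obi", 1, [Iface("192.168.1.10/24")], IPv4("192.168.1.1"))
    return [utm, pc, obi], pc


def vlan_design():
    """PCs on VLAN 10, IoT on VLAN 20; the UTM has a tagged sub-interface in each."""
    utm10 = Node("utm.10", 10, [Iface("10.10.1.1/24")])
    utm20 = Node("utm.20", 20, [Iface("192.168.1.1/24")])
    pc = Node("pc", 10, [Iface("10.10.1.100/24")], IPv4("10.10.1.1"))
    obi = Node("obi", 20, [Iface("192.168.1.10/24")], IPv4("192.168.1.1"))
    return [utm10, utm20, pc, obi], pc


def run(design) -> dict:
    """Trace pc -> OBi first as a well-behaved client, then after the
    client adds a second address inside the IoT prefix (the bypass)."""
    segment, pc = design()
    honest = deliver(segment, pc, OBI, policy)
    pc.addrs.append(Iface("192.168.1.200/24"))  # the bypass
    bypass = deliver(segment, pc, OBI, policy)
    return {"honest_client": honest, "secondary_address": bypass}


if __name__ == "__main__":
    for design in (alias_design, vlan_design):
        print(design.__name__, run(design))
```

Running it prints the two dictionaries: in the alias design the honest client is dropped by the rule but the client with a secondary address reaches the OBi "direct", with the UTM never in the path; in the VLAN design the same trick yields "no-arp-reply", so the router (and its rule) is the only way across. Layer-2 adjacency, not IP subnets, decides whether the firewall is ever consulted.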

  • Made some progress!!

    The RT-AC68U with Tomato indeed supports VLANs and tagging. I'm still figuring things out (there are many), but it looks like this will work.

    I was hoping to stay with the Asuswrt-Merlin firmware because it has significant Wi-Fi improvements over Tomato/DD-WRT. It's either buy more hardware or reconfigure what's here. For the few devices I wish to isolate, this will be good enough. I actually use two router/APs at either end of the house for improved Wi-Fi coverage. With the Merlin firmware I was able to get close to a gigabit in file transfer speeds between two AC1300 devices (one router configured as a media bridge). With DD-WRT/Tomato it's a good half of that or slightly more.

    Never set up a firewall with vlans before.  Lots more to learn.
