Access different VLAN IPs without "inter-VLAN routing"


#1

Trying to solve an issue on our network. We use VLANs to separate all traffic. Customers are on one of 10 VLANs and server management is on a different VLAN.

On the management VLAN is a server with port 80 facing the web with a 1:1 NAT to a public static IP - its private IP is in the management VLAN-5 of 10.10.10.x

I need customers on the various customer VLANs (20-40) to be able to access the web server using its public URL. If “inter-VLAN routing” is turned off for their customer VLAN, they cannot type in the public URL of the server and get it. If I turn on inter-VLAN routing, it works, but then they have full access to everything behind the router, which is not good.

Is there a way to solve this without turning on inter VLAN routing?


#2

You’ll go into the firewall rules of your Balance and use the ‘Internal Network Firewall Rules’ section. Here you can create rules that would only allow specific devices to talk across your various VLANs. Be sure you are on recent firmware.



#3

Well, I have the same default rule which I thought would have allowed that. I’ve added a rule specific to the destination IP now. Do I need a matching rule in the Inbound Firewall?



#4

Kevin has the right idea for more granular control of this. Please try the following steps:

  1. Turn on “Inter-VLAN routing” which is a (global setting) for the sub-interface.
  2. Change the default Internal Firewall rule to “Deny”.
  3. Add the necessary “Allow” rules to control the desired access.

Also, keep the source IP port at “Any”, leaving the destination IP port at “80” on your example firewall rule.
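To show why the default-deny plus specific allow rules above give the customer VLANs only the web server and nothing else, here is an added example (not Peplink's own code or configuration) that models a first-match internal firewall rule set in Python. The subnets are assumptions: management VLAN 5 on 10.10.10.0/24 with the web server at 10.10.10.80, and customer VLANs 20-40 on 10.10.20.0/24 through 10.10.40.0/24. It also shows the point about leaving the source port at “Any”: a rule that pins the source port to 80 never matches real client traffic, whose source ports are ephemeral.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR form
    dst: str                  # destination network in CIDR form
    dst_port: Optional[int]   # None means "Any"
    src_port: Optional[int] = None  # None means "Any" (the recommended setting)

def rule_matches(rule: Rule, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bool:
    """A rule matches when both addresses fall in its networks and any pinned ports agree."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.dst_port in (None, dst_port)
            and rule.src_port in (None, src_port))

def evaluate(rules: List[Rule], default: str, src_ip: str, dst_ip: str,
             src_port: int, dst_port: int) -> str:
    """First matching rule wins; otherwise the default internal rule applies."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, src_port, dst_port):
            return rule.action
    return default

# Constructed addressing (assumption, not from the thread): management VLAN 5 is
# 10.10.10.0/24 with the web server at 10.10.10.80; customer VLANs 20-40 are
# 10.10.20.0/24 ... 10.10.40.0/24. The public-WiFi VLAN is deliberately left out.
WEB_SERVER = "10.10.10.80/32"
CUSTOMER_VLANS = [f"10.10.{v}.0/24" for v in range(20, 41)]
DEFAULT_ACTION = "deny"   # step 2 of the procedure: default Internal Firewall rule = Deny

# Step 3: one allow rule per customer VLAN, destination port 80, source port Any.
GOOD_RULES = [Rule("allow", net, WEB_SERVER, dst_port=80) for net in CUSTOMER_VLANS]

# Common mistake: pinning the source port to 80 as well. Clients connect from
# ephemeral source ports, so this rule set never matches and everything is denied.
BAD_RULES = [Rule("allow", net, WEB_SERVER, dst_port=80, src_port=80) for net in CUSTOMER_VLANS]

if __name__ == "__main__":
    client, ephemeral = "10.10.20.15", 51234
    print(evaluate(GOOD_RULES, DEFAULT_ACTION, client, "10.10.10.80", ephemeral, 80))  # allow
    print(evaluate(GOOD_RULES, DEFAULT_ACTION, client, "10.10.10.5", ephemeral, 22))   # deny
    print(evaluate(BAD_RULES, DEFAULT_ACTION, client, "10.10.10.80", ephemeral, 80))   # deny
```

Admin hosts that need the full network get their own allow rules ahead of these, exactly as the thread's step 3 describes.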


#5

OK, I’ve turned ON “inter-VLAN routing” for all of my VLANs (except one that is used for public WiFi clients). I then changed the default Internal Firewall Rule to “deny” and have started building individual allow rules for IPs and MAC addresses. So far, seems to be working but I need to do some more testing on it.

Thanks for the help. I need to make this as secure as possible but still allow certain IPs and MAC addresses to access the full network for admin, and I think that is working.