Allow inter-vlan traffic when forwarded from Inbound Access Server/Service rule

Hello–

I have two VLANs: My production VLAN (VLAN0, 192.168.1.x) and my public-wifi VLAN (VLAN2, 172.16.1.x). This is done for PCI compliance, so I have “inter-vlan routing” disabled. This way, all guests on VLAN2 have no access to any of our production servers. (I feel this is a common configuration) On my production VLAN is my webstore (192.168.1.210), which has an Inbound Access Server/Service rule set up to forward incoming http/https traffic (store.mydomain.com:80) to the server (192.168.1.210:80).

When connected to VLAN0 (say 192.168.1.55), you can connect to the webstore (store.mydomain.com) just fine. The balance detects that the outgoing destination resolves to a WAN IP, so it handles that according to the inbound traffic rules, and redirects it to my webstore server (192.168.1.210, also on VLAN0).

However, when connected to VLAN2, a connection to store.mydomain.com does not succeed. I assume this is because it detects that store.mydomain.com resolves to the WAN IP, applies the inbound traffic rules to it, but then ultimately rejects it because a request from 172.16.1.x to 192.168.1.210 is not allowed, according to a strict definition of “inter-vlan routing” disabled.

So my feature request: I would like an exception to be made to the “inter-vlan routing” rule. When inter-vlan routing is disabled, I would like data from one VLAN to another to be allowed when it is forwarded from an Inbound Access Server/Service rule. This way, guests on my public-wifi, VLAN2, can connect to my publicly available webstore on VLAN0.

This is also Ticket #747272.

Thanks,
Ben Adams

Hi Ben,

NAT will not take place (Inbound Access rule) if there is Inter-VLAN access.

You may configure an Outbound Firewall rule to achieve your requirement.

  1. Enable inter-VLAN routing.

  2. Create the two Outbound Firewall rules below:

  First rule (Allow):
  • Protocol: Any
  • Source IP & Port: Network, IP: 172.16.1.0, Mask: 255.255.255.0 (/24)
  • Destination IP & Port: Single Address, IP: 192.168.1.210
  • Action: Allow

  Second rule (Deny):
  • Protocol: Any
  • Source IP & Port: Network, IP: 172.16.1.0, Mask: 255.255.255.0 (/24)
  • Destination IP & Port: Network, IP: 192.168.1.0, Mask: 255.255.255.0 (/24)
  • Action: Deny

Hope this helps.
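As an added illustration (not Peplink firmware code and not part of TK's reply), here is a small first-match model in Python of the two Outbound Firewall rules above. It shows that the rules only do what is intended in the order given (allow the single host first, then deny the rest of the /24), adds a port-scoped variant that goes beyond the reply by allowing only the TCP ports the thread actually needs, and models the point made later in the thread that traffic addressed to the router's own interface is delivered locally rather than filtered by these rules. The default action for unmatched traffic, the router's own addresses and the sample packets are assumptions constructed for the example.

```python
# Added example, not Peplink firmware code: a first-match model of the two
# Outbound Firewall rules in the reply above, to show why their order matters
# and why a deny on the /24 does not cover the router's own 192.168.1.1.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_VLAN = "172.16.1.0/24"
PROD_VLAN = "192.168.1.0/24"
WEBSTORE = "192.168.1.210/32"
# Assumption: the Balance's own LAN addresses on the two VLANs.
ROUTER_ADDRESSES = {"192.168.1.1", "172.16.1.1"}


@dataclass(frozen=True)
class Rule:
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, packet: dict) -> bool:
        if self.proto != "any" and self.proto != packet["proto"]:
            return False
        if self.dport is not None and self.dport != packet["dport"]:
            return False
        return (ip_address(packet["src"]) in ip_network(self.src)
                and ip_address(packet["dst"]) in ip_network(self.dst))


def pkt(src: str, dst: str, dport: int, proto: str = "tcp") -> dict:
    """Constructed sample packet: source, destination, dest port, protocol."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


# The rules exactly as posted: allow guest -> webstore, then deny guest -> prod /24.
RULES_AS_POSTED = [
    Rule(GUEST_VLAN, WEBSTORE, "allow"),
    Rule(GUEST_VLAN, PROD_VLAN, "deny"),
]

# Tighter variant (beyond the reply): only the webstore ports the thread needs.
RULES_PORT_SCOPED = [
    Rule(GUEST_VLAN, WEBSTORE, "allow", "tcp", 80),
    Rule(GUEST_VLAN, WEBSTORE, "allow", "tcp", 443),
    Rule(GUEST_VLAN, WEBSTORE, "allow", "tcp", 1935),
    Rule(GUEST_VLAN, PROD_VLAN, "deny"),
]


def evaluate(rules, packet: dict, default: str = "allow") -> str:
    """First matching rule wins. `default` models the implicit final rule;
    assumed to be allow here, since the thread does not state it."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def decide(rules, packet: dict) -> str:
    """Forwarding decision for one packet. Traffic addressed to the router
    itself is delivered locally and, as TK notes later in the thread, is not
    filtered by these end-to-end rules; it has to be closed off at the
    service instead (e.g. by moving the Web Admin port)."""
    if packet["dst"] in ROUTER_ADDRESSES:
        return "local-delivery (not subject to Outbound Firewall)"
    return evaluate(rules, packet)


if __name__ == "__main__":
    samples = [
        pkt("172.16.1.50", "192.168.1.210", 80),    # guest -> webstore
        pkt("172.16.1.50", "192.168.1.20", 445),    # guest -> other prod host
        pkt("172.16.1.50", "8.8.8.8", 53, "udp"),   # guest -> Internet
        pkt("172.16.1.50", "192.168.1.1", 443),     # guest -> router admin
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["dport"], ":", decide(RULES_AS_POSTED, p))
    print("rules reversed, guest -> webstore:",
          evaluate(list(reversed(RULES_AS_POSTED)), samples[0]))
```

Reversing the two rules makes the broad deny match first, so the webstore becomes unreachable from the guest VLAN; that is the check to run after entering the rules, since the order in the UI is the order of evaluation in this model.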

Hey TK-

Thanks for the reply.

I didn’t know the outbound firewall rules applied to traffic between the VLANs. I can’t wait to try this out.

Ben

Hi Ben,

Please ensure users in subnets 192.168.1.0/24 and 172.16.1.0/24 resolve store.mydomain.com as 192.168.1.210. You may achieve this by adding Local DNS Records in the Balance router: Network > LAN > DNS Proxy Settings > Local DNS Records. Ensure clients point to the Balance router as their DNS server.

Hey TK-

Thanks for your reply. I was finally able to test this out. It seems to be working OK.

However, users in my guest wireless subnet (172.16.1.0/24) are still able to connect to the peplink configuration page, 192.168.1.1. Using the firewall rules you set above, a user from the 172.16.1.0/24 subnet shouldn’t be able to connect to 192.168.1.1. Am I doing something wrong?

Thanks,
Ben

Also, one more thing.

store.mydomain.com resolves to the WAN1 IP address, not 192.168.1.210. When I connect to https://store.mydomain.com from the guest wireless subnet, I get a certificate error, “403 Forbidden”, Server’s certificate does not match the URL. Under certificate information, it is using a certificate for captive-portal.peplink.com, instead of the certificate for store.mydomain.com.

When I add a local DNS record, as you suggest above, it sort of fixes the problem. However, this doesn’t work for everything. For example, I host streaming video on 192.168.1.210:1935. I have a server/service set up for port 1935 on all WANs to forward incoming traffic to 192.168.1.210. The hostname stream.mydomain.com points to the WAN IP. However, I forward other ports to servers that are not 192.168.1.210. So, I can’t add a local DNS record for stream.mydomain.com. As a result, connections to stream.mydomain.com:1935 from the guest wireless with captive portal fail.

Ben

Hi Ben,

This is normal. The firewall rule only blocks end-to-end traffic.

You may change the Web Admin port to something other than TCP 80 and 443: System > Admin Security.

Hi Ben,

Why can’t you add “stream.mydomain.com” to the Local DNS Records?

My understanding is that 192.168.1.210 hosts multiple services, like TCP 80 and 1935. You just need to ensure:

  1. Guests resolve “store.mydomain.com” and “stream.mydomain.com” as 192.168.1.210
  2. TCP 80 and 1935 are allowed between these 2 VLANs
  3. “Allowed Networks” (192.168.1.210) is configured in Captive Portal.

Hey TK-

Thanks for the replies.

The problem is that I have stream.mydomain.com configured to forward to different IPs based on the port, using the inbound access > servers/services. For example, stream.mydomain.com:1935 routes to 192.168.1.210:1935, whereas stream.mydomain.com:xxx routes to 192.168.1.211:xxx, etc. So adding a local dns record for stream.mydomain.com to point to 192.168.1.210 will cause the other services/ports to stop functioning.

This works fine without the local DNS record in non-captive portal VLANs. For example, a connection to stream.mydomain.com:1935, which resolves to the cable modem WAN IP, is correctly forwarded to 192.168.1.210:1935 using the inbound access -> servers/services that are configured. The problem only seems to happen with captive portal.

Happy 2015-
Ben

Hi Ben,

I am reproducing your environment. Will keep you posted on the update.

Hi Ben,

I have tested your environment. Please find the attached diagram.


We will support NAT loop back access with Captive Portal in future release.

As a workaround, I encourage you to use a unique hostname for each server. For example, store.mydomain.com refers to 192.168.1.210 and stream.mydomain.com refers to 192.168.1.211.

Inbound access (from Internet to User VLAN):

Please configure External DNS record:
store.mydomain.com A 100.10.20.30
stream.mydomain.com CNAME store.mydomain.com

Access flow:

  • Users —store.mydomain.com:80—> Balance —> 192.168.1.210:80
  • Users —store.mydomain.com:1935—> Balance —> 192.168.1.210:1935
  • Users —stream.mydomain.com:8080—> Balance —> 192.168.1.211:8080

Inter-VLAN access (Guest VLAN to User VLAN):

Please configure Local DNS Records:
store.mydomain.com = 192.168.1.210
stream.mydomain.com = 192.168.1.211

  • Guest —store.mydomain.com:80—> Balance —> 192.168.1.210:80
  • Guest —store.mydomain.com:1935—> Balance —> 192.168.1.210:1935
  • Guest —stream.mydomain.com:8080—> Balance —> 192.168.1.211:8080
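As an added illustration (not Peplink firmware code and not part of TK's post), the Python below models the two resolution paths in the workaround above: Internet clients go through public DNS and then the Inbound Access port forwards on the WAN IP, while guest-VLAN clients behind the captive portal go through the Local DNS Records and straight across the inter-VLAN path, with no NAT loopback. A consistency check then reports every (hostname, port) where the two paths land on different servers. It reproduces Ben's original problem (one hostname, stream.mydomain.com, fronting ports on two servers) and shows the unique-hostname workaround passing. The WAN IP and the 8080 port come from the post; the 443 forward, the per-hostname port usage and the nat_loopback flag (modelling Ben's report that non-captive-portal VLANs work without a local record) are assumptions constructed for the example.

```python
# Added example, not Peplink firmware code: models the two resolution paths in
# TK's workaround (Internet clients via public DNS plus Inbound Access port
# forwards; guest clients via Local DNS Records with no NAT loopback on the
# captive-portal VLAN) and checks that both paths reach the same server.

WAN_IP = "100.10.20.30"  # from the flow in the post above

# Inbound Access Servers/Services, keyed by (WAN IP, port) -> internal server.
# Constructed from the thread; 443 is assumed alongside 80 for the https webstore.
INBOUND = {
    (WAN_IP, 80): "192.168.1.210",
    (WAN_IP, 443): "192.168.1.210",
    (WAN_IP, 1935): "192.168.1.210",
    (WAN_IP, 8080): "192.168.1.211",
}

# External DNS as ("A", ip) or ("CNAME", name) records.
EXTERNAL_DNS_ORIGINAL = {
    "store.mydomain.com": ("A", WAN_IP),
    "stream.mydomain.com": ("A", WAN_IP),  # one hostname fronting two servers
}
EXTERNAL_DNS_WORKAROUND = {
    "store.mydomain.com": ("A", WAN_IP),
    "stream.mydomain.com": ("CNAME", "store.mydomain.com"),
}

# Local DNS Records on the Balance (hostname -> internal IP).
LOCAL_DNS_ORIGINAL = {"store.mydomain.com": "192.168.1.210",
                      "stream.mydomain.com": "192.168.1.210"}
LOCAL_DNS_WORKAROUND = {"store.mydomain.com": "192.168.1.210",
                        "stream.mydomain.com": "192.168.1.211"}

# Ports clients use under each hostname (assumed from the thread).
USAGE_ORIGINAL = {"store.mydomain.com": [80, 443],
                  "stream.mydomain.com": [1935, 8080]}
USAGE_WORKAROUND = {"store.mydomain.com": [80, 1935],
                    "stream.mydomain.com": [8080]}


def resolve_external(dns, host, max_hops=8):
    """Public resolution: follow CNAMEs until an A record; None if unresolved
    or the CNAME chain loops / runs too long."""
    for _ in range(max_hops):
        record = dns.get(host)
        if record is None:
            return None
        kind, value = record
        if kind == "A":
            return value
        host = value  # CNAME: keep following
    return None


def target_from_internet(dns, inbound, host, port):
    """Internet client: public DNS yields the WAN IP, then the Inbound Access
    rule for that (WAN IP, port) selects the internal server."""
    wan = resolve_external(dns, host)
    return inbound.get((wan, port)) if wan else None


def target_from_guest(local_dns, dns, inbound, host, port, nat_loopback=False):
    """Guest-VLAN client behind the captive portal. A Local DNS Record sends the
    client straight across the inter-VLAN path with the port unchanged. Without
    one the name resolves to the WAN IP and, as the thread reports, the
    captive-portal VLAN gets no NAT loopback, so the connection fails. The
    nat_loopback flag models Ben's non-captive-portal VLANs, where it works."""
    ip = local_dns.get(host)
    if ip is not None:
        return ip
    if nat_loopback:
        return target_from_internet(dns, inbound, host, port)
    return None


def mismatches(local_dns, dns, inbound, usage):
    """(hostname, port) pairs where guests and Internet users reach different
    servers, or guests reach nothing. An empty set means the split-horizon
    setup is consistent."""
    bad = set()
    for host, ports in usage.items():
        for port in ports:
            if (target_from_internet(dns, inbound, host, port)
                    != target_from_guest(local_dns, dns, inbound, host, port)):
                bad.add((host, port))
    return bad


if __name__ == "__main__":
    print("original:  ", mismatches(LOCAL_DNS_ORIGINAL, EXTERNAL_DNS_ORIGINAL,
                                    INBOUND, USAGE_ORIGINAL))
    print("workaround:", mismatches(LOCAL_DNS_WORKAROUND, EXTERNAL_DNS_WORKAROUND,
                                    INBOUND, USAGE_WORKAROUND))
```

The original layout fails only at stream.mydomain.com:8080, exactly the case Ben describes: a single Local DNS Record cannot send port 1935 to one server and the other port to another, because the local record bypasses the port-based Inbound Access table. Giving each server its own hostname makes the local record and the port forward agree.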

UPDATE: Peplink is fully capable of meeting the requirements for PCI DSS 3.0 compliant networks.