Allow inter-vlan traffic when forwarded from Inbound Access Server/Service rule


#1

Hello–

I have two VLANs: My production VLAN (VLAN0, 192.168.1.x) and my public-wifi VLAN (VLAN2, 172.16.1.x). This is done for PCI compliance, so I have “inter-vlan routing” disabled. This way, all guests on VLAN2 have no access to any of our production servers. (I feel this is a common configuration) On my production VLAN is my webstore (192.168.1.210), which has an Inbound Access Server/Service rule set up to forward incoming http/https traffic (store.mydomain.com:80) to the server (192.168.1.210:80).

When connected to VLAN0 (say 192.168.1.55), you can connect to the webstore (store.mydomain.com) just fine. The balance detects that the outgoing destination resolves to a WAN IP, so it handles that according to the inbound traffic rules, and redirects it to my webstore server (192.168.1.210, also on VLAN0).

However, when connected to VLAN2, a connection to store.mydomain.com does not succeed. I assume this is because it detects that store.mydomain.com resolves to the WAN IP, applies the inbound traffic rules to it, but then ultimately rejects it because a request from 172.16.1.x to 192.168.1.210 is not allowed, according to a strict definition of “inter-vlan routing” disabled.

So my feature request: I would like an exception to be made to the “inter-vlan routing” rule. When inter-vlan routing is disabled, I would like data from one VLAN to another be allowed when it is forwarded from an Inbound Access Server/Service rule. This way, guests on my public-wifi, VLAN2, can connect to my publicly available webstore on VLAN0.

This is also Ticket #747272.

Thanks,
Ben Adams


#2

Hi Ben,

NAT will not take place (Inbound Access rule) if there is Inter-vlan access.

You may configure Outbound Firewall rule to achieve your requirement.

  1. Enable inter-vlan routing.

  2. Create Outbound Firewall rules below:-

  • Protocol: Any

  • Source IP & Port: Network, IP: 172.16.1.0, Mask: 255.255.255.0 (/24)

  • Destination IP & Port: Single Address, IP: 192.168.1.210

  • Action: Allow

  • Protocol: Any

  • Source IP & Port: Network, IP: 172.16.1.0, Mask: 255.255.255.0 (/24)

  • Destination IP & Port: Network, IP: 192.168.1.0, Mask: 255.255.255.0 (/24)

  • Action: Deny

Hope this helps.


#3

Hey TK-

Thanks for the reply.

I didn’t know the outbound firewall rules applied to traffic between the VLANs. I can’t wait to try this out.

Ben


#4

Hi Ben,

Please ensure users in subnet 192.168.1.0/24 and 172.16.1.0/24 resolve store.mydomain.com as 192.168.1.210. You may achieve this by adding Local DNS Records in Balance router. Network > LAN > DNS Proxy Settings > Local DNS Records. Ensure clients point Balance router as DNS server.


#5

Hey TK-

Thanks for your reply. I was finally able to test this out. It seems to be working OK.

However, users in my guest wireless subnet (172.16.1.0/24) are still able to connect to the peplink configuration page, 192.168.1.1. Using the firewall rules you set above, a user from the 172.16.1.0/24 subnet shouldn’t be able to connect to 192.168.1.1. Am I doing something wrong?

Thanks,
Ben


#6

Also, one more thing.

store.mydomain.com resolves to the WAN1 IP address, not 192.168.1.210. When I connect to https://store.mydomain.com from the guest wireless subnet, I get a certificate error, “403 Forbidden”, Server’s certificate does not match the URL. Under certificate information, it is using a certificate for captive-portal.peplink.com, instead of the certificate for store.mydomain.com.

When I add a local DNS record, as you suggest above, it sort of fixes the problem. However, this doesn’t work for everything. For example, I host streaming video on 192.168.1.210:1935. I have a server/service set up for port 1935 on all WANs to forward incoming traffic to 192.168.1.210. The hostname stream.mydomain.com points to the WAN IP. However, I forward other ports to servers that are not 192.168.1.210. So, I can’t add a local DNS record for stream.mydomain.com. As a result, connections to stream.mydomain.com:1935 from the guest-wireless with captive portal fail.

Ben


#7

Hi Ben,

This is normal. The firewall rule only blocks end-to-end traffic.

You may change Web Admin port other than Tcp 80 and 443. System > Admin Security.
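The rule set from post #2 and the caveat from post #7 can be checked against a small model of first-match firewall evaluation. The following is an added example, not Peplink code or anything from the thread: it evaluates the two thread rules in order (showing why the Allow for 192.168.1.210 must sit above the Deny for 192.168.1.0/24), adds the tighter TCP 80/1935 variant suggested in post #8, and separates traffic addressed to the router's own interfaces, which the outbound rules never see. The 172.16.1.1 guest-side router address, the default-allow policy and the client addresses are assumptions for the model.

```python
"""Constructed model of first-match outbound firewall evaluation (example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a network or single address (strict=False accepts host bits)."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                                  # "allow" or "deny"
    proto: str = "any"                           # "any", "tcp" or "udp"
    dst_ports: Optional[FrozenSet[int]] = None   # None means any destination port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_ports is not None and port not in self.dst_ports:
            return False
        return True


# The two rules exactly as given in post #2, in the order they must be evaluated.
RULES_FROM_THREAD = [
    Rule(net("172.16.1.0/24"), net("192.168.1.210/32"), "allow"),
    Rule(net("172.16.1.0/24"), net("192.168.1.0/24"), "deny"),
]

# Tighter variant following post #8: only TCP 80 and 1935 to the web/stream server.
TIGHTER_RULES = [
    Rule(net("172.16.1.0/24"), net("192.168.1.210/32"), "allow", "tcp", frozenset({80, 1935})),
    Rule(net("172.16.1.0/24"), net("192.168.1.0/24"), "deny"),
]

# Router interface addresses. 192.168.1.1 is from post #5; 172.16.1.1 is an assumption.
ROUTER_LOCAL = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("172.16.1.1")}


def evaluate(rules, src: str, dst: str, proto: str = "tcp", port: int = 80,
             default: str = "allow") -> str:
    """Return the action of the first matching rule, or the default policy (assumed allow)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return default


def classify(rules, src: str, dst: str, proto: str = "tcp", port: int = 80) -> str:
    """Outbound rules apply to forwarded (end-to-end) traffic only, as post #7 states.
    Connections terminating on the router itself are reported separately so the
    operator knows to restrict them via Admin Security rather than firewall rules."""
    if ipaddress.ip_address(dst) in ROUTER_LOCAL:
        return "router-local"
    return evaluate(rules, src, dst, proto, port)


if __name__ == "__main__":
    for src, dst in [("172.16.1.20", "192.168.1.210"), ("172.16.1.20", "192.168.1.50"),
                     ("172.16.1.20", "192.168.1.1")]:
        print(src, "->", dst, ":", classify(RULES_FROM_THREAD, src, dst))
```

Reversing the order of the two thread rules makes the Deny match first and blocks the web store too, which is the usual mistake with cumulative allow/deny rules on this kind of device.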


#8

Hi Ben,

Why can’t you add “stream.mydomain.com” into Local DNS Record?

My understanding is 192.168.1.210 hosts multiple services like Tcp 80 and 1935. You just need to ensure:-

  1. Guest resolves “store.mydomain.com” and “stream.mydomain.com” as 192.168.1.210
  2. Tcp 80 and 1935 are allowed between these 2 Vlans
  3. Configure “Allowed Networks” (192.168.1.210) in Captive Portal.

#9

Hey TK-

Thanks for the replies.

The problem is that I have stream.mydomain.com configured to forward to different IPs based on the port, using the inbound access > servers/services. For example, stream.mydomain.com:1935 routes to 192.168.1.210:1935, whereas stream.mydomain.com:xxx routes to 192.168.1.211:xxx, etc. So adding a local dns record for stream.mydomain.com to point to 192.168.1.210 will cause the other services/ports to stop functioning.

This works fine without the local DNS record in non-captive portal VLANs. For example, a connection to stream.mydomain.com:1935, which resolves to the cable modem WAN IP, is correctly forwarded to 192.168.1.210:1935 using the inbound access -> servers/services that are configured. The problem only seems to happen with captive portal.

Happy 2015-
Ben


#10

Hi Ben,

I am reproducing your environment. Will keep you posted on the update.


#11

Hi Ben,

I have tested your environment. Please find the attached diagram.


We will support NAT loop back access with Captive Portal in future release.

For workaround, I do encourage you to use a unique hostname for each server. For example, store.mydomain.com is referring to 192.168.1.210 and stream.mydomain.com is referring to 192.168.1.211.

Inbound access (From internet to User Vlan):-

Please configure External DNS record:
store.mydomain.com A 100.10.20.30
stream.mydomain.com CNAME store.mydomain.com

Access flow:

  • Users —store.mydomain.com:80—> Balance —> 192.168.1.210:80
  • Users —store.mydomain.com:1935—> Balance —> 192.168.1.210:1935
  • Users —stream.mydomain.com:8080—> Balance —> 192.168.1.211:8080

Inter-Vlan access (Guest Vlan to User Vlan):-

Please configure Local DNS Records:
store.mydomain.com = 192.168.1.210
stream.mydomain.com = 192.168.1.211

  • Guest —store.mydomain.com:80—> Balance —> 192.168.1.210:80
  • Guest —store.mydomain.com:1935—> Balance —> 192.168.1.210:1935
  • Guest —stream.mydomain.com:8080—> Balance —> 192.168.1.211:8080
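The split-DNS workaround above, and the reason Ben's original layout in post #9 could not be expressed with a local DNS record, can be traced with a small model of name resolution plus inbound port forwarding. This is an added example, not Peplink code or the thread's own configuration: it resolves a hostname differently for LAN clients (Local DNS Records) and internet clients (external A/CNAME records), applies the port-to-server forwards from the access flow, and marks guest-VLAN connections that land on the WAN address as intercepted by the captive portal, which post #11 says is not yet supported with NAT loopback. A consistency check then reports any hostname whose local record sends LAN clients to a different server than the inbound forward sends internet clients. The internet client 203.0.113.9, the 192.168.1.211 CNAME layout and port 8080 standing in for the thread's "xxx" are constructed values.

```python
"""Constructed model of split-horizon DNS plus inbound port forwarding (example, not vendor code)."""
import ipaddress

WAN_IP = "100.10.20.30"                          # WAN address from the thread's external DNS example
USER_VLAN = ipaddress.ip_network("192.168.1.0/24")
GUEST_VLAN = ipaddress.ip_network("172.16.1.0/24")   # captive portal enabled here

# External records as post #11 lays them out.
EXTERNAL_DNS = {
    "store.mydomain.com": ("A", WAN_IP),
    "stream.mydomain.com": ("CNAME", "store.mydomain.com"),
}
# Local DNS Records handed to LAN/guest clients (the workaround's unique-hostname layout).
LOCAL_DNS = {"store.mydomain.com": "192.168.1.210", "stream.mydomain.com": "192.168.1.211"}
# Inbound Access forwards: WAN port -> internal server (same port), from the access flow.
INBOUND_FORWARDS = {80: "192.168.1.210", 1935: "192.168.1.210", 8080: "192.168.1.211"}
# Which ports each hostname is advertised on (8080 is a constructed stand-in for "xxx").
SERVICE_PORTS = {"store.mydomain.com": {80, 1935}, "stream.mydomain.com": {8080}}


def resolve_external(name, dns=EXTERNAL_DNS):
    """Follow CNAMEs until an A record is reached; reject loops."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        rtype, value = dns[name]
        if rtype == "A":
            return value
        name = value


def resolve(name, client_ip, local_dns=LOCAL_DNS):
    """LAN clients get the local record when one exists; everyone else gets the public answer."""
    client = ipaddress.ip_address(client_ip)
    if (client in USER_VLAN or client in GUEST_VLAN) and name in local_dns:
        return local_dns[name]
    return resolve_external(name)


def connect(client_ip, name, port, local_dns=LOCAL_DNS):
    """Return (outcome, destination, port) for a client connecting to name:port."""
    client = ipaddress.ip_address(client_ip)
    dst = resolve(name, client_ip, local_dns)
    if dst != WAN_IP:
        return ("direct", dst, port)             # resolved internally; only the firewall applies
    if client in GUEST_VLAN:
        # NAT loopback with captive portal is unsupported (post #11): the portal answers instead,
        # which is the captive-portal certificate Ben saw in post #6.
        return ("captive-portal", WAN_IP, port)
    if port in INBOUND_FORWARDS:                 # internet client or user-VLAN hairpin (post #1)
        return ("forwarded", INBOUND_FORWARDS[port], port)
    return ("dropped", WAN_IP, port)


def check_local_records(local_dns, service_ports=SERVICE_PORTS, forwards=INBOUND_FORWARDS):
    """List (hostname, port, local_target, forward_target) where the local record would send
    LAN clients to a different server than the inbound forward sends internet clients."""
    problems = []
    for name, ports in service_ports.items():
        if name not in local_dns:
            continue
        for port in sorted(ports):
            if forwards.get(port) != local_dns[name]:
                problems.append((name, port, local_dns[name], forwards.get(port)))
    return problems


if __name__ == "__main__":
    print(connect("203.0.113.9", "stream.mydomain.com", 8080))
    print(connect("172.16.1.20", "stream.mydomain.com", 8080))
    print(connect("172.16.1.20", "store.mydomain.com", 80, local_dns={}))
    # Ben's original layout: one hostname fronting two servers on different ports.
    print(check_local_records({"stream.mydomain.com": "192.168.1.210"},
                              {"stream.mydomain.com": {1935, 8080}}))
```

Running the consistency check on Ben's original layout (stream.mydomain.com on both 1935 and 8080, one local record pointing at 192.168.1.210) reports the 8080 mismatch; the unique-hostname layout from post #11 reports nothing, which is why it is the workable configuration until NAT loopback with captive portal is supported.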

#12

UPDATE: Peplink is fully capable of meeting the requirements for PCI DSS 3.0 compliant networks. Click here for full details.