Basic VLAN Access Question

I’m setting up a network on Balance 210 running latest firmware. There will be several VLANs and I want to control communications between them. Can someone validate the approach below?

Here are the VLANs:
10.72.51.0 – default
10.72.52.0 – VLAN 2: local services with port forwarding
10.72.53.0 – VLAN 3: common IoT resources requiring internet access (e.g., building controls, AV systems)
10.72.55.0 – VLAN 5: local IoT resources not requiring internet access (e.g., security cameras)
10.72.57.0 – VLAN 7: general users connecting by WiFi
10.72.58.0 – VLAN 8: guest users connecting by WiFi

I don’t want the local services (VLAN 2) connecting with any other VLAN but I do want them to have internet access, so I will turn off interVLAN routing for VLAN 2. That’s fine.

I don’t want the cameras to have access to the internet or other VLANs and will use VPN for remote access. So I will turn off interVLAN routing for VLAN 5 and also deny internet access for VLAN 5.

It gets more complicated for some other VLANs. Specifically…

  • I want to restrict VLAN 3 from accessing other VLANs, except
  • I want both users (VLAN 7) and guests (VLAN 8) to have access to VLAN 3

Questions / options – which of the following will work and is best…

  1. I could leave interVLAN routing ON for VLAN 3 but use local firewall rules to deny access to subnets besides those for VLAN 7 and 8 (and the default LAN), e.g., DENY connections to subnets for VLANs 2 and 5.

  2. I could turn OFF interVLAN routing for VLAN 3 but use local firewall rules to allow access from the subnets for VLANs 7 and 8 to the subnet for VLAN 3. This of course only works if firewall rules overrule settings for interVLAN routing.

Suggestions? Thanks.

MB


I would suggest using firewall rules to control the access.

Option 2 is not applicable here because when you turn off interVLAN routing, traffic for the VLAN will not be routed to other VLANs.


Thank you. Very helpful. It sounds like I should enable InterVLAN routing and then use DENY rules in the firewall to isolate subnets. Quick follow-up…

If I want to isolate two VLANs, do I need two different DENY rules, one in each direction (source/destination)?


Yes, you need to have 2 rules to work on this.

Example:

VLAN_A
VLAN_B

Internal Network Firewall Rules:
Rule 1: VLAN_A —> VLAN_B Deny

  • The above rule blocks A to B

Rule 2: VLAN_B —> VLAN_A Deny

  • The above rule blocks B to A

Thanks. Got it.

I have set up the VLANs. However, users on VLAN 5 can’t see system resources on VLAN 3 (think LAN-connected thermostats or other sensors). Inter-VLAN routing is on for all VLANs. I have also set the default internal firewall rule (for now) to Allow All. Just in case, I’ve also set up explicit rules allowing subnet x.x.3.x (VLAN 3) access to subnet x.x.5.x (VLAN 5) and vice versa.

What am I missing?

Some applications are designed to run on a layer 2 network (same network) only. Does your application support running over layer 3 routing? Are you able to ping from VLAN3 to VLAN5 or vice versa?


Thanks. You are correct. It is an issue only with applications running L2, e.g., Sonos and AppleTV. I can ping the devices from the other subnets, just not access the services. So I’ll need to rethink the VLAN design unless a way can be found around this. From what I’ve seen this might be possible with AppleTV but not with Sonos.


Hello @mjb87,
You may like to add your voice to this feature request.

Currently the Peplink & Pepwave routers do not support interVLAN routing of multicast packets as used by the Sonos and other systems.

@MartinLangmaid notes the situation well on his post in the thread.

Happy to Help,
Marcus 🙂
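The two points argued in this thread (isolating two VLANs takes a DENY rule in each direction, and multicast discovery traffic is not routed between VLANs no matter what the firewall says) can be checked against a small model. The following Python is an added example written for this thread, not Peplink code and not the original poster's configuration: it takes the VLAN plan from the first post (with /24 masks assumed, since only network addresses were given), the per-VLAN inter-VLAN routing switches and the "Option 1" DENY rules, and decides whether a new connection would be forwarded. The evaluation semantics are assumptions: rules are matched top to bottom with first match winning, a VLAN with inter-VLAN routing off is cut off in both directions, and the firewall is stateful so only the first packet of a flow is judged.

```python
# Added illustration: a toy model of a router's inter-VLAN forwarding decision,
# built from the VLAN plan in this thread. Not Peplink code; the real Balance
# firmware may differ in detail.
from ipaddress import ip_address, ip_network

# Subnets from the original post (/24 assumed; the post lists only network addresses).
VLANS = {
    "default": ip_network("10.72.51.0/24"),
    "VLAN2": ip_network("10.72.52.0/24"),   # local services
    "VLAN3": ip_network("10.72.53.0/24"),   # shared IoT needing internet
    "VLAN5": ip_network("10.72.55.0/24"),   # cameras, no internet
    "VLAN7": ip_network("10.72.57.0/24"),   # users (WiFi)
    "VLAN8": ip_network("10.72.58.0/24"),   # guests (WiFi)
}

# Per-VLAN inter-VLAN routing switch as planned in the thread: off for VLAN 2 and 5.
# Assumption: a VLAN with routing off is cut off from every other VLAN in both directions.
INTERVLAN_ROUTING = {
    "default": True, "VLAN2": False, "VLAN3": True,
    "VLAN5": False, "VLAN7": True, "VLAN8": True,
}

# "Option 1" from the thread: routing stays on for VLAN 3 and explicit DENY rules keep
# it away from VLAN 2 and 5. Rules are (source VLAN, destination VLAN, action), evaluated
# top to bottom, first match wins (assumed ordering semantics).
RULES = [
    ("VLAN3", "VLAN2", "deny"),
    ("VLAN3", "VLAN5", "deny"),
]
DEFAULT_ACTION = "allow"   # the "Allow All" default rule mentioned later in the thread


def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None if none does."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def decide(src, dst, rules=RULES, default=DEFAULT_ACTION):
    """Decide whether a new connection from src to dst is forwarded across VLANs.

    Returns (forwarded, reason). The model is stateful: the decision is made on
    the first packet of a flow, and replies to an accepted flow are implied.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Multicast (mDNS 224.0.0.251, SSDP 239.255.255.250, ...) is never routed between
    # VLANs, which is why discovery-based gear such as Sonos is not found across them.
    if dst_ip.is_multicast:
        return False, "multicast is not routed between VLANs"
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan is None or dst_vlan is None:
        return False, "address outside every defined VLAN"
    if src_vlan == dst_vlan:
        return True, "same VLAN: switched at layer 2, firewall not consulted"
    if not (INTERVLAN_ROUTING[src_vlan] and INTERVLAN_ROUTING[dst_vlan]):
        return False, "inter-VLAN routing is off for %s or %s" % (src_vlan, dst_vlan)
    for rule_src, rule_dst, action in rules:
        if rule_src == src_vlan and rule_dst == dst_vlan:
            return action == "allow", "matched rule %s -> %s %s" % (rule_src, rule_dst, action)
    return default == "allow", "no rule matched, default %s" % default


def isolation_check(vlan_a, vlan_b, rules):
    """True only if neither VLAN can open a connection to the other."""
    # Constructed host addresses: .10 in each subnet.
    host_a = str(VLANS[vlan_a].network_address + 10)
    host_b = str(VLANS[vlan_b].network_address + 10)
    a_to_b, _ = decide(host_a, host_b, rules)
    b_to_a, _ = decide(host_b, host_a, rules)
    return not a_to_b and not b_to_a


if __name__ == "__main__":
    for src, dst in [("10.72.57.10", "10.72.53.20"),   # user -> thermostat: allowed
                     ("10.72.53.20", "10.72.55.20"),   # IoT -> camera: routing off
                     ("10.72.57.10", "224.0.0.251")]:  # user -> mDNS: not routed
        print(src, "->", dst, decide(src, dst))
    one_rule = [("VLAN3", "VLAN7", "deny")]
    two_rules = one_rule + [("VLAN7", "VLAN3", "deny")]
    print("one DENY rule isolates 3 and 7:", isolation_check("VLAN3", "VLAN7", one_rule))
    print("two DENY rules isolate 3 and 7:", isolation_check("VLAN3", "VLAN7", two_rules))
```

Running the script shows the asymmetry behind the "two rules" answer: with only `VLAN3 -> VLAN7 deny` and an Allow All default, a host on VLAN 7 can still open connections into VLAN 3, so `isolation_check` only reports true once the reverse DENY is added. It also shows why a successful ping from VLAN 5 to VLAN 3 proves nothing about Sonos or AirPlay discovery: unicast ICMP passes the routing and firewall checks, while the multicast group those protocols announce on is rejected before any rule is consulted.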