Firewall between VLANs

I have a Surf Soho and want to start using VLANs. Ideally I would have VLAN 20 (say computer) be more secure than VLAN 10 (say printer). That is, I want devices on VLAN 20 to be able to talk to devices on VLAN 10, but devices on VLAN 10 can not INITIATE communications with devices on VLAN 20. If I block all 10 -> 20 packets, then two-way communications initiated by VLAN 20 are blocked. I would like to use the Surf’s firewall for stateful packet filtering.

But I can’t figure out how to configure the Surf to allow this. Is there any way?

Hi Scottgerard,

What I do in such a case is activate Inter-VLAN routing on both VLAN’s 10 and 20:

image

Then in the firewall I create an ALLOW rule from subnet VLAN 20 to subnet VLAN 10 and a DENY rule from subnet VLAN 10 to subnet VLAN 20. For the Untagged subnet you may disable Inter-VLAN routing or chose to work the same way.

Does this help in your case ?

Kind regards,
Sven

2 Likes