Firewall between VLANs

I have a Surf Soho and want to start using VLANs. Ideally I would have VLAN 20 (say computer) be more secure than VLAN 10 (say printer). That is, I want devices on VLAN 20 to be able to talk to devices on VLAN 10, but devices on VLAN 10 cannot INITIATE communications with devices on VLAN 20. If I block all 10 → 20 packets, then two-way communications initiated by VLAN 20 are blocked. I would like to use the Surf’s firewall for stateful packet filtering.

But I can’t figure out how to configure the Surf to allow this. Is there any way?

Hi Scottgerard,

What I do in such a case is activate Inter-VLAN routing on both VLANs 10 and 20:


Then in the firewall I create an ALLOW rule from subnet VLAN 20 to subnet VLAN 10 and a DENY rule from subnet VLAN 10 to subnet VLAN 20. For the Untagged subnet you may disable Inter-VLAN routing or choose to work the same way.

Does this help in your case?

Kind regards,


After some more research, I believe the most appropriate question is whether the Soho’s firewall is “stateful”, because I want response packets to flow from 10->20, but initiating packets to be denied for 10->20 flows.

The user manual doesn’t say one way or another, so I assume the Soho Surf’s firewall is NOT stateful. Is that correct?

Any recommendations on the next higher Peplink router that does have a stateful firewall for a small office environment?

All Peplink firewalls are stateful.

Sven’s approach is the right way to do it.

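Added example, not part of the thread and not Peplink's code: a minimal Python model of why the ALLOW 20→10 / DENY 10→20 rule pair only gives the asked-for behaviour on a stateful firewall. The subnet addresses, ports, default action and the names `match_rules` and `StatefulFirewall` are constructed assumptions.

```python
import ipaddress

# Constructed addressing: the thread names VLAN 10 and VLAN 20 but no subnets.
VLAN10 = ipaddress.ip_network("192.168.10.0/24")  # printers
VLAN20 = ipaddress.ip_network("192.168.20.0/24")  # computers

# The two rules from the thread as (source, destination, action); first match wins.
RULES = [(VLAN20, VLAN10, "ALLOW"), (VLAN10, VLAN20, "DENY")]


def match_rules(rules, src, dst, default="DENY"):
    """Stateless rule lookup. The default action is an assumption of this model."""
    for src_net, dst_net, action in rules:
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            return action
    return default


class StatefulFirewall:
    """Toy connection tracker: no TCP flag checks, no timeouts."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # 5-tuples of connections a rule has permitted

    def filter(self, proto, src, sport, dst, dport):
        forward = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        # Packets of a tracked connection, in either direction, bypass the rules.
        if forward in self.flows or reverse in self.flows:
            return "ALLOW (established)"
        # Anything else is a new connection and must be permitted by a rule.
        if match_rules(self.rules, src, dst) == "ALLOW":
            self.flows.add(forward)
            return "ALLOW (new)"
        return "DENY"


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    pc, printer = "192.168.20.5", "192.168.10.9"
    print(fw.filter("tcp", pc, 50000, printer, 9100))   # PC opens a print job
    print(fw.filter("tcp", printer, 9100, pc, 50000))   # printer's reply
    print(fw.filter("tcp", printer, 40000, pc, 445))    # printer-initiated
    print(match_rules(RULES, printer, pc))              # same reply, stateless
```

The last call shows the problem from the original question: without a connection table, the printer's reply is indistinguishable from a printer-initiated packet and hits the DENY rule.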