I have a Surf Soho and want to start using VLANs. Ideally I would have VLAN 20 (say computer) be more secure than VLAN 10 (say printer). That is, I want devices on VLAN 20 to be able to talk to devices on VLAN 10, but devices on VLAN 10 cannot INITIATE communications with devices on VLAN 20. If I block all 10 → 20 packets, then two-way communications initiated by VLAN 20 are blocked. I would like to use the Surf’s firewall for stateful packet filtering.
But I can’t figure out how to configure the Surf to allow this. Is there any way?
Hi Scottgerard,
What I do in such a case is activate Inter-VLAN routing on both VLANs 10 and 20.
Then in the firewall I create an ALLOW rule from subnet VLAN 20 to subnet VLAN 10 and a DENY rule from subnet VLAN 10 to subnet VLAN 20. For the Untagged subnet you may disable Inter-VLAN routing or choose to work the same way.
Does this help in your case?
Kind regards,
Sven
2 Likes
After some more research, I believe the most appropriate question is whether the Soho’s firewall is “stateful”, because I want response packets to flow from 10->20, but initiating packets to be denied for 10->20 flows.
The user manual doesn’t say one way or another, so I assume the Soho Surf’s firewall is NOT stateful. Is that correct?
Any recommendations on the next higher Peplink router that does have a stateful firewall for a small office environment?
All peplink firewalls are stateful.
Sven's approach is the right way to do it.
1 Like
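To make concrete why Sven's rule pair (ALLOW 20 → 10, DENY 10 → 20) only does what the original question wants when the firewall is stateful, here is a small simulation added to this thread. It is not Peplink code and does not model the Surf SOHO; the subnets 192.168.10.0/24 and 192.168.20.0/24, the packets, and the simplified connection tracking (a flow is remembered once its first packet is allowed, with no TCP state machine or timeouts) are all assumptions made for the example. A stateless filter evaluates every packet against the two rules alone, so the printer's replies to a computer-initiated print job are dropped by the DENY rule; a stateful filter lets replies through because they belong to a flow the ALLOW rule already admitted, while a fresh connection attempt from the printer side is still denied.

```python
"""Stateless vs stateful enforcement of "VLAN 20 may initiate to VLAN 10,
VLAN 10 may not initiate to VLAN 20".  Hypothetical model for illustration,
not the Surf SOHO's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed subnets for the two VLANs in the question.
VLAN10 = ip_network("192.168.10.0/24")   # printer side
VLAN20 = ip_network("192.168.20.0/24")   # computer side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow_key(self):
        """5-tuple identifying the direction this packet travels."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        """5-tuple of the opposite direction, i.e. the flow this would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def rule_decision(pkt):
    """Sven's two rules.  Traffic matching neither falls through to an
    assumed default of allow; tighten that as needed for the untagged subnet."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s in VLAN20 and d in VLAN10:
        return "allow"          # ALLOW subnet VLAN 20 -> subnet VLAN 10
    if s in VLAN10 and d in VLAN20:
        return "deny"           # DENY  subnet VLAN 10 -> subnet VLAN 20
    return "allow"


class StatelessFirewall:
    """Every packet is judged by the rules alone, with no memory of prior packets."""

    def filter(self, pkt):
        return rule_decision(pkt)


class StatefulFirewall:
    """A packet that replies to an already-admitted flow passes before the
    rules are consulted; only the first packet of a flow is judged by them."""

    def __init__(self):
        self.conntrack = set()  # flow keys of admitted connections

    def filter(self, pkt):
        if pkt.reverse_key() in self.conntrack:
            return "allow"      # established/related reply traffic
        verdict = rule_decision(pkt)
        if verdict == "allow":
            self.conntrack.add(pkt.flow_key())   # denied packets create no state
        return verdict


def run(fw, packets):
    """Return the verdict for each packet in order."""
    return [fw.filter(p) for p in packets]


# Constructed sample traffic (not captured from a real network).
PRINT_JOB = [
    Packet("192.168.20.5", 51000, "192.168.10.9", 9100),   # computer -> printer, SYN
    Packet("192.168.10.9", 9100, "192.168.20.5", 51000),   # printer -> computer, SYN/ACK
]
PRINTER_PROBE = [
    Packet("192.168.10.9", 44000, "192.168.20.5", 445),    # printer initiating to computer
]

if __name__ == "__main__":
    print("stateless, print job  :", run(StatelessFirewall(), PRINT_JOB))
    print("stateful,  print job  :", run(StatefulFirewall(), PRINT_JOB))
    print("stateful,  printer probe:", run(StatefulFirewall(), PRINTER_PROBE))
```

The second print line is the behaviour the question asks for: the reply from the printer is admitted because the computer opened the flow, yet the printer's own connection attempt on the third line is still denied. A stateless filter with the same two rules drops the reply and breaks printing entirely, which is exactly the symptom described in the first post.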