Firewall Rules For Complete And Total Isolation - Pepwave Surf SOHO

I’m still struggling to get the right firewall rules for complete and total isolation of the “untrusted” networks from my private networks behind the SOHO WAN port. For starters, here is the topology of the rather basic double-NAT setup I am working with:

Cable Modem -> EdgeRouterX 192.168.1.1 -> Pepwave SOHO 192.168.1.x -> Private Networks (untagged LAN plus 7 private VLANs, each in 10.10.X.1 notation where X is the VLAN number, e.g. 10.10.20.1, 10.10.30.1, etc.)

I want to strictly block ALL traffic behind the “WAN” port other than internet traffic destined for any network on this side. I also want to block ALL traffic to internal hosts OUT that WAN port (that is, internal hosts in front of the SOHO other than 192.168.1.1 ER-X router) and I want each VLAN (all 7 of them) to be 100% isolated from all of that AND from each other AND from the Untagged LAN.

This seems difficult because Pepwave defaults pretty much allow anything and everything and I am trying to BLOCK pretty much anything and everything, so I’m fighting constantly to lock things down - without breaking of course. I had made some errors previously because my web browsers were acting funky (I had accidentally blocked all traffic to and from 192.168.1.1 which apparently wasn’t liked).

There was another user here recently with something similar and a DSL modem/router in double-NAT configuration but the IP ranges did not match mine so I wasn’t able to really zero in on the proper rule sets for each section to use. Basically I’m adding rules until it breaks, revert, try again. The odd thing is that some of the rules I had mistakenly used SHOULD have broken the entire system on my side but traffic continued to flow - albeit with some browser issues and other small issues here and there but mostly everything still worked which I’m puzzled on…but for now I’d just like to get locked down tight and SOHO is a fight the entire way because it wants to allow pretty much anything in and out and across internal networks.

For example, VLAN isolation is not total isolation. Even when inter-VLAN routes and “Layer 2 Isolation” are both enabled, a simple FING scan of the VLAN reveals all devices on that VLAN easily. This should not be possible. I had to specifically write rules targeting traffic inside the VLAN to prevent this. Puzzled on this aspect as well. The firewall does not appear to work as I believe it should, in either of these cases.

Any help would be appreciated - I need concrete rule sets to plug in which target the requirements I stated up top. Total isolation of both other internal networks ahead of the SOHO, and Total isolation of both devices individually AND networks (other than the untagged LAN on my side) for this side of the SOHO.
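The ordering problem the post runs into (a broad deny of 192.168.1.0/24 silently taking the upstream router with it) is easiest to see by replaying candidate rule sets against the traffic cases the post's requirements imply. The following is an added example, not part of the post and not Pepwave's own configuration format: a first-match source/destination evaluator with a Pepwave-style "allow" default, one rule set that meets the stated requirements, and the mistaken variant. Only VLANs 20 and 30 appear in the post; the other five VLAN numbers, the untagged LAN subnet 192.168.50.0/24 and the host addresses in the cases are constructed. Real SOHO rules also carry protocol, port and direction and the firewall is stateful, so this models only the ordering of address-based rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR


def matches(rule, src, dst):
    return (src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst))


def decide(rules, src_ip, dst_ip, default="allow"):
    """First matching rule wins; unmatched traffic gets the default, which is
    permissive here to mirror the out-of-the-box behaviour the post describes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src, dst):
            return rule.action, rule.name
    return default, "default"


ANY = "0.0.0.0/0"
UPSTREAM_ROUTER = "192.168.1.1/32"    # ER-X, from the post
WAN_SIDE_LAN = "192.168.1.0/24"       # hosts in front of the SOHO, from the post
# VLAN 20 and 30 are from the post; the other five numbers are assumed
VLAN_SUBNETS = [f"10.10.{v}.0/24" for v in (20, 30, 40, 50, 60, 70, 80)]
UNTAGGED_LAN = "192.168.50.0/24"      # assumed: the post does not give this subnet


def isolation_rules():
    """Rule set meeting the post's requirements, in evaluation order."""
    rules = []
    # 1. each VLAN keeps reaching its own gateway (DHCP/DNS live there)
    for net in VLAN_SUBNETS:
        gateway = f"{ipaddress.ip_network(net)[1]}/32"
        rules.append(Rule(f"allow-gw-{net}", "allow", net, gateway))
    # 2. the upstream router stays reachable (denying it broke browsing in the post)
    rules.append(Rule("allow-upstream-router", "allow", ANY, UPSTREAM_ROUTER))
    # 3. nothing else in front of the SOHO is reachable, in either direction
    rules.append(Rule("deny-to-wan-side-lan", "deny", ANY, WAN_SIDE_LAN))
    rules.append(Rule("deny-from-wan-side-lan", "deny", WAN_SIDE_LAN, ANY))
    # 4. no VLAN host reaches any other internal host: other VLANs, the same
    #    VLAN (this is the FING-scan case) or the untagged LAN, and vice versa
    for net in VLAN_SUBNETS:
        rules.append(Rule(f"deny-{net}-to-internal", "deny", net, "10.10.0.0/16"))
        rules.append(Rule(f"deny-{net}-to-untagged", "deny", net, UNTAGGED_LAN))
        rules.append(Rule(f"deny-untagged-to-{net}", "deny", UNTAGGED_LAN, net))
    return rules


def mistaken_rules():
    """The post's earlier mistake: a blanket deny of 192.168.1.0/24 ahead of
    everything else also blocks the ER-X at 192.168.1.1."""
    return [Rule("deny-wan-side-lan", "deny", ANY, WAN_SIDE_LAN)] + isolation_rules()


# constructed traffic samples: (src, dst) -> expected verdict
CASES = {
    ("10.10.20.5", "203.0.113.10"): "allow",    # VLAN host to the internet
    ("10.10.20.5", "10.10.30.5"): "deny",       # VLAN to VLAN
    ("10.10.20.5", "10.10.20.6"): "deny",       # host to host inside one VLAN
    ("10.10.20.5", "10.10.20.1"): "allow",      # own VLAN gateway
    ("10.10.20.5", "192.168.1.1"): "allow",     # upstream ER-X
    ("10.10.20.5", "192.168.1.50"): "deny",     # host in front of the SOHO
    ("192.168.1.50", "10.10.20.5"): "deny",     # inbound from a WAN-side host
    ("192.168.50.20", "10.10.20.5"): "deny",    # untagged LAN to VLAN
    ("192.168.50.20", "203.0.113.10"): "allow", # untagged LAN to the internet
    ("10.10.20.5", "192.168.50.20"): "deny",    # VLAN to untagged LAN
}


def violations(rules, cases=CASES):
    """Return the (src, dst) pairs whose verdict differs from the expectation."""
    return [pair for pair, want in cases.items() if decide(rules, *pair)[0] != want]


if __name__ == "__main__":
    for label, rules in (("isolation", isolation_rules()), ("mistaken", mistaken_rules())):
        print(label, "violations:", violations(rules))
        for pair in CASES:
            print("  ", pair, "->", decide(rules, *pair))
```

Because evaluation stops at the first hit, the narrow allows for the gateways and for 192.168.1.1 must sit above the broad denies; the `mistaken` set shows the single case that a misplaced deny breaks, which is the failure mode the post attributes to its browser problems.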