Inter-VLAN Routing, Internal Firewall Rules and a Cisco 2960 Switch

Hi, I’ve got a Balance 20x with two VLANs on it. 192.168.1.1 is the native, trusted network and 192.168.2.1 is the semi trusted network. I want both to be able to get out onto the Internet, which they can, but I only want internal comms between these two networks to go one way:

ALLOW ANY PROTOCOL from 192.168.1.0/24 → to 192.168.2.0/24
DENY ANY PROTOCOL from 192.168.2.0/24 → to 192.168.1.0/24

So, I ticked the box on both networks for ‘Inter-VLAN routing’ and proceeded to set up the Internal Network Firewall Rules as above. From a host on 192.168.1.0/24, I can ping the router IP address for the semi-trusted VLAN 192.168.2.1, as expected. However, I can also still ping 192.168.1.1 from the 192.168.2.0/24 network. I would have thought I shouldn’t be able to do this…?

I should add, I am also using a Cisco switch that has both VLANs present on it too. Both VLANs are trunked to an uplink port on the switch and then other ports are set up as simple access ports for either VLAN 1 or VLAN 2. The trusted device is connected directly to the Balance 20x via an access port for the native, trusted network. The other semi-trusted device is connected to an access port on the Cisco 2960.

I’m baffled as to why this is not working. It used to work fine before I introduced the switch. Any help or advice would be sincerely appreciated.

It was a long day yesterday and after attacking this with fresh eyes earlier this morning, I’ve realised there was actually… No problem!

From a host in the trusted 192.168.1.0/24 network, I’m able to ping the router interface of 192.168.2.1 and other hosts in the semi-trusted 192.168.2.0/24 network, as expected.

From a host in the semi-trusted 192.168.2.0/24 network, I’m able to ping the router interface of 192.168.1.1 BUT IMPORTANTLY NOT the other hosts in the trusted 192.168.1.0/24 network. Since I was still pinging the router IP 192.168.1.1 - I got target fixation and blinkered everything else out.

I don’t know why I didn’t try this yesterday, think I just got fixated on the gateway IPs and expected them to behave the Cisco way. Anyway, sorry for wasting anyone’s time…

Last night after I posted, I even went on to delete the grouped network I’d created to save time in my FW rules. I had grouped the two networks together for the purpose of creating one ruleset for internet access. I subsequently re-created individual rules for each subnet and even took the Cisco 2960 out of the equation and just used the access ports on the Balance 20x. When I got the same result, I was convinced that was a major bug - hahaha! Then I went to bed, annoyed.

I looked again this morning and quickly realised the problem. Double face palm. Thanks to anyone who was thinking about my post and considering a reply!
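The lesson of the thread is that the gateway IP is the wrong target for testing an inter-VLAN rule: a reply from 192.168.1.1 says nothing about whether 192.168.2.0/24 can reach hosts on 192.168.1.0/24. The following is an added illustration written for this page, not Peplink's or Cisco's code. It models the two rules from the post as a first-match list and assumes (labelled in the comments) that the rules govern only traffic forwarded between VLANs, that packets addressed to one of the router's own interface IPs are answered by the router itself without consulting those rules, that same-VLAN traffic is switched at layer 2 and never reaches the router, and that the default action for unmatched inter-VLAN traffic is a configurable setting. The host addresses 192.168.1.10, 192.168.1.20, 192.168.2.10 and the Internet address 203.0.113.10 are constructed sample values.

```python
"""Model of the two-VLAN policy from the thread (added example, not vendor code).

Assumptions, not facts from the post:
  * rules are evaluated top-down, first match wins;
  * the internal network firewall rules apply only to traffic the router
    forwards between VLANs;
  * a packet addressed to one of the router's own interface IPs is answered
    locally and never passes through the inter-VLAN rules;
  * traffic between two hosts in the same VLAN is switched, not routed;
  * the default action for unmatched inter-VLAN traffic is configurable.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

TRUSTED = IPv4Network("192.168.1.0/24")        # native, trusted VLAN
SEMI_TRUSTED = IPv4Network("192.168.2.0/24")   # semi-trusted VLAN
INTERNAL_VLANS = (TRUSTED, SEMI_TRUSTED)
# The router's own interface addresses, taken from the post.
ROUTER_INTERFACES = {IPv4Address("192.168.1.1"), IPv4Address("192.168.2.1")}


@dataclass(frozen=True)
class Rule:
    action: str             # "ALLOW" or "DENY"
    src: IPv4Network
    dst: IPv4Network
    protocol: str = "ANY"   # "ANY" matches every protocol

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address, protocol: str) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.protocol in ("ANY", protocol))


# The two Internal Network Firewall Rules exactly as listed in the post.
RULES = [
    Rule("ALLOW", TRUSTED, SEMI_TRUSTED),
    Rule("DENY", SEMI_TRUSTED, TRUSTED),
]


def evaluate(src: str, dst: str, protocol: str = "ICMP",
             rules=RULES, default: str = "ALLOW") -> str:
    """Return the fate of a packet from src to dst under the modelled policy."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)

    # Assumption: the router answers for its own addresses before any
    # inter-VLAN rule is consulted, which is why a ping to 192.168.1.1 from
    # the semi-trusted VLAN succeeds even with the DENY rule in place.
    if dst_ip in ROUTER_INTERFACES:
        return "ROUTER-LOCAL"

    src_vlan = next((v for v in INTERNAL_VLANS if src_ip in v), None)
    dst_vlan = next((v for v in INTERNAL_VLANS if dst_ip in v), None)

    # Assumption: same-VLAN traffic is switched by the 2960 and never routed.
    if src_vlan is not None and src_vlan == dst_vlan:
        return "SAME-VLAN"

    # Destinations outside both VLANs go to the WAN; outbound rules, not the
    # inter-VLAN rules, decide those (not modelled here).
    if dst_vlan is None:
        return "OUTBOUND"

    # First-match evaluation of the inter-VLAN rules.
    for rule in rules:
        if rule.matches(src_ip, dst_ip, protocol):
            return rule.action
    return default


def is_meaningful_test_target(dst: str) -> bool:
    """True only if a ping to dst would actually exercise the inter-VLAN rules."""
    return IPv4Address(dst) not in ROUTER_INTERFACES


def verification_matrix() -> dict:
    """The checks the poster ended up running, with the modelled outcomes."""
    return {
        ("192.168.1.10", "192.168.2.10"): evaluate("192.168.1.10", "192.168.2.10"),
        ("192.168.2.10", "192.168.1.10"): evaluate("192.168.2.10", "192.168.1.10"),
        ("192.168.2.10", "192.168.1.1"): evaluate("192.168.2.10", "192.168.1.1"),
        ("192.168.1.10", "192.168.1.20"): evaluate("192.168.1.10", "192.168.1.20"),
        ("192.168.2.10", "203.0.113.10"): evaluate("192.168.2.10", "203.0.113.10"),
    }


if __name__ == "__main__":
    for (src, dst), verdict in verification_matrix().items():
        note = "" if is_meaningful_test_target(dst) else "  (gateway IP: not a valid rule test)"
        print(f"{src:>14} -> {dst:<14} {verdict}{note}")
```

Running the block prints the matrix the poster should have checked on day one: trusted host to semi-trusted host is allowed, semi-trusted host to trusted host is denied, and the semi-trusted host's ping to 192.168.1.1 is flagged as a test that never touched the rules at all. When verifying a one-way policy like this, always pick a destination that is a host on the far VLAN rather than the router's own interface.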
