Internal VLAN routing

Hi,

I have a Pepwave MAX HD2 with multiple VLANs. On the admin VLAN I’m running an internal web server. I want the VLAN for crew to be able to access only this web server from VLAN crew.

Tick the “inter VLAN routing” option on both the admin and crew VLANs - this will permit traffic between the two subnets to be routed via the Peplink, and is normally enabled by default so assuming you’ve done no other configuration and the hosts are all correctly configured this should “just work”.

As you only want to allow access from the crew VLAN to one specific host in the admin VLAN you would then need to create a firewall rule to restrict access so that traffic flowing from the crew VLAN can only communicate with the address of the web server.

Hi, but then I open all traffic from crew VLAN to Admin VLAN. I don’t want crew to get access to other stuff on the admin VLAN.

Yes it will, and I addressed that issue in my reply. Do you need help making the firewall rule? If so, you will need to share some more information like the subnets used for admin and crew VLANs and the IP of the web server.

aha! Thanks!

VLAN Admin 10.94.4.0/24
VLAN crew 10.99.4.0/24

server: 10.94.4.10

THANKS!

There are two ways to do this. By default the firewall in the Peplink is wide open for internal traffic, so you can either choose to change the default action to deny traffic and then create explicit rules to permit just what you want, or leave the default action as permit and use rules to protect the admin network.

I generally prefer the former as it means you are more in control of what is allowed and stops things accidentally having access you did not expect - such as if you created another VLAN and left that “inter vlan routing” option ticked.

On your Peplink navigate to where the firewall rules are configured, probably under Network > Firewall > Access Rules

Under the “Internal Network Firewall Rules” list click the “Default” rule and change that action to “Deny” - this should stop traffic between the VLANs by default; check that you’ve not got access to the server from the crew network.

If that works as intended, we now need a rule to permit the traffic. Add a new rule that looks like this:

You could be more specific with the protocol selection than the example above, and just permit a specific destination port (source port from clients will almost always be “any”).

I also like to enable logging for new rules so if there is a problem you can see the traffic matching the rule in the event log, but I’d normally turn that off once things are working in most instances.

If you have other VLANs that need access to resources outside of their own subnets you may need to create some extra rules anyway as the default action is now to deny traffic.

Bear in mind that the rules are processed top down in order, first one to match traffic is applied, so if you add more rules over time consider the order and how specific they are - entire subnets vs single hosts as source or destination - and you could also use grouped networks if you needed multiple VLANs to have similar access.

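As an added illustration (not Peplink’s own code or rule syntax) of the top-down, first-match ordering the reply above describes, this Python model uses the thread’s subnets and server address with a default-deny action and shows how a broader rule placed above the permit rule shadows it; the rule dictionaries, names and functions are assumed for the example.

```python
import ipaddress

# Constructed rules modelling the thread: crew VLAN 10.99.4.0/24 may reach
# the admin web server 10.94.4.10 on TCP 80/443 only.
CREW_TO_WEB = {"name": "crew-to-web", "action": "allow", "src": "10.99.4.0/24",
               "dst": "10.94.4.10/32", "proto": "tcp", "dports": {80, 443}}
# A broader rule denying the whole admin subnet from crew, any protocol.
CREW_TO_ADMIN_DENY = {"name": "crew-to-admin-deny", "action": "deny",
                      "src": "10.99.4.0/24", "dst": "10.94.4.0/24",
                      "proto": "any", "dports": None}
DEFAULT_ACTION = "deny"  # the "Default" rule changed from Allow to Deny


def matches(rule, src_ip, dst_ip, proto, dport):
    """True if the flow matches every field of the rule."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["proto"] != "any" and rule["proto"] != proto:
        return False
    return rule["dports"] is None or dport in rule["dports"]


def evaluate(rules, src_ip, dst_ip, proto, dport, default=DEFAULT_ACTION):
    """Top-down, first-match evaluation; falls through to the default action."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule["action"], rule["name"]
    return default, "default"


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers
    the same (or a wider) source, destination, protocol and port set."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            net = ipaddress.ip_network
            src_ok = net(later["src"]).subnet_of(net(earlier["src"]))
            dst_ok = net(later["dst"]).subnet_of(net(earlier["dst"]))
            proto_ok = earlier["proto"] in ("any", later["proto"])
            ports_ok = earlier["dports"] is None or (
                later["dports"] is not None and later["dports"] <= earlier["dports"])
            if src_ok and dst_ok and proto_ok and ports_ok:
                shadowed.append(later["name"])
                break
    return shadowed


if __name__ == "__main__":
    print(evaluate([CREW_TO_WEB], "10.99.4.50", "10.94.4.10", "tcp", 443))
    print(shadowed_rules([CREW_TO_ADMIN_DENY, CREW_TO_WEB]))
```

Running the module prints the permit decision for a crew host reaching the web server, then the name of the permit rule that a broader deny rule placed above it would shadow.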

Thanks! Worked like a charm!