Problem with inter-VLAN routing

Somehow I cannot wrap my head around it.

I have a Balance One and six VLANs, of which one is for my trusted traffic, one for guests, and the others for untrusted traffic (cameras and IoT devices). In this setup I am having trouble with inter-VLAN routing. What I want to achieve is that my trusted VLAN can access devices in the IoT VLAN. For the trusted VLAN I have ticked “inter-VLAN routing”; for the IoT VLAN I left it unticked.

I expected that in this setup I could already reach the IoT VLAN from my trusted one. But I can’t. I then added an internal routing firewall rule to allow trusted-vlan/24 to iot-vlan/24. But even with that rule it does not work (and that was to be expected, knowing how the default rule is already allowing all).

According to this post, I can achieve this by ticking “inter-vlan routing” on the IoT VLAN. But I do not want to do that because it would allow untrusted devices to access trusted VLANs. The solution to that is to set the default internal routing firewall rule to deny, but I cannot do that because it would stop my FusionHub from working (see this post).

What’s the solution here?

How are the internal firewall rules configured currently? They can be specific for each VLAN so the IoT VLAN cannot access the trusted LAN, but still has access through the FusionHub.

Hi @Ron_Case, please see this screenshot:

6 → my trusted VLAN
12 → IoT VLAN
16 → Cam VLAN

All help appreciated!

The trick here is to remember that rules are processed and matched top down. Then write out the logic which might be:

  1. Guest User > Just Internet: Only allow Guest users VLAN to access the internet and nothing else.
  2. Camera > NAS Access: Only allow two IP cameras (.30 & .31) on the IP cameras VLAN to access the NAS (.10) on the trusted VLAN
  3. Trusted Users > IoT Access: Only devices on trusted VLAN can access IoT devices on the IoT VLAN

For this example let's say:

  • Guest VLAN: 172.16.1.0/24 (note I am intentionally using a different address space / class of network here)
  • IP Cameras VLAN: 192.168.16.0/24
  • Trusted VLAN: 192.168.6.0/24
  • IoT VLAN: 192.168.12.0/24

Navigate to Misc Settings > Grouped Networks and add the following seven entries (this makes the firewall rules easier to read later):

[image]

Then do the following:

1. Guest User > Just Internet: Two approaches: either uncheck inter-VLAN routing on this VLAN, or add a firewall rule that has source set to Guest VLAN and a destination that is either another network group which has all your non-guest networks in it, e.g.:

[image]

or a supernet as a group network that covers all the other subnets:

[image]

I prefer the supernet approach so that if I add another VLAN in the 192.168.x.x space Guests will be blocked from accessing it without me needing to remember to add it to the ‘Non Guest Networks’ group.

2. IP Cameras > NAS: First we block IP Cameras from accessing anything else, then we allow two cameras to access the NAS.

3. IoT Network only accessible by Trusted Network Users: First we block access to the IoT network by all, then we allow trusted devices to access it.

The end config for this example looks like:


Look how clean and easy to read that looks! :heart_eyes:

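To make the top-down, first-match logic of the answer above concrete, here is an added Python model of the rule set it describes. It is example code written for this thread, not anything from Peplink or from the post author, and it makes two assumptions: the grouped networks are built from the four subnets and the .10/.30/.31 hosts named in the answer (the group names and the 192.168.0.0/16 supernet are constructed), and the default internal firewall rule stays at allow, as the thread says it must for FusionHub. Because the router stops at the first matching rule, each specific allow (cameras to NAS, trusted to IoT) is placed above the broad deny it carves an exception out of; the `shadowed_rules` check flags any rule that an earlier, wider rule has made unreachable, which is the mistake that makes "I added the allow rule but it still does not work" happen.

```python
import ipaddress

# Grouped networks, constructed to mirror the Misc Settings > Grouped Networks
# entries in the answer (names and the /16 supernet are assumptions).
GROUPS = {
    "Guest VLAN":       ["172.16.1.0/24"],
    "IP Cameras VLAN":  ["192.168.16.0/24"],
    "Trusted VLAN":     ["192.168.6.0/24"],
    "IoT VLAN":         ["192.168.12.0/24"],
    "192.168 Supernet": ["192.168.0.0/16"],      # covers every current and future 192.168.x.x VLAN
    "NAS":              ["192.168.6.10/32"],
    "NAS Cameras":      ["192.168.16.30/32", "192.168.16.31/32"],
    "Any":              ["0.0.0.0/0"],
}

# Internal network firewall rules as (name, source group, destination group, action).
# Processed top down; the first rule whose source and destination both match wins.
RULES = [
    ("Guest > Just Internet", "Guest VLAN",      "192.168 Supernet", "deny"),
    ("Cameras > NAS",         "NAS Cameras",     "NAS",              "allow"),
    ("Cameras > Block LAN",   "IP Cameras VLAN", "192.168 Supernet", "deny"),
    ("Trusted > IoT",         "Trusted VLAN",    "IoT VLAN",         "allow"),
    ("Block IoT",             "Any",             "IoT VLAN",         "deny"),
]

# The thread keeps the default rule at allow so FusionHub keeps working.
DEFAULT_ACTION = "allow"


def nets(group):
    """Parsed networks of a grouped-network entry."""
    return [ipaddress.ip_network(n) for n in GROUPS[group]]


def matches(ip, group):
    """True if the address falls in any network of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets(group))


def evaluate(src_ip, dst_ip, rules=RULES):
    """Return (action, rule name) for a new connection, first match wins."""
    for name, src, dst, action in rules:
        if matches(src_ip, src) and matches(dst_ip, dst):
            return action, name
    return DEFAULT_ACTION, "default"


def covers(broad, narrow):
    """True if every network of group `narrow` lies inside some network of group `broad`."""
    return all(any(n.subnet_of(b) for b in nets(broad)) for n in nets(narrow))


def shadowed_rules(rules=RULES):
    """Names of rules that can never match because an earlier rule already
    covers all of their source and destination traffic (an ordering bug)."""
    shadowed = []
    for i, (name, src, dst, _) in enumerate(rules):
        for _, earlier_src, earlier_dst, _ in rules[:i]:
            if covers(earlier_src, src) and covers(earlier_dst, dst):
                shadowed.append(name)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows covering each of the three requirements.
    flows = [
        ("172.16.1.5",    "192.168.6.10"),    # guest -> NAS
        ("172.16.1.5",    "203.0.113.9"),     # guest -> internet
        ("192.168.16.30", "192.168.6.10"),    # allowed camera -> NAS
        ("192.168.16.40", "192.168.6.10"),    # other camera -> NAS
        ("192.168.6.20",  "192.168.12.50"),   # trusted -> IoT
        ("192.168.16.40", "192.168.12.50"),   # camera -> IoT
        ("192.168.12.50", "192.168.6.20"),    # IoT -> trusted (falls through to default)
    ]
    for src, dst in flows:
        action, rule = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<14} {action:<5} ({rule})")
    print("shadowed:", shadowed_rules())
    # Swapping the last two rules puts the broad deny above the specific allow.
    swapped = RULES[:3] + [RULES[4], RULES[3]]
    print("shadowed after swap:", shadowed_rules(swapped))
```

The last sample flow is worth noting: nothing in this rule set names IoT as a source, so an IoT device opening a connection to the trusted VLAN falls through to the default rule, and with the default left at allow it is permitted. If that direction should be blocked too, it needs its own deny rule placed below the trusted-to-IoT allow.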

Wow @MartinLangmaid thanks for your thorough answer on this one. Sometimes it’s really simple… Just some work to add all the rules. I thought the grouped networks were really networks and couldn’t be collections of IPs. Learned something today again! Thanks