Restricted access to VLAN network

Hi there,

I’m relatively new to the Peplink family of products. I have recently configured a Pepwave Surf SOHO MK3 device that is running firmware version 8.0.0 build 1429.

I have setup 2 VLANs. The first is for “trusted devices” (VLAN 10) and the second is for “untrusted devices” (VLAN 20). I have unchecked the option for inter-VLAN communication as I don’t wish to allow devices on either network to communicate.

I have also configured 2 WiFi SSIDs that have been assigned to each of the respective VLANs.

I have a requirement to allow communication of selected devices on VLAN 10 to nominated devices on VLAN 20. For example, I have 2 devices on VLAN 10 that need to be able to communicate to a single device on VLAN 20.

The devices on VLAN 10 are both wired and wireless and the device on VLAN 20 is wireless.

What configuration do I need to enable on the Peplink SOHO router?

This is a bit over my head, but I believe the internal firewall rules are what you need. Or, if the communication is rare, then have a wifi device switch vlans by switching SSIDs.

1 Like

Thanks Michael. It would be valuable to know how to configure the internal firewall rules. I have attempted to implement it by specifying all ports, the source (VLAN 10 IP address e.g. 192.168.50.11) and destination (VLAN 20 IP address e.g. 192.168.51.100) addresses, however it fails. For example, I am unable to ping or reach the device.

To start– make sure you have disabled Inter-VLAN routing. Navigate to Network > LAN > Network Settings > LAN > [VLAN 10|20] > Network Settings > Inter-VLAN routing. Disable the option, click the Save button then Apply Changes.

You need to disable this option so it does not conflict with the rules you are setting with the internal firewall.

====================================


The above configuration would allow any client on the trusted network to initiate communication with any client on the untrusted network. Any unsolicited communication originating from the untrusted network would be blocked. This effectively replicates Inter-VLAN routing, but only in one direction: from the trusted network to the untrusted network.


The above configuration would allow any communication (including ping) from the specified client on your trusted VLAN (192.168.50.11) to a client on your untrusted network (192.168.51.100). Note that a ping in reverse – from 51.100 to 50.11 – will fail. Any other client on your trusted network will not be able to ping or other communicate with a client on the untrusted network.


The above configuration would allow a client on the untrusted network (192.168.51.100) to find and communicate with a network print server on UDP/TCP 631 running on the trusted network at 192.168.50.11. Note that all other communication between those two clients will be blocked. For example, the client on the untrusted network would not be able to locate a webserver running on the trusted network client despite having access to the print server on the same device. A ping from the trusted network client to the untrusted network client would fail.

2 Likes

Thanks louisbohn. This is very helpful. I followed the instructions to the letter to limit the communication of a single IP address between the networks e.g. trusted VLAN (192.168.50.11) to a client on your untrusted network (192.168.51.100) however it fails. When attempting to ping, it responds with “Request timed out”.

I had noticed that in the screenshots, the default rule had been disabled. The default rules on the device I have was enabled. I had assumed that if inter-VLAN communication had been disabled (unchecked), the default rule would not have any implications. I have however disabled it so that it reflects the screenshots.

The second observation is that when I select “Apply Changes”, the page redirects to the “Dashboard” and for a brief moment the CPU load spikes to a 100%. I take it that this is expected.

The default rule is changed from Allow to Deny. This is different than Disabling a firewall rule. I don’t believe the Default firewall can be disabled like the other rules.

My notes to disable Inter-VLAN Routing may be incorrect. Reenable that option and test again. Also be sure you are running the ping command on 192.168.50.11 ==> 192.168.51.100. You will not be able to run the ping command on 192.168.51.100 ==> 192.168.50.11 with this configuration.

Is the device you are attempting ping configured to accept pings? Some Windows installations drop ICMP pings by default. I believe Windows 7 & Windows 8.x Home installations would not respond to pings with the default Microsoft settings but Professional/Enterprise installations would.

2 Likes

Apologies louisbohn. Yes, you are correct i.e. it’s set to Deny rather than Disable.

I would like to avoid the ability for traffic from the trusted network communicating to devices on the untrusted network. Wouldn’t enabling inter-VLAN result in this or is the understanding that if the default internal firewall is set to Deny all traffic that it would restrict uni-directional communication between 192.168.50.11 ==> 192.168.51.100? Yes, I am not expecting 192.168.51.100 ==> 192.168.50.11 to work and nor did I try.

Is the device you are attempting ping configured to accept pings? Some Windows installations drop ICMP pings by default. I believe Windows 7 & Windows 8.x Home installations would not respond to pings with the default Microsoft settings but Professional/Enterprise installations would.

Yes, the device is configured to accept pings. It’s a printer.

Assuming two PCs on VLAN 10 (with IPs of 192.168.10.10 & .11) need access to printer on VLAN 20 with an IP of 192.168.20.100 - create following ruleset on internal rules:

2 Likes

Thanks Martin. I followed the example with the details below and it fails. When attempting to ping, it returns the message “Request timed out”.

Please note that I have not enabled inter-VLAN communication as I would like to restrict communication between specific devices. I take it that it does not matter if one of the devices is connected via Wi-Fi and the other via ethernet.

I am also unsure why a rule needs to be created from the printer to the end user device since I would expect the request to be uni-directional.

Can you try to changing the inter-VLAN to enabled.
I believe this is required for the routing portion to work.
Your Default deny rule on the internal network, should block anything that’s not allowed above.

1 Like

Thanks Jonathan. Does inter-vlan need to be enabled on both VLANs or just the source or the destination?

The last post here: Inter-VLAN Routing Back and Forth
describes it the best.
In short you need it enabled on both, then add the rules to allow the traffic you desire with a default deny rule.

1 Like

Thanks. The comment isn’t precise though since it reads " If you need the devices in VLAN1 access devices in VLAN2 & VLAN3 but not the other way round, then it is recommended to use the Internal Network Firewall Rules for advanced control the access between VLANs." in the post.

This suggests that it can be achieved without inter-VLAN being enabled.

That worked Jonathan. Out of curiosity, why do the firewall rules need to be bidirectional?

Because traffic is bidirectional. If you send a ping to a target, the target needs to reply back to you.

1 Like

Thanks Martin. The response occurs either way. I currently only have a single rule from the PC to the printer and there is a successful ping response. If yes,why is there a need for another rule from the printer to the PC?

Ah yes of course. Thats because the Peplink firewall is stateful. If traffic passes in one direction then the firewall assumes it is allowed to come back.

I do have firewall rules in place to allow my printer to initiate a session because most modern network printers are bidirectional in nature. My multi-function printer here can send scans to PC’s and NAS devices, so I generally always allow the response back for those instances where the printer is the initiator of the traffic.

2 Likes