Simple VLAN routing / firewall question

Hi,

I have VLAN 1 using IP range 192.168.0.x as a primary network.

A web server accepting incoming requests from the internet is on VLAN 3 using IP range 192.158.10.x.

Inter-VLAN routing is disabled.

I want to keep the web server VLAN3 fairly walled off from the primary network, with the exception of web and RDP traffic (ports 80, 443, and 3389) from VLAN 1 machines to the VLAN 3 server.

For example, a client on VLAN 1 should be able to open a web page on the VLAN 3 server using the public Internet IP address.

The connection is failing currently, I assume because Inter-VLAN routing is disabled.

How can I allow web and RDP traffic from VLAN 1 to VLAN 3 while blocking everything else on VLAN 3?

Thanks!

  1. Enable Inter-Vlan Routing
  2. Create a rule that blocks all traffic from VLAN 1 to VLAN 3
  3. Create individual rules that allow just http,https and RDP to the IP of the server

For example (server is 192.168.10.10 in this example):

1 Like

That makes perfect sense now that you’ve laid it out for me :slight_smile:

I also added
Deny 192.168.10.0/24 --> 192.168.0.0/24
because my main concern is stopping anything malicious from the 192.168.10.10 web server box that is exposed to the internet. Does that look right?

Thanks for your help!

2 Likes