Simple VLAN routing / firewall question

Hi,

I have VLAN 1 using IP range 192.168.0.x as a primary network.

A web server accepting incoming requests from the internet is on VLAN 3 using IP range 192.158.10.x.

Inter-VLAN routing is disabled.

I want to keep the web server on VLAN 3 fairly walled off from the primary network, with the exception of web and RDP traffic (ports 80, 443, and 3389) from VLAN 1 machines to the VLAN 3 server.

For example, a client on VLAN 1 should be able to open a web page on the VLAN 3 server using the public Internet IP address.

The connection is failing currently, I assume because Inter-VLAN routing is disabled.

How can I allow web and RDP traffic from VLAN 1 to VLAN 3 while blocking everything else on VLAN 3?

Thanks!

  1. Enable Inter-VLAN routing
  2. Create a rule that blocks all traffic from VLAN 1 to VLAN 3
  3. Create individual rules that allow just HTTP, HTTPS and RDP to the IP of the server

For example (server is 192.168.10.10 in this example):


That makes perfect sense now that you’ve laid it out for me 🙂

I also added
Deny 192.168.10.0/24 → 192.168.0.0/24
because my main concern is stopping anything malicious from the 192.168.10.10 web server box that is exposed to the internet. Does that look right?

Thanks for your help!

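A small model of the rule set the answer and the follow-up arrive at, added here as an example rather than a configuration from the thread or from any particular router. It uses the networks and server address given in the thread; the evaluator, the rule order and the shadow check are my own, and the default action of "allow" stands for inter-VLAN routing being enabled with no rules in place.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks and server address as given in the thread (constructed sample policy).
VLAN1 = ipaddress.ip_network("192.168.0.0/24")
VLAN3 = ipaddress.ip_network("192.168.10.0/24")
WEB_SERVER = ipaddress.ip_network("192.168.10.10/32")


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None   # None means any TCP destination port

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dports is None or dport in self.dports))


# First-match ordering: the specific allows sit above the broad deny.
RULESET = [
    Rule("allow", VLAN1, WEB_SERVER, frozenset({80, 443, 3389})),  # step 3
    Rule("deny", VLAN1, VLAN3),                                    # step 2
    Rule("deny", VLAN3, VLAN1),   # follow-up: nothing from the exposed box inward
]


def evaluate(ruleset, src, dst, dport, default="allow"):
    """Return the action of the first matching rule, else the default policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ruleset:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


def shadowed_allows(ruleset):
    """Return allow rules that an earlier, broader deny makes unreachable."""
    shadowed = []
    for i, rule in enumerate(ruleset):
        if rule.action != "allow":
            continue
        for earlier in ruleset[:i]:
            if (earlier.action == "deny"
                    and rule.src.subnet_of(earlier.src)
                    and rule.dst.subnet_of(earlier.dst)
                    and (earlier.dports is None
                         or (rule.dports is not None and rule.dports <= earlier.dports))):
                shadowed.append(rule)
                break
    return shadowed
```

Running `shadowed_allows` over the list in reverse order reports the allow rule, which is the mistake to check for on any first-match firewall: placed below the VLAN 1 to VLAN 3 deny, the HTTP/HTTPS/RDP allows never match.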