VLAN device specific rules across VLANs - Balance One Core


#1

My son, who works in enterprise security software is used to configuring firewall rules in such away as to describe the state of traffic - e.g. allow stated or related traffic, so that if you have a network printer on a particular VLAN, you can restrict the printer from communicating with other devices unless the other device IP has contacted the printer first. In other words, the printer can talk across VLANs and within a VLAN but cannot initiate a session with another device or the Internet (although the Internet could be blocked through a specific firewall rule related to that particular IP or MAC address.

Is there any way to set rules to restrict the initiation of communications by a device but still allow it to communicate back when contacted? This is important for printers (where you want to be able to see status monitors) as well as a number of other devices (like cameras) that you would not want initiating sessions with other devices on the network.

Is it possible to set such rules in any way using a Balance One Core?


#2

Hi Keith,

I will assume you had separate those IoT devices into separate network and this will allow you to use the firewall feature to control the access.

Below are the sample network setup & firewall rules that you can define to achieve the mention blocking:

Network Setup:
VLAN LAN: 192.168.50.0/24
VLAN IoT: 192.168.51.0/24

Firewall Rules:

Outbound Firewall Rules (Internet):

  • VLAN IoT: 192.168.51.0/24 deny access internet any
  • Default - allow all

Inbound Firewall Rules:
Not related if no Public Access to LAN or IoT

Internal Network Firewall Rules:
VLAN IoT: 192.168.51.0/24 deny access VLAN LAN: 192.168.50.0/24
Default All all for other traffics

Sample Firewall rules:

With the above firewall rules you can control access IoT devices initiate any connection to internet or access to LAN devices.

Thank You