[ACL-Default drop] Isolate VLANs but access to Internet


#1

Hi guys,

I have a setup with several VLANs and all gateways hosted on a vyatta (sub interfaces).

Here is the network diagram :

What I would like :

  • Isolate VLANs from others
  • Give Internet access for each VLANs
  • Default drop (better security, don’t have to change my ACL if I will add another VLAN)

So here is what I have done :

My ACLs :

name V10_FW_INSIDE_OUT { default-action drop description "ACL for VLAN 10" enable-default-log rule 1 { action accept description "Accept - All packets established/related from vlan 10 - Internet needs" state { established enable related enable } } rule 2 { action accept description "Accept - All packets from vlan 10 to Pfsense - Internet needs" destination { address 172.16.0.30/30 } } }
Applied on my interface :

ethernet eth2 { hw-id xxxxxx vif 10 { address 192.168.10.254/24 description VLAN10 firewall { in { name V10_FW_INSIDE_OUT } } }
Results :
My VLAN 10 is isolated from all others.
But I can’t access to Internet from my VLAN 10. I was thinking to be able to access to it with a permit ACL to my vyatta-pfsense subnet (default route), but it’s not the case.
I know that with a default accept and if I deny all my VLANs subnet, it should work for Internet.
But it’s not the best practice I guess (if I add a VLAN, I have to change my ACL).
My question :

What am I missing to get an access to Internet with my current ACLs ?

Thanks a lot for your help guys.


#2

Hello,
for vyatta support you better to contact with brocade,
they changed a lot of things in vyatta.


#3

Thanks for the reply syncer.

I read the vyos doc, and there are not a lot of differences between vyos and the vyatta for the firewall part.
I was thinking to find some help here.

It should be the same logic, how will you do on vyos for my question ?

Thanks a lot :slight_smile:


#4

I guess i had wrong start,
tell me please which version you have?
Thanks!


#5

Make a firewall rule set like:

default action allow
rule 10 allow established/related
rule 20 block traffic destined to 192.168.0.0/16

Apply this rules set to all VLAN interfaces, type “firewall in.”


#6

Thanks for your help.

Here are all information :

Version: VC6.4-2012.05.31
Description: Vyatta Core 6.4 2012.05.31

16again, yes I can do a default accept, but it’s not what I want because if we add another VLAN, we will have to change our ACL.
With a default drop, we won’t have this issue. It will be easier, but I don’t know how to do that. To allow an access to Internet in this context.

Thanks,


#7

If you add another LAN in the 192.168.x.x range , my suggested rule 20 will block it


#8

Yep it’s an idea, thanks 16again !

But do you think we can use an ACL with a default drop ? Or it will be difficult to implement.

Have a nice day :slight_smile:


#9

Of course you can use a default drop rule. But then you have to configure individual rules for all traffic that you want allowed, and in the end you might end up with an…allow any any rule


#10

Yep if there are magical rules to drop all traffic by default, and to allow only Internet it will be perfect ^^

But from what I see, if I’ll do that, I’ll have to allow all public IP ranges, and it will be a mess.

Thanks a lot 16again :slight_smile:


#11

I would prefer the solution from 16again.
But you can also use a firewall rule with default action deny and an allow rule with “set destination address !192.168.0.0/16” (for all vlans).


#12

Hi,

Is it possible to have one acl rule with multiple network group destination inside ?
For example :

rule 2 { action drop description "Drop - All packets from vlan 13 to all other vlans" destination { group { network-group group_1 network-group group_2 network-group group_3 } } }

Or if it’s not possible, I would like to have one group with mutiple network group inside.
My goal is to have only one rule and to keep easier the management in the future.

Thx a lot for your help,