I have a setup with several VLANs and all gateways hosted on a Vyatta (sub-interfaces).
Here is the network diagram:
What I would like:
- Isolate the VLANs from each other
- Give Internet access to each VLAN
- Default drop (better security, and I don't have to change my ACL if I add another VLAN)
So here is what I have done:
My ACLs:
name V10_FW_INSIDE_OUT {
    default-action drop
    description "ACL for VLAN 10"
    enable-default-log
    rule 1 {
        action accept
        description "Accept - All packets established/related from vlan 10 - Internet needs"
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action accept
        description "Accept - All packets from vlan 10 to Pfsense - Internet needs"
        destination {
            address 172.16.0.30/30
        }
    }
}
Applied to my interface:
ethernet eth2 {
    hw-id xxxxxx
    vif 10 {
        address 192.168.10.254/24
        description VLAN10
        firewall {
            in {
                name V10_FW_INSIDE_OUT
            }
        }
    }
}
Results:
My VLAN 10 is isolated from all others.
But I can't access the Internet from my VLAN 10. I thought I would be able to reach it with a permit ACL to my Vyatta-pfSense subnet (default route), but that's not the case.
I know that with a default accept, if I deny all my VLAN subnets, Internet access should work.
But I guess that's not best practice (if I add a VLAN, I have to change my ACL). My question:
What am I missing to get Internet access with my current ACLs?

16again, yes, I can do a default accept, but that's not what I want, because if we add another VLAN we will have to change our ACL.
With a default drop we won't have this issue. It will be easier, but I don't know how to do it: allow Internet access in this context.

Of course you can use a default drop rule. But then you have to configure individual rules for all the traffic you want allowed, and in the end you might end up with an... allow any any rule.
I would prefer the solution from 16again.
But you can also use a firewall rule with default action deny and an allow rule with "set destination address !192.168.0.0/16" (for all VLANs).

Is it possible to have one ACL rule with multiple network-group destinations inside?
For example:
rule 2 {
    action drop
    description "Drop - All packets from vlan 13 to all other vlans"
    destination {
        group {
            network-group group_1
            network-group group_2
            network-group group_3
        }
    }
}
Or, if that's not possible, I would like to have one group with multiple network groups inside.
My goal is to have only one rule and to keep management easier in the future.
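The two open points in this thread, the negated-destination accept rule suggested in the reply above and the question about referencing several networks from a single drop rule, can be combined in one default-drop ruleset. The following is an added example written for this page; it is not the original poster's configuration and not something the Vyatta project ships. It assumes the group name VLAN_NETS, the rule numbers 10/20/30, and the subnets 192.168.20.0/24 and 192.168.30.0/24; only 192.168.10.0/24, 172.16.0.30/30, eth2 vif 10 and the ACL name come from the thread. A rule's destination can reference one network-group, but that group may hold as many networks as you like, which is what gives you the single isolation rule.

```vyatta
# Added example, not from the thread. Enter in "configure" mode, then "commit" and "save".

# One network group holding every VLAN subnet (192.168.20/24 and 192.168.30/24 are assumed;
# only 192.168.10/24 appears in the original post). Adding a VLAN later means adding one
# "network" line here and nothing in the rules themselves.
set firewall group network-group VLAN_NETS network 192.168.10.0/24
set firewall group network-group VLAN_NETS network 192.168.20.0/24
set firewall group network-group VLAN_NETS network 192.168.30.0/24

# Keep the default-drop policy the poster wants; default-log records what falls through.
set firewall name V10_FW_INSIDE_OUT default-action drop
set firewall name V10_FW_INSIDE_OUT enable-default-log
set firewall name V10_FW_INSIDE_OUT description "ACL for VLAN 10"

# Rule 10: return traffic for sessions that VLAN 10 opened.
set firewall name V10_FW_INSIDE_OUT rule 10 action accept
set firewall name V10_FW_INSIDE_OUT rule 10 state established enable
set firewall name V10_FW_INSIDE_OUT rule 10 state related enable

# Rule 20: explicit, logged drop of anything addressed to another VLAN.
# A single rule, a single group reference, all VLAN subnets covered.
set firewall name V10_FW_INSIDE_OUT rule 20 action drop
set firewall name V10_FW_INSIDE_OUT rule 20 log enable
set firewall name V10_FW_INSIDE_OUT rule 20 description "Drop - VLAN 10 to any other VLAN"
set firewall name V10_FW_INSIDE_OUT rule 20 destination group network-group VLAN_NETS

# Rule 30: Internet access. The original rule 2 accepted only packets whose destination
# was the pfSense link (172.16.0.30/30); a packet to a public address is *routed* through
# pfSense but not *addressed* to it, so it matched nothing and hit the default drop.
# Negating the private range with "!" accepts everything that is not a VLAN address,
# including the pfSense link itself.
set firewall name V10_FW_INSIDE_OUT rule 30 action accept
set firewall name V10_FW_INSIDE_OUT rule 30 description "Accept - VLAN 10 to anything outside 192.168.0.0/16"
set firewall name V10_FW_INSIDE_OUT rule 30 destination address !192.168.0.0/16

# Apply in the "in" direction on the VLAN 10 sub-interface, as in the original post.
set interfaces ethernet eth2 vif 10 firewall in name V10_FW_INSIDE_OUT
```

Two things worth knowing before copying this. The `in` firewall on a vif filters traffic that arrives on that sub-interface and is forwarded elsewhere; packets addressed to the Vyatta itself (the gateway, DNS on the router, SSH) are governed by the `local` direction, so they are unaffected by this ruleset. And as long as every VLAN lives inside 192.168.0.0/16, rule 20 is redundant with the default drop; it is there so that inter-VLAN isolation is stated explicitly, logged per rule, and still enforced if someone later widens rule 30's negation or adds a VLAN outside that range without updating it.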