Best way to isolate all interfaces from each other

Hello,

What is the best way to isolate all interfaces from each other (LAN, WiFi)?
What I did: under "Switch" I created separate VLANs for each interface and assigned those to my interfaces. Each interface has a different subnet: 192.168.1.x, 192.168.2.x, 192.168.3.x, ...

I also set the firewall input and forward for each zone (besides LAN1, the only interface from which I want to access the router via SSH) to "reject" and only allowed DNS and DHCP via a separate traffic rule.

Is there anything I should also do?

Thank you for your help.

Cheers,
Lasko

You could merge all the interfaces but lan1 into one zone with INPUT and FORWARD drop/reject.
Other than that you are fine.


Thank you. I will test it later.

I was wondering if you could help me understand how it actually works. I still didn't really get the meaning of the zones and how they work. I tried to understand the documentation, but I still didn't get it.

So what I have done now:

NOLAN: covers all interfaces except lan.
If I understand correctly, this means that all traffic incoming on the interfaces covered by NOLAN is dropped.
E.g. in NOLAN there is a network called WIFIGUEST. When a device from lan tries to access a device in WIFIGUEST, this request will be dropped?

In my case, I then need to turn it around and create another firewall zone for lan with input drop.
Or did I understand something completely wrong?

One more question: the router, is it part of the lan zone?

Thank you very much for your help.

In this example you allow forwarding from NOLAN zone to lan. Traffic to the router is dropped (INPUT). Traffic from the router is allowed (OUTPUT). Traffic between the zone interfaces is dropped (FORWARD).
The first one doesn't seem correct to me, but I cannot say for sure if I don't see the whole picture.


Okay, that is definitely not what I wanted to do. But I think I now got the concept.

So am I correct that I do not need the last rule I added? To sum it up:

  • Input: Traffic from the zone to the Router and not from the zone => zone (nolan => lan)
  • Output: Traffic from the Router to zone
  • Forward: Traffic from the zone to other zones

When I look at the picture below with all the zones, this means that I allow all traffic in general from each zone to wan, but mostly reject the traffic from the zone to the router and reject the traffic to the other existing zones:

If yes, then I only have to remove the last entry (nolan => lan). Forwarding is set to reject on all zones.

Or is it only between the interfaces in one zone? If yes, then I need to create a new zone with all interfaces including lan: ALL => Reject (like the second entry) with Input and Forwarding "Drop". But this means, because lan is included, that my devices from lan are no longer able to access the router, and they have to.
If I do not include lan, then the other interfaces can still access lan and I need to set up traffic rules in this scenario for SSH and ports 80 and 443.

I really appreciate your help.

Wrong, it is the intrazone traffic, that is, traffic between the interfaces of the same zone.
For interzone traffic there are forwardings.

That also depends on the default policy you have, which is not visible here; it is at the top of the screen.

The way you describe it, you can combine all the interfaces except lan in one zone, call it nolan, which has forwarding to wan only, input and forward reject, output accept. Allow the DNS and DHCP with rules for this nolan zone.


You mean these settings:

I haven't changed anything here.

Okay, so if there is no forwarding to a specific zone, then no traffic is possible between the interfaces. The Forwardings are (once the last one (nolan => lan) is deleted) only set from the zones to wan, which means that no interzone traffic is possible and e.g. WIFIBUS cannot access lan. Correct?

Because I set Input to reject on all Forwardings to wan (except lan), I have already set up Traffic Rules for DNS and DHCP for all interfaces.

I use LAN as a management/trusted zone and added "zone -> forwardings" so the wireless APs can be accessed.

... between the zones.

The Forward in General Settings is reject, so by default interzone traffic is rejected. Only the Forwardings you have allowed are accepted.
Since you have the same settings to all zones except lan you can merge them all in one zone containing all the interfaces.

Fixed


Alright, now I got it. Here are now my new settings:

In General, "Forward" is dropped, so no traffic between the zones nolan and lan is possible.

All interfaces except lan are combined in zone nolan. Because Input is set to drop, traffic to the router is dropped, and because Forward is set to drop, no traffic between the interfaces of zone nolan is possible. Only the traffic from zone nolan to wan is allowed (nolan => wan).

For the zone nolan I have set up traffic rules to allow DNS and DHCP to the router.

Now my Setup is complete and I understand how the firewall zones work. Also I simplified the settings a lot with the combined nolan zone.
Thanks a lot.

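The final setup described in the thread, written out as an /etc/config/firewall fragment in OpenWrt UCI syntax. This is an added example, not any poster's actual configuration: the network names wifiguest and wifibus stand in for the WIFIGUEST/WIFIBUS interfaces mentioned earlier, the rule names are made up, and the zone policies use REJECT (as advised above) where the last post uses DROP; swap them if you prefer silent discards.

```uci
# /etc/config/firewall (fragment). Assumed example; adapt network names
# ('wifiguest', 'wifibus') to the interfaces defined in /etc/config/network.

# Default policies. INPUT is traffic to the router itself, OUTPUT is traffic
# the router originates, FORWARD here is the *inter-zone* default: rejected
# unless a 'config forwarding' section below allows a specific src -> dest pair.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted/management zone: the only place SSH and LuCI are reachable from.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream. masq enables NAT for everything forwarded here.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Every untrusted interface merged into one zone.
# input REJECT: no SSH/LuCI/anything on the router except the rules below.
# forward REJECT: the zone's own *intra-zone* policy, so the router will not
# route between wifiguest and wifibus either.
config zone
	option name 'nolan'
	list network 'wifiguest'
	list network 'wifibus'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Inter-zone forwardings. Only these pairs exist; there is deliberately no
# nolan -> lan section, so nolan hosts cannot reach lan (or the APs on it).
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'nolan'
	option dest 'wan'

# Holes in the nolan INPUT policy so clients still get addresses and names.
# DHCP: client -> router on udp/67 (IPv4 only; DHCPv6 would need udp/547).
config rule
	option name 'Allow-DHCP-nolan'
	option src 'nolan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS to the router's dnsmasq, tcp and udp.
config rule
	option name 'Allow-DNS-nolan'
	option src 'nolan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply it with /etc/init.d/firewall restart and inspect what was actually generated with fw4 print (OpenWrt 22.03 and later) or fw3 print on older releases; that output is the ground truth if the LuCI page and your mental model disagree. Two caveats a practitioner will want: the zone-level forward policy only governs traffic the router routes, so two clients on the same VLAN or SSID still talk to each other at layer 2 regardless of this file (for guest SSIDs add option isolate '1' to the wifi-iface section in /etc/config/wireless); and if you later need one-way management access from lan to the APs, a single config forwarding with src 'lan' and dest 'nolan' grants it without letting nolan initiate anything towards lan, because the firewall is stateful and only replies flow back.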
