Unable to block Inter-VLAN Traffic

Yes, that's right. This is what I added through traffic rules from Luci interface.

Why did you set the destination as PrimaryVLAN? That traffic is already blocked by the lack of forwarding between the two relevant zones. You want to block access to the router so should be using Device (input) as the destination.

2 Likes

Perfect, thank you so much. I put in the following rules to prevent GuestVLAN and VenuVLAN from pinging each other's gateways, 192.168.10.1 and 192.168.20.1, as well as from pinging the PrimaryVLAN's gateway 192.168.1.1:

config rule
        option name 'BlockGuest'
        list proto 'all'
        option src 'GuestVLAN'
        option target 'REJECT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.10.1'

config rule
        option name 'BlockVenu'
        list proto 'all'
        option src 'VenuLAN'
        option target 'REJECT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.20.1'

I really appreciate all the help in getting my setup just the way I wanted it to be... :slight_smile: :smile:

Glad it's working as you wanted. However, if you don't want devices in GuestVLAN or VenuVLAN to access the router then it would be simpler to just use Device as the destination for the rule.

1 Like

They should be able to get to the router on their own gateways, just not to the other VLANs' gateways. They need to be able to get to the router because they need internet access through the WAN. Also, when I set the destination to just Device (input) without any IPs defined, they weren't even able to get DHCP IPs anymore.

Anyway, the current setup works, and I'm really glad... :smile:

Blocking input access doesn't prevent the traffic from being forwarded to WAN, it just prevents access to the device itself. But you're right about it preventing DHCP. You'd need to place an accept rule before it for traffic to port 67 (and 53 if the router is being used for DNS).

Going with a rule to prevent device access saves having to lock down individual services. You can leave them at default without worrying about untrusted devices having access.

1 Like
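The ordering pitfall in the reply above (a catch-all REJECT to the device shadowing DHCP and DNS unless the ACCEPT rules come first) is easy to check mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for UCI `config rule` sections plus a checker that flags any catch-all device-input REJECT/DROP from a zone that is not preceded by ACCEPT rules for udp/67 and 53 from the same zone. The sample configs are constructed; the zone name `GuestVLAN` comes from the posts, while the rule names are assumptions. It relies on the UCI convention that a rule with `src` but no `dest` applies to the router's own input chain (the "Device" destination in LuCI), and that rules are evaluated in file order.

```python
"""Check UCI firewall rule ordering for the DHCP/DNS-before-REJECT pitfall.

Added example, not from the forum thread or the OpenWrt project. A 'config rule'
with 'src' but no 'dest' targets the router's input chain ("Device" in LuCI);
rules apply in file order, so ACCEPTs for udp/67 and 53 must come first.
"""
import re

# Constructed sample following the advice in the thread (rule names assumed).
GOOD_CONFIG = """
config rule
        option name 'Allow-Guest-DHCP'
        option src 'GuestVLAN'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DNS'
        option src 'GuestVLAN'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Block-Guest-Device'
        option src 'GuestVLAN'
        option proto 'all'
        option target 'REJECT'
"""

# Constructed counter-example: same rules, but the REJECT comes first, so the
# DHCP and DNS ACCEPTs are never reached (the symptom reported in the thread).
BAD_CONFIG = """
config rule
        option name 'Block-Guest-Device'
        option src 'GuestVLAN'
        option proto 'all'
        option target 'REJECT'

config rule
        option name 'Allow-Guest-DHCP'
        option src 'GuestVLAN'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DNS'
        option src 'GuestVLAN'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?([^']*)'?$")


def parse_uci(text):
    """Return a list of sections: {'.type': str, key: str | list[str]}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {'.type': m.group(1)}
            sections.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == 'list':
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
    return sections


def as_list(value):
    """Normalise an option (scalar) or list value to a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def protos_of(rule):
    """Lower-cased protocol list; UCI defaults an unset proto to tcp+udp."""
    return [p.lower() for p in as_list(rule.get('proto'))] or ['tcp', 'udp']


def check_device_block_ordering(text, services=((67, 'udp'), (53, 'udp'))):
    """Return problem strings; empty list means every catch-all device REJECT
    from a zone is preceded by ACCEPTs for the listed services from that zone."""
    rules = [s for s in parse_uci(text)
             if s['.type'] == 'rule' and 'src' in s and 'dest' not in s]
    problems = []
    for idx, rule in enumerate(rules):
        if rule.get('target', '').upper() not in ('REJECT', 'DROP'):
            continue
        # Rules limited by dest_ip (as in the thread's own BlockGuest/BlockVenu
        # rules) are address-scoped rather than catch-all, so they are not flagged.
        if 'all' not in protos_of(rule) or 'dest_ip' in rule:
            continue
        zone, earlier = rule['src'], rules[:idx]
        for port, proto in services:
            allowed = any(
                r['src'] == zone
                and r.get('target', '').upper() == 'ACCEPT'
                and str(port) in ' '.join(as_list(r.get('dest_port'))).split()
                and (proto in protos_of(r) or 'all' in protos_of(r))
                for r in earlier)
            if not allowed:
                problems.append(f"{rule.get('name', '?')}: no ACCEPT for "
                                f"{proto}/{port} from {zone} placed before it")
    return problems


if __name__ == '__main__':
    print('good:', check_device_block_ordering(GOOD_CONFIG) or 'ok')
    print('bad: ', check_device_block_ordering(BAD_CONFIG))
```

Running this against `/etc/config/firewall` (read the file into `check_device_block_ordering`) gives a quick regression check after editing rules in LuCI, where it is easy to drop a new rule below an existing catch-all block.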
