Question about traffic to/from rules between two network segments
I have Firewalla Gold in router mode. I have two LAN network segments: LAN A and LAN B.
If I have a network-level rule for LAN A that allows traffic from LAN A to LAN B, is this the same as having a network-level rule for LAN B that allows traffic from LAN A to LAN B? If not, what is the difference?
To try to clarify, do the following have the same effect?
1. Network rule for LAN A: Allow traffic to LAN B
2. Network rule for LAN B: Allow traffic from LAN A
Thanks!
Hi Timt,
Great question. By default, traffic is allowed between LANs.
If you want to allow traffic from LAN A to LAN B, but not LAN B > LAN A, you can simply add the following ON LAN B:
BLOCK all traffic matching to LAN A.
This doesn't say anything about traffic from A > B, so you could leave it at that. But it also means other networks can do whatever they want: B can be reached by any other network you later create, and B can reach any other network.
If you want stricter access control, you could add these ON LAN B:
- BLOCK all traffic matching from or to All Local Networks AND
- ALLOW traffic from LAN A (but no other network)
Now B won't be able to talk to any other network, and only LAN A will be able to talk to LAN B. Another benefit of this approach is that if you later add other LANs or VLANs, you won't have to adjust the rule. This assumes you want similar behavior for the other networks, of course.
I also prefer the second approach because it is clearer to me what the intent was. Once you define a few rules, it will become easy to lose track if things aren't clear.
This article https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules goes over rule precedence.
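The following is an added example, not code from Firewalla or the commenter, that models how the two rule sets in the answer compose across three LANs. It assumes that a rule configured on a network matches flows where that network is the source or destination (by the rule's direction), that a matching ALLOW overrides a matching BLOCK (which is what the second rule set relies on), and that unmatched inter-LAN traffic is allowed by default, as the answer states.

```python
# Added example (assumptions, not Firewalla's documented semantics): a rule on a network
# matches flows where that network is an endpoint, "from"/"to" select direction, an ALLOW
# match beats a BLOCK match, and unmatched LAN-to-LAN traffic is allowed by default.

from dataclasses import dataclass

ALL_LOCAL = "All Local Networks"

@dataclass(frozen=True)
class Rule:
    on: str         # network the rule is configured on
    action: str     # "ALLOW" or "BLOCK"
    direction: str  # "from", "to", or "both"
    target: str     # a network name or ALL_LOCAL

    def matches(self, src: str, dst: str) -> bool:
        if self.on not in (src, dst):
            return False
        other = dst if self.on == src else src
        if self.target not in (other, ALL_LOCAL):
            return False
        if self.direction == "from":
            return dst == self.on   # traffic entering the rule's network
        if self.direction == "to":
            return src == self.on   # traffic leaving the rule's network
        return True                 # "both"

def evaluate(rules, src: str, dst: str) -> str:
    """Verdict for a new connection from network src to network dst."""
    actions = {r.action for r in rules if r.matches(src, dst)}
    if "ALLOW" in actions:
        return "ALLOW"
    if "BLOCK" in actions:
        return "BLOCK"
    return "ALLOW"  # default: traffic between LANs is allowed

# First approach from the answer: a single block rule on LAN B.
SIMPLE = [Rule("LAN B", "BLOCK", "to", "LAN A")]

# Second approach: block everything local on LAN B, then allow only LAN A in.
STRICT = [
    Rule("LAN B", "BLOCK", "both", ALL_LOCAL),
    Rule("LAN B", "ALLOW", "from", "LAN A"),
]

def matrix(rules, nets=("LAN A", "LAN B", "LAN C")):
    """Verdict for every ordered pair of distinct networks (LAN C is a later-added LAN)."""
    return {(s, d): evaluate(rules, s, d) for s in nets for d in nets if s != d}
```

Comparing `matrix(SIMPLE)` with `matrix(STRICT)` shows the difference the answer describes: under the first approach LAN C can still reach LAN B and vice versa, under the second only LAN A can reach LAN B.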