Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

Mesh VPN device rules

Follow
Avatar
Robby

This more or less continues my previous query about setting rules in MSP https://help.firewalla.com/hc/en-us/community/posts/34495864762899-VPN-Mesh-Rules-needed

I'm stuck on how the rules should be set for this simplified real-world example. Imagine this:

1. There are 2 boxes in the MSP mesh: BoxA and BoxB
2. BoxA has VLAN VlanA that has a device BoxA_VlanA_DeviceA. A network rule blocks access to and from the VLAN and other networks
3. BoxB has VLAN VlanB that has a device BoxB_VlanB_DeviceB. This VLAN also has the other-networks blocking rule
4. A mesh VPN device exists as meshVpnDeviceA

So quite simply, what rules would need to be set to allow BoxB_VlanB_DeviceB access to BoxA_VlanA_DeviceA, and meshVpnDeviceA should have to BoxA_VlanA_DeviceA but NOT BoxB_VlanB_DeviceB?

Two things to consider:

1. A dedicated network is created to carry the inter-box traffic, right? When traffic arrives at a box from the mesh network that's headed for a device on network that has the defacto rule 'block to and from other networks' then the mesh network will need an allow-rule to allow the traffic from the mesh network access to the device on the blocked network
2. Mesh VPN devices also live on the mesh network. The rules don't allow for stating the source device of the traffic, and it seems that in the mesh network the source device is even known. So when traffic from meshVpnDeviceA arrives at a box via the mesh network it'll will take advantage of whenever egress rules exist. It's not possible make device-specific rules on the mesh network

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Support Team

    @Robby, If you can reserve IP addresses for your devices, rules can be created to match the device's IP addresses and control access across boxes.

    For example, to block MeshVpnDeviceA from accessing BoxB_VlanB_DeviceB, create a block rule on Box B:

    • Match MeshVpnDeviceA's IP in the mesh network.
    • Apply the rule to DeviceB.

    By default, traffic between networks across the mesh network is allowed. However, if network-level blocking rules are already in place, exceptions can be set. For instance, to allow BoxB_VlanB_DeviceB to access BoxA_VlanA_DeviceA, create a rule on Box A:

    • Match DeviceB's local IP address.
    • Apply the rule to DeviceA.
    0
    Comment actions Permalink
  • Avatar
    Robby

    Hi, How do create a rule to 'match' an IP address? When creating a rule the 'on' is the source, but I see no way defining an IP as a source/on value because a rule's only 'on' values are the networks and devices on the box that the rule is on ?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post