Challenges with VLAN device rules to prevent outgoing LAN access but allow incoming LAN access
I have a VLAN with a single device in it. This device is exposed via the WAN and I'm having trouble configuring rules and having them work as expected.
Essentially, I want to block all outgoing network traffic to all LANs (in the event that the device becomes compromised) but allow all other LAN requests into the VLAN/device and to initiate communication.
Right now, I'm focusing on the device in question and have two rules set up:
The first one is to block traffic to all local networks. When I do this, nothing can communicate with the device and it can only be accessed through the WAN.
The second is an allow rule that allows traffic from all local networks. This initially works as expected: my local devices can connect to the device, but shortly after the rule is added, local devices begin being blocked. When I diagnose the block, it states that the block is because traffic to all local networks is denied.
Is there a way to achieve what I am trying to do in that the device should not be able to provoke any communication but allow others to communicate with it?
-
Hi kb, it sounds like you have the right idea. The only issue is that it's possible your device may be trying to send legit responses back to the LAN, but is blocked by the "Block Traffic to All Local Networks" rule.
Do you know the specific devices that need to communicate with this device? If so, you could try making specific, bi-directional allow rules for those devices only. Here's an example with VLANs: https://help.firewalla.com/hc/en-us/articles/39368161848467-Firewalla-Zero-Trust-Best-Practices-and-Examples#h_01JP8DABBCXP48J63084AARTRB
If you're using the Firewalla AP7, you can even more simply enable VqLAN and Device Isolation on that device, then add Allowed Devices for specific local traffic.
-
OK, sounds like I can't be general or generic about the rules. They need to be explicit to allow legit two way communication. I do have AP7, but this device is hardwired. So until y'all release a switch, I don't think that is an option for me.
I was hoping to avoid device-specific rules because I have quite a few devices that should communicate with this media server, but I understand why the network might not realize an outbound communication was invoked by a LAN device.
I'll dig into the article you shared and configure it at the device level. Thank you for taking the time to reply.