Challenges with VLAN device rules to prevent outgoing LAN access but allow incoming LAN access
I have a VLAN with a single device in it. This device is exposed via the WAN and I'm having trouble configuring rules and having them work as expected.
Essentially, I want to block all outgoing network to all LANs (in the event that the device becomes compromised) but allow all other LAN requests into the VLAN/Device and initiate communication.
Right now, I'm focusing on the device in question and have two rules set up:
The first one is to block traffic to all local networks. When I do this, nothing can communicate with the device and it can only be access through the WAN.
The second is an allow rule that allows traffic from all local networks. This initially works as expected my local devices can connect to the device, but shortly after the rule is added vocal devices begin being blocked. When I diagnose the block, it states that the block is because traffic to all local networks is denied.
Is there a way to achieve what I am trying to do in that the device should not be able to provoke any communication but allow others to communicate with it?
-
Hi kb, it sounds like you have the right idea. The only issue is that, it's possible your device may be trying to send legit responses back to the LAN, but is blocked by the "Block Traffic to All Local Networks" rule.
Do you know the specific devices that need to communicate with this device? If so, you could try making specific, bi-directional allow rules for those devices only. Here's an example with VLANs: https://help.firewalla.com/hc/en-us/articles/39368161848467-Firewalla-Zero-Trust-Best-Practices-and-Examples#h_01JP8DABBCXP48J63084AARTRB
If you're using the Firewalla AP7, you can even more simply enable VqLAN and Device Isolation on that device, then add Allowed Devices for specific local traffic.
-
OK, sounds like I can't be general or generic about the rules. They need to be explicit to allow legit two way communication. I do have AP7, but this device is hardwired. So until y'all release a switch, I don't think that is an option for me.
I was hoping to avoid devices specific rules because I have quite a few devices that should communicate with this media server, but I understand why the network might not realize an outbound communication was invoked by a LAN device.
I'll dig in to the article you shared a configure it at the device level.Thank you for taking the time to reply.
-
kb I tried to duplicate your problem. I am not sure which direction you put the block on but this should work to allow traffic to my IoT network but not from it.
I made the following two rules:
Rule 1: Block everything
Action: Block
Matching: Traffic from & to All Local Networks
On: Network IoT
Rule 2: The Unidirectional Allow
Action: Allow
Matching: Traffic from All Local Networks (could be from a specific network as well)
On: Network IoT
- Device on another network was able to ping and do VNC connection to device on IoT.
- Device on the IoT network was not able to ping the devices on another network.
Both rules are at the same level, and the Allow rule matches the inbound traffic so it takes priority.
If you use from and to allow you will not get the unidirectional allow I think you are after. Both sides will be able to communicate.
You could also change the allow rule to be "more specific" e.g. on a device or Group rather than the Network level.
If this doesn't work, it may be something specific about the traffic you were passing that such as mDNS or SSDP which is actually not about the traffic about mostly more about discovery than the actual traffic or there was some other rule that was causing a conflict that the allow rule didn't overcome.
Please sign in to leave a comment.
Comments
5 comments