Confusion Regarding Inter-vlan routing, can you please clarify documentation or my mistake?

Comments

8 comments

  • Michael Bierman

    PBR is for sending traffic through a specific WAN interface. That doesn't seem to apply here.

    You also don't need VPN.

    If I understand what you are doing, you want to manage your VLAN2 devices from VLAN1. Presumably you don't want VLAN2 to have access to VLAN1. So simply make a rule that BLOCKS access to VLAN1 from all local networks. Then make a rule that allows traffic from VLAN1 to VLAN2.

    1
  • Dave Taylor

    Also be aware that the Firewalla default for VLAN traffic is default-allow so you need to explicitly block it first before adding additional rules.

    As an aside, the current default seems like a bad idea, if you've partitioned traffic into different VLANs then it seems the default should be to not route traffic between them as default-allow defeats the whole point of having VLANs in the first place.

    0
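The two comments above describe an ordered rule set (block all local networks to VLAN1 first, then allow VLAN1 to VLAN2) on top of a default-allow inter-VLAN policy. The model below is an added illustration, not Firewalla's rule engine: first-match ordered rules, a configurable default verdict, and reply packets of an already-allowed flow being permitted are all assumptions, as are the two constructed VLAN subnets.

```python
"""Toy first-match inter-VLAN policy with stateful return traffic (constructed model)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed VLAN subnets; LOCAL is a wildcard for "any local VLAN".
VLANS = {"VLAN1": ip_network("192.168.1.0/24"), "VLAN2": ip_network("192.168.2.0/24")}
LOCAL = "LOCAL"


def vlan_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)


@dataclass
class Rule:
    action: str  # "block" or "allow"
    src: str     # VLAN name or LOCAL
    dst: str     # VLAN name or LOCAL


@dataclass
class Policy:
    rules: list                 # evaluated top to bottom, first match wins
    default: str = "allow"      # assumed default-allow, as described in the thread
    flows: set = field(default_factory=set)  # (src_ip, dst_ip) of allowed flows

    def check(self, src_ip, dst_ip):
        if (dst_ip, src_ip) in self.flows:
            return "allow"      # reply packet of an established, allowed flow
        src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
        if src_vlan == dst_vlan:
            return "allow"      # same VLAN: switched, never routed through policy
        verdict = self.default
        for rule in self.rules:
            if rule.src in (LOCAL, src_vlan) and rule.dst in (LOCAL, dst_vlan):
                verdict = rule.action
                break
        if verdict == "allow":
            self.flows.add((src_ip, dst_ip))
        return verdict


def management_policy():
    """Block everything local -> VLAN1 first, then allow VLAN1 -> VLAN2."""
    return Policy(rules=[Rule("block", LOCAL, "VLAN1"), Rule("allow", "VLAN1", "VLAN2")])


def allow_only_policy():
    """An allow rule alone changes nothing under default-allow (Dave's point)."""
    return Policy(rules=[Rule("allow", "VLAN1", "VLAN2")])
```

Run `management_policy().check("192.168.2.21", "192.168.1.10")` to see the block, and the same call on `allow_only_policy()` to see why the explicit block rule is needed.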
  • Michael Bierman

    Good callout, Dave.

    I don't know if I agree with your second point. There are many instances where one might allow traffic from one VLAN to another, but not vice versa. Now add a couple of VLANs... does it make sense to assume no traffic, either way, on all of the VLANs? Certainly, one can't assume one direction or another. Also, it could frustrate a lot of users because all of a sudden a device they are trying to set up isn't working.

    I think in this case, making the user make a conscious choice makes sense. I don't think it is possible to guess correctly more than ⅓ of the time.

    0
  • Dave Taylor

    Maybe add an additional question when creating a VLAN asking the user whether they want to make it private (no default routing to/from) or public (default routing to/from)? It certainly came as a surprise to me to be able to send traffic from one VLAN to another when I first set them up.

    0
  • Firewalla

    What kind of policies would you want by default on VLANs?

    1. block LAN traffic to and from

    2. block LAN traffic to but not from

    3. block LAN traffic from it but not to it

    0
  • Firewalla

    Totally forgot we have this already.

    0
  • Dave Taylor

    > What kind of policies would you want by default on VLANs?

    What I'm used to from switches is that VLANs are logically isolated, so you need to either set up explicit inter-VLAN routing via the switch or do it via an external router. Getting VLANs that auto-routed traffic to other VLANs came as a surprise, since it defeated the logical isolation provided by the VLAN.

    If there has to be a single default, I'd say #1, block traffic to other (V)LANs unless explicitly enabled. Or add the additional step of asking whether it should be a private or public VLAN as part of the setup: private = isolated from other VLANs, public = routed to other VLANs.

    0
  • Dave Taylor

    > Totally forgot we have this already.

    That's... not the best UI for it. It doesn't mention VLANs (I thought it was just for a port on a FWG, and never understood why you'd need the Firewalla at all when it was just an isolated network on its own switch). Same with Guest Network: it doesn't mention VLANs, so I assumed you could designate one port on a FWG for that purpose, e.g. via an AP plugged into it for guest use.

    0