Confusion Regarding Inter-vlan routing, can you please clarify documentation or my mistake?
I have two networks, let's call them:
Network A (N-A): 10.0.1.0/24, LAN1,
Network B (N-B): 10.0.2.0/24, LAN2
N-A is my private network and N-B is a Server VLAN exposed to the internet; both networks run off their own physical interface and switch on the Firewalla device.
SCENARIO: I am configuring inter-vlan routing so that I can locally manage my servers without having to VPN in to that network from the outside. However, when I review the documentation for configuring routing (https://help.firewalla.com/hc/en-us/articles/360061592433-Firewalla-Policy-Content-Based-Routing) I think there is either something I don't understand or the documentation might need to be updated.
Per the explanation video, it states the "interface" in the config dialog is the interface you are sending the traffic TO, so I configured something like:
MATCHING: IP - 10.0.2.2:22
ON: All Devices
INTERFACE: LAN2
NEXT HOP: 10.0.2.1 (the gateway of my server VLAN)
I believe this should have worked because the video states the "interface" when configuring a route should be the interface you are sending traffic TO. So if I am on a machine from LAN 1, interface 1 using IP address 10.0.1.2/24 and I want to access a server on LAN2, interface 2 using IP address 10.0.2.2/24, that traffic should go TO both the interface for the 10.0.2.0/24 network and the gateway for that network 10.0.2.1 where my server would be found, and everything should be good.
But that didn't work. What worked was configuring:
MATCHING: IP - 10.0.2.2:22
ON: All Devices
INTERFACE: LAN1
NEXT HOP: 10.0.2.1 (the gateway of my server VLAN)
Now, this kinda makes sense because I could interpret this as "Send requests from all devices on LAN1 for 10.0.2.2:22 to 10.0.2.1 (the gateway of my server vlan)" but if that is the correct interpretation then the documentation could be wrong because in that case the TO becomes a FROM. If that interpretation is incorrect, then I'm not sure what I might be missing.
fwiw: I'm an IT professional breaking into networking and have a knowledge level around a Network+ (vs CCIE, CCNA etc) so I'm very open to the idea there is something I don't understand here.
Any insight would be much appreciated.
-
PBR is for sending traffic through a specific WAN interface. That doesn’t seem to apply here.
You also don't need VPN. If I understand what you are doing, you want to manage your VLAN2 devices from VLAN1. Presumably you don't want VLAN2 to have access to VLAN1. So simply make a rule that BLOCKS access to VLAN1 from all local networks. Then make a rule that allows traffic from VLAN1 to VLAN2.
-
Also be aware that the Firewalla default for VLAN traffic is default-allow so you need to explicitly block it first before adding additional rules.
As an aside, the current default seems like a bad idea, if you've partitioned traffic into different VLANs then it seems the default should be to not route traffic between them as default-allow defeats the whole point of having VLANs in the first place.
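To make the advice in the two replies above concrete (block VLAN1 from all local networks, then allow VLAN1 to VLAN2, on top of a default-allow), here is an added example that is not Firewalla's code or part of this thread: a small first-match rule evaluator over the two subnets from the question. It assumes top-down, first-match evaluation and a default-allow fallback; Firewalla's real rule-priority semantics may differ.

```python
# Added example: model of the "block first, then allow" advice, not Firewalla code.
# Assumptions: rules evaluated top-down, first match wins, unmatched traffic
# falls through to the default (default-allow for VLAN traffic, per the reply).
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN1 = ipaddress.ip_network("10.0.1.0/24")   # private network (N-A)
LAN2 = ipaddress.ip_network("10.0.2.0/24")   # internet-exposed server VLAN (N-B)
ANY_LOCAL = [LAN1, LAN2]


@dataclass
class Rule:
    action: str                  # "allow" or "block"
    src: list                    # list of IPv4Network
    dst: list                    # list of IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip, dst_ip, dport):
        return (any(src_ip in n for n in self.src)
                and any(dst_ip in n for n in self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules, src, dst, dport, default="allow"):
    """Return the action for one flow under first-match evaluation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


NO_RULES = []                                        # Firewalla default: everything passes
ALLOW_ONLY = [Rule("allow", [LAN1], [LAN2])]         # allow alone changes nothing
BLOCK_THEN_ALLOW = [                                 # the reply's two rules
    Rule("allow", [LAN1], [LAN2]),                   # manage servers from LAN1
    Rule("block", ANY_LOCAL, [LAN1]),                # nothing local may reach LAN1
]

FLOWS = [                              # constructed sample flows
    ("10.0.1.2", "10.0.2.2", 22),      # admin on LAN1 -> server SSH
    ("10.0.2.2", "10.0.1.2", 22),      # exposed server VLAN -> private LAN
    ("10.0.2.2", "10.0.1.50", 445),    # exposed server VLAN -> private file share
]


def policy_matrix(rules):
    """Map each sample flow to the action the rule set yields."""
    return {flow: decide(rules, *flow) for flow in FLOWS}
```

Under this model the allow rule on its own leaves every flow passing because of the default-allow; only the explicit block stops the server VLAN from reaching the private LAN while the LAN1 to LAN2 management path stays open.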
-
Good callout Dave.
I don't know if I agree with your second point. There are many instances where one might allow traffic from one VLAN to another, but not vice versa. Now add a couple of VLANs... does it make sense to assume no traffic, either way, on all VLANs? Certainly, one can't assume one direction or another. Also, it could frustrate a lot of users because all of a sudden a device they are trying to set up isn't working.
I think in this case, making the user make a conscious choice makes sense. I don't think it is possible to guess correctly more than ⅓ of the time.
-
Maybe add an additional question when creating a VLAN asking the user whether they want to make it private (no default routing to/from) or public (default routing to/from)? It certainly came as a surprise to me to be able to send traffic from one VLAN to another when I first set them up.
-
What kind of policies will want to default on VLANs?
What I'm used to from switches is that VLANs are logically isolated, so you need to either set up explicit inter-VLAN routing via the switch or do it via an external router. Getting VLANs that auto-routed traffic to other VLANs came as a surprise, since it defeated the logical isolation provided by the VLAN.
If there has to be a single default, I'd say #1, block traffic to other (V)LANs unless explicitly enabled. Or add the additional step of asking whether it should be a private or public VLAN as part of the setup, private = isolated from other VLANs, public = routed to other VLANs.
-
Totally forgot we have this already
That's... not the best UI for it. It doesn't mention VLANs (I thought it was just for a port on a FWG, and never understood why you'd need the Firewalla at all when it was just an isolated network on its own switch). Same with Guest Network, it doesn't mention VLANs so I assumed you could designate one port on a FWG for that purpose, e.g. via an AP plugged into it for guest use.