Applying firewall policies to VLAN crossings

triddle_vc
Aspirant

Applying firewall policies to VLAN crossings

Hello,

Is it possible to filter packets using a security policy based on intervlan communication? For instance, I want to implement a policy that vlan 1 can establish outgoing connections to vlan2 and vlan2 only allows responses that originated from vlan 1.

Is this even possible? Do I have to create rules based on source and destination IP address?

I do not see in the documentation how to do either of those tasks.

Please assist.

Thank you,

Tyler
Message 1 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

Don't think it will on a VLAN-supported ProSafe router. Inter-VLAN will allow communication to other VLANs for LAN access.
Message 2 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

Thanks for the quick response! Does that include the SRX5308? I forgot to include that in my original post.
Message 3 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

That is one that has vlan support
Message 4 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

sorry.. this is the one
http://support.netgear.com/app/products/model/a_id/13568

SRX5308

FVS318N

these are the ones that have VLAN
Message 5 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

jmizoguchi wrote:
sorry.. this is the one
http://support.netgear.com/app/products/model/a_id/13568

SRX5308

FVS318N

these are the ones that have VLAN


Does that mean I can apply a firewall policy to traffic crossing from one vlan to another?

For instance,

vlan 1: 192.168.0.0/24
vlan 2: 192.168.1.0/24

vlan 1 -> vlan 2: permit connect
vlan 2 -> vlan 1: permit response; block connect

I've looked through the docs, I don't see how to achieve this. I only see how to set a policy for lan <-> wan; lan <-> dmz; wan <-> dmz

Thanks!

Tyler
Message 6 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

Inter VLAN Routing
Enable Inter VLAN Routing: When enabled, traffic is forwarded between this VLAN and other VLANs configured with a different subnet. This option should be enabled on all VLANs where inter-VLAN communication is required.


here is the definition
Message 7 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

jmizoguchi wrote:
here is the definition


I have inter-vlan routing working, the vlans can communicate to each other; that is not the issue. The issue is there is too much communication. I want to restrict vlan 2 from communicating to vlan 1 with policies so only some traffic may pass and other traffic may not.

Is this possible?
Message 8 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

don't think it does...
Message 9 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

you need to rely on a switch to work with existing VLAN IDs, but layer switches will have more in-depth settings
Message 10 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

jmizoguchi wrote:
you need to rely on a switch to work with existing VLAN IDs, but layer switches will have more in-depth settings


We have layer-3 switches with VLAN capability; they are also NETGEAR units. However, since they are layer 3 they do not provide IP-level filtering. This is why we bought a firewall/router device.

I'm amazed the firewall/router can't do this. It's extremely unfortunate and nearly deceptive.
Message 11 of 19
adit
Mentor

Re: Applying firewall policies to VLAN crossings

Which firmware are you using? Do you have a VLAN Rules section under Network Security (or Firewall; not sure how it's labeled on the 5308)? It's where the rest of the Rules are set up.
Message 12 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

I use a layer switch behind my ProSecure UTM, which has the same core firmware as ProSafe and does the same thing.
Message 13 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

never post while on phone

here is something for you...

VLAN Rules
Firewall rules for traffic between the source VLAN and the destination VLAN can be defined on this screen.
NOTE: VLAN firewall rules take precedence over the "Enable Inter VLAN Routing" option available in the Add/Edit VLAN Settings page. That is, if inter-VLAN routing is disabled while configuring a VLAN and the user explicitly adds a rule to allow some services between two VLANs, those services will be allowed.
VLAN Services
This table lists the existing rules for traffic. A rule is defined by the following fields:
! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is gray and it is enabled if the status light is green. Disabling a rule does not delete the configuration, but merely deactivates the rule.
Service Name: This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers, such as FTP, SSH, Telnet, ping, and so on. Services not already on the list can be added on the Services screen (select Network Security > Services).
Filter: Defines an action to be taken on the enabled rule. It can be:
Block Always: Block the selected service at all times.
Allow Always: Allow the selected service to pass through at all times.

Source VLAN Users: Specifies whether one or more source VLAN IP addresses are affected by this rule. The rule affects packets for the selected service coming from the source IP address or range of IP addresses in this field.
Any: All IP addresses on the source VLAN are included in the rule.
Single Address: When this option is selected, a single address that is affected by the rule is displayed in this field.
Address Range: When this option is selected, a range of addresses from the START address to the END address that are affected by the rule is displayed in this field.

Destination VLAN Users: Specifies whether one or more destination VLAN IP addresses are affected by this rule. The rule affects packets for the selected service sent to the destination IP address or range of IP addresses in this field.
Any: All IP addresses on the Destination VLAN will be affected by the rule.
Single Address: A single VLAN IP address will be affected by the rule.
Address Range: A range of IP addresses on the Destination VLAN will be affected by the rule.

Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if a VLAN rule is selected as Block Always, then for every packet that tries to make connection for that service, a message with the packet's source address and destination address (and other information) will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.
The actions that can be taken on rules are:
Edit: Modifies the configuration of the selected rule.
Select All: Selects all the rules in the table.
Delete: Delete the selected rule or rules.
Enable: Enables the selected rule or rules listed in the table.
Disable: Disables the selected rule or rules listed in the table.
Add: Adds a new rule.
Message 14 of 19
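As an added illustration (my own code, not NETGEAR's), here is the policy Tyler described in message 6 expressed with the rule fields from the VLAN Rules help text above (Filter, Source/Destination VLAN Users, Log), plus a connection table for the "permit response; block connect" half. The help text only describes Block Always / Allow Always per service and address, so whether the appliance tracks connection state for VLAN rules is an assumption here, as are all class and function names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VlanRule:
    service: str   # Service Name from the rule table; "ANY" matches all
    filter: str    # "Block Always" or "Allow Always"
    src: str       # Source VLAN Users: "Any", one IP, or "start-end"
    dst: str       # Destination VLAN Users: same forms
    log: bool = False

def users_match(spec: str, ip: str) -> bool:
    """Match one IP against an Any / Single Address / Address Range field."""
    addr = ipaddress.ip_address(ip)
    if spec == "Any":
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)

class InterVlanFilter:
    """First matching rule wins; with no match, inter-VLAN routing decides."""
    def __init__(self, rules, inter_vlan_routing=True):
        self.rules = rules
        self.default = inter_vlan_routing
        self.established = set()   # (client_ip, server_ip, service); assumed stateful

    def decide(self, service, src, dst, new_conn=True):
        # A reply is allowed only if the forward connection was accepted earlier.
        if not new_conn and (dst, src, service) in self.established:
            return "allow (response)"
        for r in self.rules:
            if r.service in ("ANY", service) and users_match(r.src, src) and users_match(r.dst, dst):
                verdict = "allow" if r.filter == "Allow Always" else "block"
                break
        else:
            verdict = "allow" if self.default else "block"
        if verdict == "allow" and new_conn:
            self.established.add((src, dst, service))
        return verdict

# Constructed rules for the thread's two subnets: VLAN 1 (192.168.0.0/24) may
# open connections to VLAN 2 (192.168.1.0/24); VLAN 2 may only answer.
POLICY = [
    VlanRule("ANY", "Allow Always", "192.168.0.1-192.168.0.254", "192.168.1.1-192.168.1.254"),
    VlanRule("ANY", "Block Always", "192.168.1.1-192.168.1.254", "192.168.0.1-192.168.0.254", log=True),
]

def demo():
    fw = InterVlanFilter(POLICY)
    return [fw.decide("SSH", "192.168.0.10", "192.168.1.20"),                  # VLAN 1 connects
            fw.decide("SSH", "192.168.1.20", "192.168.0.10", new_conn=False),  # VLAN 2 answers
            fw.decide("SSH", "192.168.1.20", "192.168.0.10"),                  # VLAN 2 connects
            fw.decide("SSH", "192.168.1.20", "192.168.0.99", new_conn=False)]  # unsolicited reply
```

Without the connection table, the only way to let VLAN 2 answer with stateless Allow/Block rules is to allow the service in both directions, which is exactly the unrestricted traffic the question wants to avoid.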
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

adit wrote:
Which firmware are you using?

Do you have a VLAN Rules section under Network Security (or Firewall; not sure how it's labeled on the 5308)? It's where the rest of the Rules are set up.


Thanks for your pointer. I didn't see anything like that, here's a screen shot of what I've got under the 'Security' top level menu: http://i.imgur.com/bQDAa.png

Here is the firmware version info:

Firmware Version (Primary): 3.0.7-45
Firmware Version (Secondary): 3.0.7-24

is the firmware just out of date?
Message 15 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

jmizoguchi wrote:
never post while on phone

here is something for you...


That looks like exactly what I want.... I just don't see how I get access to that configuration section.
Message 16 of 19
adit
Mentor

Re: Applying firewall policies to VLAN crossings

Contact Tech Support and tell them your issue and you need beta firmware 3.0.7-61. You can reference this post. They should be able to get you a copy of that firmware. I think it will have the VLAN Rules capability.
Message 17 of 19
jmizoguchi
Virtuoso

Re: Applying firewall policies to VLAN crossings

ProSecure UTM has those rules.
That help file is from the UTM.
Message 18 of 19
triddle_vc
Aspirant

Re: Applying firewall policies to VLAN crossings

adit wrote:
Contact Tech Support and tell them your issue and you need beta firmware 3.0.7-61. You can reference this post.

They should be able to get you a copy of that firmware.

I think it will have the VLAN Rules capability.


Thank you again for the pointer! I'll check with support tomorrow.

Cheers,

Tyler
Message 19 of 19