DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860ac shared resources across multiple VLANs Firewall Rules

31 Aug 2015 10:57 #1 by peterdc
Hi,

I've set my Vigor 2860ac (FW 3.7.8.3) to have a number of different port-based VLANs thus:

(Port 1/VLAN 1) 10.2.2.0 - Company A
(Port 2/VLAN 2) 10.3.3.0 - Company B
(Port 3/VLAN 3) 10.5.5.0 - Shared Resources

Company A and Company B must remain separate, as they are two completely different entities sharing the broadband connection.

I've got a network printer with IP address 10.5.5.5 on Port/VLAN 3 that both companies need access to. This is the only IP address that either company's network needs to access, and I'd like it to be one way only; there's no need for anything on the 10.5.5.0 network to access anything on either of the two company networks.

At the moment, due to my ignorance, I've enabled inter-LAN routing (VLANs 1/3 and VLANs 2/3).

This is less than desirable, and I would like to remove the inter-LAN routing settings in favour of a more secure setup.

Do I need to set up a static route from VLAN 1 and VLAN 2 to 10.5.5.5 and/or create some firewall rules to allow this? If so, what would the settings be please? I've exhausted my abilities with trying things I've found on Google and nothing I try takes in the Draytek, so I must be doing things wrong. I'm now thinking that a static route won't help because, by definition, that's only for traffic travelling over the WAN port?

So I think my best bet is to leave the inter-LAN routing settings intact and use Firewall rules to block all access from both company LANs to the 10.5.5.0 network, then another to allow access to only 10.5.5.5, and then rules to block all access from 10.5.5.0 to both of the company LANs.

Because there's nothing else on the 10.5.5.0 network at the moment, I'm trying Firewall rules to block access to the 10.5.5.0 network from the 10.2.2.0 network but whatever I do I can still access the printer. My hope was to get this working then reverse the logic a bit. Does enabling inter-LAN routing take priority over my Firewall rules? If so, maybe I need to remove the inter-LAN routing option but then add a Firewall rule that allows access from each company LAN to 10.5.5.5?

Any help will be gratefully received.

Thank you.


31 Aug 2015 15:24 #2 by peterdc
I've finally worked it out.

Enable inter-LAN routing, then two simple Firewall rules to block 10.5.5.0 from accessing 10.2.2.0 and 10.3.3.0.

What I wasn't doing was setting 'Next Filter Set' in the last filter set so that the default data filter follows onto my new filter set.

Phew!
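The filter-set chaining that tripped up the poster, as a constructed Python model (added here; it is not code from the post or from DrayTek firmware). It assumes first-match evaluation within a set, fall-through to the set named in 'Next Filter Set', pass-by-default when no rule matches, and that traffic between VLANs without inter-LAN routing never reaches the firewall at all; all of these are modelling assumptions, and the sample host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

COMPANY_A, COMPANY_B, SHARED = "10.2.2.0/24", "10.3.3.0/24", "10.5.5.0/24"
# Inter-LAN routing enabled only for VLAN pairs 1/3 and 2/3, as in the post.
INTER_LAN = {frozenset({COMPANY_A, SHARED}), frozenset({COMPANY_B, SHARED})}


class FilterSet:
    """One filter set: ordered (src_net, dst_net, action) rules plus an optional next set."""
    def __init__(self, name, rules, next_set=None):
        self.name, self.rules, self.next_set = name, rules, next_set


def vlan_of(ip):
    return next(n for n in (COMPANY_A, COMPANY_B, SHARED) if ip_address(ip) in ip_network(n))


def evaluate(first_set, src, dst):
    """Model: walk the chain, first matching rule wins; no match anywhere means pass."""
    if vlan_of(src) != vlan_of(dst) and frozenset({vlan_of(src), vlan_of(dst)}) not in INTER_LAN:
        return "not routed"          # assumption: no inter-LAN route, so no firewall decision
    cur = first_set
    while cur is not None:
        for src_net, dst_net, action in cur.rules:
            if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
                return action
        cur = cur.next_set           # fall through via 'Next Filter Set'
    return "pass"                    # assumption: unmatched traffic is passed


# The poster's two rules: the shared VLAN may not initiate traffic into either company LAN.
ISOLATION = FilterSet("isolation", [(SHARED, COMPANY_A, "block"), (SHARED, COMPANY_B, "block")])


def policy_check(next_filter_set_configured):
    """Evaluate sample flows with the default data filter set chained (or not) to ISOLATION."""
    default = FilterSet("default", [], next_set=ISOLATION if next_filter_set_configured else None)
    flows = {  # constructed sample hosts
        "A->printer": ("10.2.2.10", "10.5.5.5"),
        "B->printer": ("10.3.3.10", "10.5.5.5"),
        "shared->A": ("10.5.5.5", "10.2.2.10"),
        "shared->B": ("10.5.5.5", "10.3.3.10"),
        "A->B": ("10.2.2.10", "10.3.3.10"),
    }
    return {name: evaluate(default, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for configured in (False, True):
        print("Next Filter Set configured:", configured, policy_check(configured))
```

With the chain link missing, every flow is passed because the isolation set is never consulted, which is exactly the symptom described in the first post.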
