569
edits
Changes
VLAN Inter-Zone accessibility control configuration example (view source)
Revision as of 14:42, 2 August 2023
, 14:42, 2 August 2023no edit summary
<p style="color:red">The information in this page is updated in accordance with firmware version '''[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads 00.07.03]'''.
==Introduction==
==Introduction==
Created VLANs in the WebUI should look similar to this:
Created VLANs in the WebUI should look similar to this:
[[File:3vlansforintervlan.png|border|class=tlt-border|]]
[[File:3vlansforintervlans.png|border|class=tlt-border]]
==VLAN to VLAN communication with one firewall zone==
==VLAN to VLAN communication with one firewall zone==
Once VLANs are created - they lay under one firewall zone, here is a Topology of the network and the zone which covers all 3 of VLANs:
[[File:Topo one zone vlans.jpg|600px|border|class=tlt-border]]
Initially, when we create VLAN interfaces, all VLANs are able to communicate with each other, for example pinging from lan to lan2:
Initially, when we create VLAN interfaces, all VLANs are able to communicate with each other, for example pinging from lan to lan2:
==VLAN to VLAN communication with inter-zone forwarding==
==VLAN to VLAN communication with inter-zone forwarding==
In order to get more control over VLANs, an '''inter-zone''' forwarding functionality should be used. To start with, we will need to create new firewall zones: LAN1, LAN2 and LAN3. To add new zones, navigate to '''Network -> Firewall -> General Settings'''. In the Zones section, press ADD button to add a new zone.
In order to get more control over VLANs, an '''inter-zone''' forwarding functionality should be used. Here is a network topology with firewall zones and an explanation.
[[File:3zonetopology.png|600px|border|class=tlt-border]]
To start with, we will need to create new firewall zones: LAN1, LAN2 and LAN3. To add new zones, navigate to '''Network -> Firewall -> General Settings'''. In the Zones section, press ADD button to add a new zone.
[[File:Addnewfwzone1.png|border|1000px|class=tlt-border|]]
[[File:Addnewfwzone1.png|border|1000px|class=tlt-border|]]
* Forward: Reject
* Forward: Reject
* Covered networks: lan
* Covered networks: lan
'''Note''': By setting the Input and Output zones to '''Accept''' traffic is allowed to enter and leave the zone. '''Forward: Reject''' blocks communication between zones - this is a default policy. '''Inter-zone forwarding''' section can be used to modify the default behavior of the Forward zone and allow communication between zones.
[[File:Lan1zonesettings.png|border|class=tlt-border|]]
[[File:Lan1zonesettings.png|border|class=tlt-border|]]
----
----
Follow these steps to create Firewall Zones lan2 and lan3. Lan2 zone settings:
Follow the same steps to create Firewall Zones '''lan2''' and '''lan3'''. '''Lan2''' zone settings:
* Name: lan2
* Name: lan2
* Covered networks: lan2
* Covered networks: lan2
Lan3 zone settings:
'''Lan3''' zone settings:
* Name: lan3
* Name: lan3
[[File:Newlycreatedfirewallzones.png|border|1000px|class=tlt-border|]]
[[File:Newlycreatedfirewallzones.png|border|1000px|class=tlt-border|]]
Now, to attach these zones to the corresponding interfaces, we need to go back to the Network Interfaces tab ('''Network -> Interfaces -> General'''). Click edit on the lan zone and navigate to Firewall settings. In Create / Assign firewall-zone section, select lan1:
----
Now, to attach these zones to the corresponding interfaces, we need to go back to the Network Interfaces tab ('''Network -> Interfaces -> General'''). Click edit on the lan interface and navigate to Firewall settings. In Create / Assign firewall-zone section, select lan1:
[[File:Interfacesfireewallsettings.png|border|class=tlt-border|]]
[[File:Interfacesfireewallsettings.png|border|class=tlt-border|]]
----
----
Example: lan1 wants to communicate only with lan2:
Example: '''lan1''' wants to communicate only with '''lan2''':
* lan1 settings: allow forward to destination zones: lan2
* lan1 settings: allow forward to destination zones: lan2
* lan1 settings: allow forward from source zones: lan2
* lan1 settings: allow forward from source zones: lan2
* No need to change settings for the lan2 zone
* No need to change settings for the lan2 zone
If lan1 to lan2 communication is allowed, zone settings should look like this:
If '''lan1''' to '''lan2''' communication is allowed, zone settings should look like this:
[[File:2022-12-14 12-52 lan1 and lan2.png|border|class=tlt-border|]]
[[File:2022-12-14 12-52 lan1 and lan2.png|border|class=tlt-border|]]
Testing the communication between lan1 and lan2:
Testing the communication between '''lan1''' and '''lan2''':
[[File:2022-12-14 12-54 pings work.png|border|class=tlt-border|]]
[[File:2022-12-14 12-54 pings work.png|border|class=tlt-border|]]
----
----
If we try to reach lan3 from lan1, where the forwarding is not set, the result would be this:
If we try to reach '''lan3''' from '''lan1''', where the forwarding is not set, the result would be this:
[[File:2022-12-14 12-56 pings not work.png|border|class=tlt-border|]]
[[File:2022-12-14 12-56 pings not work.png|border|class=tlt-border|]]
To reach lan3 from lan1, edit lan3 zone accordingly:
To reach '''lan3''' from '''lan1''', edit '''lan3''' zone accordingly:
* allow forward to destination zones: lan1
* allow forward to destination zones: lan1
* allow forward from source zones: lan1
* allow forward from source zones: lan1
[[File:2022-12-14 12-57 zones after changes.png|border|class=tlt-border|]]
[[File:2022-12-14 12-57 zones after changes.png|border|class=tlt-border|]]
Now the communication between lan1 and lan3 works:
Now the communication between '''lan1''' and '''lan3''' works:
[[File:2022-12-14 12-59 pings go.png|border|class=tlt-border|]]
[[File:2022-12-14 12-59 pings go.png|border|class=tlt-border|]]
Using these examples as a base, you can allow / reject VLAN to VLAN communication between different VLANs according to your needs.
[[Category:Router control and monitoring]]
