VLAN Inter-Zone accessibility control configuration example: Difference between revisions
PauliusRug (talk | contribs) No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
<p style="color:red">The information in this page is updated in accordance with firmware version '''[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads 00.07. | <p style="color:red">The information in this page is updated in accordance with firmware version '''[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads 00.07.09.01]'''. | ||
==Introduction== | ==Introduction== | ||
| Line 5: | Line 5: | ||
In this example we will show how to manage VLAN to VLAN communication with either '''one''' firewall zone or '''multiple''' firewall zones. | In this example we will show how to manage VLAN to VLAN communication with either '''one''' firewall zone or '''multiple''' firewall zones. | ||
If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on '''"Advanced WebUI"''' mode. You can do that by clicking the '''" | If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on '''"Advanced WebUI"''' mode. You can do that by clicking the '''"Advanced"''' button which is located at the top-right corner of the WebUI. | ||
[[File: | [[File:Networking rutos manual webui basic advanced mode 75.gif|border|class=tlt-border|1004x1004px]] | ||
==Setting up VLANs== | ==Setting up VLANs== | ||
| Line 17: | Line 17: | ||
Created VLANs in the WebUI should look similar to this: | Created VLANs in the WebUI should look similar to this: | ||
[[File: | [[File:3vlansforintervlansv2.png|border|class=tlt-border]] | ||
==VLAN to VLAN communication with one firewall zone== | ==VLAN to VLAN communication with one firewall zone== | ||
| Line 29: | Line 29: | ||
[[File:Allowlan1tolan2pingoriginal.png|border|class=tlt-border|]] | [[File:Allowlan1tolan2pingoriginal.png|border|class=tlt-border|]] | ||
To disable VLAN to VLAN communication, navigate to '''Network -> Firewall -> General Settings'''. Press '''Edit''' on the '''LAN''' zone (lan -> wan) | To disable VLAN to VLAN communication, navigate to '''Network -> Firewall -> General Settings'''. Press '''Edit''' on the '''LAN''' zone (lan -> wan). | ||
[[File: | [[File:Lan zone edit.png|border|1100px|class=tlt-border|]] | ||
Click on '''Forward''' and select '''Drop or Reject'''. Make sure that all created VLANs are added in the Covered networks tab: | |||
[[File:Disablevlantovlandefaultv2.png|border|class=tlt-border|]] | |||
Now if we try to reach lan2 from lan, the devices are not able to communicate: | Now if we try to reach lan2 from lan, the devices are not able to communicate: | ||
| Line 43: | Line 47: | ||
[[File:3zonetopology.png|600px|border|class=tlt-border]] | [[File:3zonetopology.png|600px|border|class=tlt-border]] | ||
To start with, we will need to create new firewall zones: LAN1, LAN2 and LAN3. To add new zones, navigate to '''Network -> Firewall -> General Settings'''. In the Zones section, press | To start with, we will need to create new firewall zones: LAN1, LAN2 and LAN3. To add new zones, navigate to '''Network -> Firewall -> General Settings'''. In the Zones section, press [[File:Add Button.png|60x90px]] to add a new zone. | ||
[[File: | [[File:Addnewfwzone1v1.png|border|1100px|class=tlt-border|]] | ||
A new window will open, there configure the settings according to the points below and press [[File:Save & Apply.png|100x30px]].: | |||
<table class="nd-othertables_2"> | |||
<tr> | |||
<th width=400; style="border-bottom: 1px solid white;></th> | |||
<th width=600; style="border-bottom: 1px solid white"; rowspan=2>[[File:Lan1zonesettingsv2.png|border|class=tlt-border|right]]</th> | |||
</tr> | |||
<tr> | |||
<td style="border-bottom: 4px solid white> | |||
# Name: '''Enter desired name''' | |||
# Input: '''Accept''' | |||
# Output: '''Accept''' | |||
# Forward: '''Reject''' | |||
# Covered networks: '''lan''' | |||
</td> | |||
</tr> | |||
</table> | |||
'''Note''': By setting the Input and Output zones to '''Accept''' traffic is allowed to enter and leave the zone. '''Forward: Reject''' blocks communication between zones - this is a default policy. '''Inter-zone forwarding''' section can be used to modify the default behavior of the Forward zone and allow communication between zones. | '''Note''': By setting the Input and Output zones to '''Accept''' traffic is allowed to enter and leave the zone. '''Forward: Reject''' blocks communication between zones - this is a default policy. '''Inter-zone forwarding''' section can be used to modify the default behavior of the Forward zone and allow communication between zones. | ||
---- | |||
Follow the same steps to create Firewall Zones '''lan2''' and '''lan3'''. | |||
'''lan2''' zone settings: | |||
* Name: | * Name: '''Enter desired name''' | ||
* Input: Accept | * Input: '''Accept''' | ||
* Output: Accept | * Output: '''Accept''' | ||
* Forward: Reject | * Forward: '''Reject''' | ||
* Covered networks: lan2 | * Covered networks: '''lan2''' | ||
''' | '''lan3''' zone settings: | ||
* Name: | * Name: '''Enter desired name''' | ||
* Input: Accept | * Input: '''Accept''' | ||
* Output: Accept | * Output: '''Accept''' | ||
* Forward: Reject | * Forward: '''Reject''' | ||
* Covered networks: lan3 | * Covered networks: '''lan3''' | ||
Newly created firewall zones should look like this: | Newly created firewall zones should look like this: | ||
[[File: | [[File:Newlycreatedfirewallzonesv2.png|border|1100px|class=tlt-border|]] | ||
==Inter-zone forwarding use examples== | ==Inter-zone forwarding use examples== | ||
| Line 98: | Line 101: | ||
Example: '''lan1''' wants to communicate only with '''lan2''': | Example: '''lan1''' wants to communicate only with '''lan2''': | ||
<table class="nd-othertables_2"> | |||
* | <tr> | ||
<th width=400; style="border-bottom: 1px solid white;></th> | |||
<th width=600; style="border-bottom: 1px solid white"; rowspan=2>[[File:Interzoneforwarding.png|border|class=tlt-border|right]]</th> | |||
</tr> | |||
<tr> | |||
<td style="border-bottom: 4px solid white> | |||
'''lan1''' settings: | |||
* allow forward to destination zones: '''lan2''' | |||
* allow forward from source zones: '''lan2''' | |||
'''No need to change''' settings for the '''lan2''' zone | |||
</td> | |||
</tr> | |||
</table> | |||
If '''lan1''' to '''lan2''' communication is allowed, zone settings should look like this: | If '''lan1''' to '''lan2''' communication is allowed, zone settings should look like this: | ||
[[File: | [[File:Lan1tolan2.png|border|class=tlt-border|]] | ||
Testing the communication between '''lan1''' and '''lan2''': | Testing the communication between '''lan1''' and '''lan2''': | ||
| Line 117: | Line 131: | ||
To reach '''lan3''' from '''lan1''', edit '''lan3''' zone accordingly: | To reach '''lan3''' from '''lan1''', edit '''lan3''' zone accordingly: | ||
* allow forward to destination zones: lan1 | * allow forward to destination zones: '''lan1''' | ||
* allow forward from source zones: lan1 | * allow forward from source zones: '''lan1''' | ||
Zone settings after these changes should look like this: | Zone settings after these changes should look like this: | ||
[[File: | [[File:Zonesfterchanges.png|border|class=tlt-border|]] | ||
Now the communication between '''lan1''' and '''lan3''' works: | Now the communication between '''lan1''' and '''lan3''' works: | ||