Prevent routing between VLAN’s

[unsichtbare]

I have setup Zeroshell with several VLAN’s on one NIC and would like to prevent routing between one or more of the VLAN’s. Here is my setup:

ETH00   1000Mb/s Full Duplex

Intel Corporation 82546EB Gigabit Ethernet Controller (Copper) (rev 01)



VLAN: none

2: ETH00:  mtu 1500 qdisc htb qlen 1000

inet 192.168.5.1/24 brd 192.168.5.255

RX: bytes  packets  errors  dropped overrun mcast

571644886  670641   0       0       0       492

TX: bytes  packets  errors  dropped carrier collsns

347233957  596027   0       0       0       0

Throughput:  RX 573.05 Kbit/s      TX 36.21 Kbit/s



VLAN: 10

9: ETH00.10@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.10.1/24 brd 192.168.10.255

RX: bytes  packets  errors  dropped overrun mcast

93676406   127799   0       0       0       108

TX: bytes  packets  errors  dropped carrier collsns

67377485   113771   0       0       0       0

Throughput:  RX 128 bit/s      TX 280 bit/s



VLAN: 20

11: ETH00.20@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.20.1/24 brd 192.168.20.255

RX: bytes  packets  errors  dropped overrun mcast

5688678    41139    0       0       0       107

TX: bytes  packets  errors  dropped carrier collsns

27815198   36688    0       0       0       0

Throughput:  RX 117 bit/s      TX 0 bit/s



VLAN: 30

12: ETH00.30@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.30.1/24 brd 192.168.30.255

RX: bytes  packets  errors  dropped overrun mcast

0          0        0       0       0       0

TX: bytes  packets  errors  dropped carrier collsns

0          0        0       0       0       0

Throughput:  RX 0 bit/s      TX 0 bit/s



VLAN: 55

13: ETH00.55@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.55.1/24 brd 192.168.55.255

RX: bytes  packets  errors  dropped overrun mcast

161388840  142330   0       0       0       0

TX: bytes  packets  errors  dropped carrier collsns

8455443    86953    0       0       0       0

Throughput:  RX 0 bit/s      TX 0 bit/s



VLAN: 99

14: ETH00.99@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.99.1/24 brd 192.168.99.255

RX: bytes  packets  errors  dropped overrun mcast

726355     1259     0       0       0       108

TX: bytes  packets  errors  dropped carrier collsns

208459     865      0       0       0       0

Throughput:  RX 0 bit/s      TX 0 bit/s



VLAN: 2020

16: ETH00.2020@ETH00:  mtu 1500 qdisc noqueue

inet 192.168.0.1/24 brd 192.168.0.255

RX: bytes  packets  errors  dropped overrun mcast

3783688    20925    0       0       0       62

TX: bytes  packets  errors  dropped carrier collsns

27661957   26833    0       0       0       0

Throughput:  RX 61 bit/s      TX 56 bit/s

Right now any vlan can communicate with any other. I would like to prevent VLAN 10 from communicating with any other VLAN.

-J

[vpn_rollercoaster]

Create a firewall rule to block access to those subnets.

[ppalias]

… on the FORWARD chain.
Create a rule that drops traffic coming from source network of vlan 10 to the destination network of the other vlans.

[sodmetaldream]

@unsichtbare wrote:

I have setup Zeroshell with several VLAN’s on one
Right now any vlan can communicate with any other. I would like to prevent VLAN 10 from communicating with any other VLAN.

-J

I have this setup and one of my vlans has free internet access but cannot talk to another conected network.
One simple rule saying routed/bridged from interface vlanXX not going to interface Internet all services drop.

Plain and simple. Consider using negated items in the rule to make the ruleset as simple as it can be. The obvius advantage is that the above mentioned rule is still valid even if more vlans and networks are added later and it does not break security.

Yours.

[Author]

Posts