Who can use this Feature?
- Partner
- Company/Network Admins with Write access
- Meter Support
Inter-VLAN Communication
Inter-VLAN communication can be enabled or disabled under the Network-wide > VLANs section of the Dashboard.
Rules
To block certain communications between VLANs after enabling inter-VLAN routing, or to only allow communication between certain hosts and/or certain port numbers, navigate to Firewall > ACLs > Rules. This is where more granular rules can be created.
To create a rule click the ‘Add ACL rule’ button. This will expand a new window in the Dashboard on the right-hand side with the following options:
- Enabled - Toggle ON to enable the rule. Toggle OFF to disable the rule.
- Name - The display name of the rule. Name it something meaningful to you.
- Description - Describe what the rule does if needed.
- VLANs - Select which VLANs the rule should apply to.
- Action - Choose to Deny or Allow the traffic.
- Protocols - TCP, UDP, or ICMP can be selected. Choose the protocol types required for your rule.
- Source - Select where the traffic would be originating from for your rule. This can be a single host, multiple hosts, or an entire VLAN. Port numbers can also be specified.
- Destination - Select where the traffic would be going to for your rule. This can be a single host, multiple hosts, or an entire VLAN. Port numbers can also be specified.
As an example, let's say we enabled inter-VLAN routing between the guest and private network so guests can AirPlay to devices on the private network. However, there is a host on the private network (10.103.0.20) that we need to ensure no user on the guest network can access. This rule would look like this:
This rule (applied to the guest VLAN) blocks access from the entire guest VLAN to the particular host (10.103.0.20 on the private VLAN). Once created, your rule will display on the list in the center of the page:
How to read the Firewall Rules List
Rules are matched to network traffic as it ingresses to the Meter Security Appliance. This means rules should be applied to the VLAN on which the matching traffic is expected to ingress. Using the same example above, the Deny rule that blocks Guest VLAN traffic to 10.103.0.20 is applied to the Guest VLAN, because packets that can match this rule ingress from the Guest VLAN.
Along those lines, it is important to note that the Firewall on the Meter Security Appliance is considered a stateless firewall: each packet is evaluated on its own against the rule list, and the rules are read in order. The first rule that matches the traffic is applied.
There are also default rules that are created by enabling Inter-VLAN routing or DNS Security. To view them, set the ‘Show default rules’ toggle to ON. Let's take a look at the default rules from the same example above:
Rules created in the ‘Rules’ tab are always read first, followed by rules created by Inter-VLAN routing, and then any other default rules.
With this list expanded, you can see that the Deny rule we created to block traffic from the guest network to 10.103.0.20 is read first, blocking this traffic before it reaches the Allow rule.
User-created rules can be re-ordered by using the up and down arrows next to the rule:
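The following is an added worked model of the evaluation order described above (user rules first, then the Inter-VLAN default rule, first match wins, rules matched on the ingress VLAN). It is constructed for illustration and is not Meter's code; the guest/private subnets, the guest host address, and the shape of the default Inter-VLAN rule are assumptions, while 10.103.0.20 is the page's example host.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed subnets for the two VLANs in the page's example (constructed values).
SUBNETS = {"guest": ip_network("10.104.0.0/16"), "private": ip_network("10.103.0.0/16")}
ANY_PROTO = {"tcp", "udp", "icmp"}


@dataclass
class Rule:
    name: str
    vlans: set          # VLANs the rule is applied to; matched against the ingress VLAN
    action: str         # "allow" or "deny"
    protocols: set      # subset of ANY_PROTO
    src: list           # networks the source address may fall in
    dst: list           # networks the destination address may fall in
    dst_ports: set = field(default_factory=set)  # empty = any destination port

    def matches(self, pkt):
        return (pkt["ingress_vlan"] in self.vlans
                and pkt["proto"] in self.protocols
                and any(ip_address(pkt["src"]) in n for n in self.src)
                and any(ip_address(pkt["dst"]) in n for n in self.dst)
                and (not self.dst_ports or pkt.get("dst_port") in self.dst_ports))


# The user rule from the page: applied to the guest VLAN, deny guest VLAN -> 10.103.0.20.
USER_RULES = [Rule("Block guest to 10.103.0.20", {"guest"}, "deny", ANY_PROTO,
                   [SUBNETS["guest"]], [ip_network("10.103.0.20/32")])]
# Default rule created by Inter-VLAN routing, modelled here as a bidirectional allow
# applied to both VLANs (an assumption about its exact form).
INTER_VLAN_RULES = [Rule("Inter-VLAN guest<->private", {"guest", "private"}, "allow", ANY_PROTO,
                         list(SUBNETS.values()), list(SUBNETS.values()))]


def evaluate(pkt, user_rules=USER_RULES, default_rules=INTER_VLAN_RULES):
    """Stateless first match: each packet is judged alone, user rules before defaults."""
    for rule in list(user_rules) + list(default_rules):
        if rule.matches(pkt):
            return rule.action, rule.name
    return "no-match", None  # what happens to unmatched traffic is not stated on the page


# Constructed sample packets: guest -> blocked host, guest -> another private host,
# and the reply from the blocked host, which ingresses on the private VLAN.
GUEST_TO_BLOCKED = {"ingress_vlan": "guest", "src": "10.104.0.7", "dst": "10.103.0.20", "proto": "tcp", "dst_port": 7000}
GUEST_TO_OTHER = {"ingress_vlan": "guest", "src": "10.104.0.7", "dst": "10.103.0.21", "proto": "tcp", "dst_port": 7000}
REPLY_FROM_BLOCKED = {"ingress_vlan": "private", "src": "10.103.0.20", "dst": "10.104.0.7", "proto": "tcp", "dst_port": 51000}

if __name__ == "__main__":
    for pkt in (GUEST_TO_BLOCKED, GUEST_TO_OTHER, REPLY_FROM_BLOCKED):
        print(pkt["ingress_vlan"], pkt["src"], "->", pkt["dst"], evaluate(pkt))
```

Passing the rules in a different order to `evaluate` (the deny after the allow) shows why re-ordering matters: the Inter-VLAN allow then matches the guest-to-10.103.0.20 packet first.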
If you have any questions about ACL Rules or need further assistance, feel free to contact Meter Support at support@meter.com or submit a ticket at meter.com/support.