By default, the Meter Security Appliance blocks communication between VLANs. If this type of communication is needed, you can enable inter-VLAN routing and then use Firewall rules to control exactly which traffic is allowed.
Inter-VLAN Communication
Inter-VLAN communication can be enabled or disabled under the Network-wide > VLANs section of the Dashboard.
VLANs
To block certain communications between VLANs after enabling inter-VLAN routing, or to only allow communication between certain hosts and/or certain port numbers, navigate to Firewall > Rules > VLANs. This is where more granular rules can be created.
To create a rule click the ‘Add VLAN firewall rule’ button. This will expand a new window in the Dashboard on the right-hand side with the following options:
Enabled - Toggle ON to enable the rule. Toggle OFF to disable the rule.
Name - The display name of the rule. Name it something meaningful to you.
Description - Describe what the rule does if needed.
VLANs - Select which VLANs the rule should apply to.
Action - Choose to Deny or Allow the traffic.
Protocols - TCP, UDP, or ICMP can be selected. Choose the protocol types required for your rule.
Source - Select where the traffic for your rule originates. This can be a single host, multiple hosts, or an entire VLAN. Port numbers can also be specified.
Destination - Select where the traffic for your rule is going. This can be a single host, multiple hosts, or an entire VLAN. Port numbers can also be specified.
As an example -
Let's say we enabled inter-VLAN routing between the guest and private network so guests can airplay to devices on the private network.
However - there is a host on the private network (10.103.0.20) that we need to ensure no user on the guest network can access. This rule would look like this:
This rule (applied to the guest VLAN) blocks access from the entire guest VLAN to the particular host (10.103.0.20 on the private VLAN). Once created, your rule will display on the list in the center of the page:
How to read the Firewall Rules List
Rules are matched to network traffic as it ingresses to the Meter Security Appliance. This means rules should be applied to the VLAN where the ingress traffic is expected to be on. Using the same example above - the deny to block Guest VLAN traffic to 10.103.0.20 is applied to the Guest VLAN. This is because packets that can match this rule would ingress from the Guest VLAN.
Along those lines, it is important to note that the Firewall on the Meter Security Appliance is considered a stateless firewall, and that rules are evaluated in order: the first rule that matches the traffic is applied, and later rules are not consulted for that traffic.
There are also default rules that are created by enabling Inter-VLAN routing or DNS Security. To view them, switch ‘Show default rules’ to ON. Let's take a look at the default rules from the same example above:
Rules created in the ‘VLANs’ section of the Rules tab are always read first, followed by rules created by Inter-VLAN routing, then any other default rules.
With this list expanded - you can see the Deny rule we created to block traffic from the guest network to 10.103.0.20 would be read first, blocking this traffic before reaching the Allow rule.
User-created rules can be re-ordered by using the up and down arrows next to the rule:
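To make the evaluation order concrete, the following is an added example (not Meter code) that simulates the rule list described above: rules are matched on the ingress VLAN, user rules are read first in their Dashboard order, then the Inter-VLAN routing rules, then any other defaults, and the first match wins. The subnets, the guest host addresses, the modelling of Inter-VLAN routing as one allow rule per direction, and the implicit final deny are all assumptions; only 10.103.0.20 and the guest/private VLAN names come from the text.

```python
"""Simulate VLAN firewall rule ordering on the Meter Security Appliance.

Added example, not Meter code. Rule fields follow the Dashboard options
(Enabled, Name, VLANs, Action, Protocols, Source, Destination). Subnets,
host addresses and the set of default rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets: private contains 10.103.0.20 from the text;
# the guest subnet is an assumption.
VLANS = {
    "guest": ip_network("10.104.0.0/24"),
    "private": ip_network("10.103.0.0/24"),
}

USER, INTER_VLAN, DEFAULT = 0, 1, 2  # evaluation tiers, read in this order


@dataclass
class Rule:
    name: str
    vlan: str            # ingress VLAN the rule is applied to
    action: str          # "allow" or "deny"
    src: str             # a host ("10.104.0.10"), a VLAN name, or "any"
    dst: str
    protocols: frozenset = frozenset()  # e.g. {"tcp"}; empty means any
    dst_ports: frozenset = frozenset()  # empty means any
    tier: int = USER
    enabled: bool = True


@dataclass
class Packet:
    ingress_vlan: str
    src: str
    dst: str
    proto: str
    dst_port: int


def _addr_matches(selector: str, addr: str) -> bool:
    """Match a Source/Destination selector: any, a VLAN name, or a single host."""
    if selector == "any":
        return True
    if selector in VLANS:
        return ip_address(addr) in VLANS[selector]
    return ip_address(selector) == ip_address(addr)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.enabled
        and rule.vlan == pkt.ingress_vlan  # rules only see traffic ingressing on their VLAN
        and (not rule.protocols or pkt.proto in rule.protocols)
        and (not rule.dst_ports or pkt.dst_port in rule.dst_ports)
        and _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
    )


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First match wins. sorted() is stable, so user rules keep their Dashboard
    order, followed by Inter-VLAN rules, then other defaults. With no match the
    traffic is dropped (assumed: the appliance blocks inter-VLAN traffic by default)."""
    for rule in sorted(rules, key=lambda r: r.tier):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit default"


def example_rules() -> list:
    """Rule set from the text: Inter-VLAN routing between guest and private,
    plus a user deny from the whole guest VLAN to 10.103.0.20."""
    return [
        Rule("Block guest to 10.103.0.20", "guest", "deny", "guest", "10.103.0.20"),
        Rule("Inter-VLAN guest->private", "guest", "allow", "guest", "private", tier=INTER_VLAN),
        Rule("Inter-VLAN private->guest", "private", "allow", "private", "guest", tier=INTER_VLAN),
    ]


def airplay(src: str, dst: str, ingress_vlan: str = "guest") -> Packet:
    # Constructed sample traffic: TCP 7000 is the AirPlay control port.
    return Packet(ingress_vlan, src, dst, "tcp", 7000)


if __name__ == "__main__":
    rules = example_rules()
    print(evaluate(rules, airplay("10.104.0.50", "10.103.0.20")))  # deny by the user rule
    print(evaluate(rules, airplay("10.104.0.50", "10.103.0.30")))  # allow by Inter-VLAN rule
    # A deny applied to the wrong VLAN never matches: guest packets ingress on "guest".
    wrong = [Rule("Misplaced deny", "private", "deny", "guest", "10.103.0.20")] + rules[1:]
    print(evaluate(wrong, airplay("10.104.0.50", "10.103.0.20")))  # allow
    # Re-ordering: an allow for one guest host moved above the deny becomes an exception.
    exc = [Rule("Allow kiosk", "guest", "allow", "10.104.0.10", "10.103.0.20")] + rules
    print(evaluate(exc, airplay("10.104.0.10", "10.103.0.20")))  # allow
    print(evaluate(exc, airplay("10.104.0.50", "10.103.0.20")))  # deny
```

The "Misplaced deny" case is the mistake the ingress rule above guards against: a deny applied to the private VLAN cannot stop guest traffic, because that traffic never ingresses on the private VLAN, so the Inter-VLAN allow rule matches instead.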
WANs
By default, the Meter Security Appliance will block all incoming traffic (from the internet) if the connection did not originate from within the LAN. In most cases, WAN firewall rules would only need to be used if you need to explicitly ALLOW traffic originating from the WAN side.
The creation menu is identical to the one for VLAN rules, except that the WAN interface must also be specified. The example below allows UDP port 500 (IKE, used by IPsec) from an upstream gateway, applied to the WAN interface labeled ‘ISP’.
If you have questions or would like assistance please don’t hesitate to contact Meter Support.