I have been reading for the past couple of days about VLANs and firewalls. I am trying to get 3 areas set up on my network - LAN, Guest, and DMZ. All of my personal devices will be on the LAN and I want no traffic from the Guest and DMZ areas to enter the LAN. The Guest (VLAN 20) and DMZ (VLAN 10) areas are going to have internet access and be able to communicate within their own respective area but nowhere else.
Here is the CLI code to allow all Established/Related traffic to enter the router unless the destination address is on the "LAN" or "Guest" networks
# The LAN, Guest and DMZ network-groups referenced below must exist first, e.g.
# set firewall group network-group LAN network <LAN-subnet>   (subnets not given here)
set firewall name PROTECT_DMZ_IN
set firewall name PROTECT_DMZ_IN default-action accept
set firewall name PROTECT_DMZ_IN rule 10 action accept
set firewall name PROTECT_DMZ_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_DMZ_IN rule 10 protocol all
set firewall name PROTECT_DMZ_IN rule 10 state established enable
set firewall name PROTECT_DMZ_IN rule 10 state related enable
set firewall name PROTECT_DMZ_IN rule 20 action drop
set firewall name PROTECT_DMZ_IN rule 20 description "Drop LAN"
set firewall name PROTECT_DMZ_IN rule 20 destination group network-group LAN
set firewall name PROTECT_DMZ_IN rule 20 protocol all
set firewall name PROTECT_DMZ_IN rule 30 action drop
set firewall name PROTECT_DMZ_IN rule 30 description "Drop Guest"
set firewall name PROTECT_DMZ_IN rule 30 destination group network-group Guest
set firewall name PROTECT_DMZ_IN rule 30 protocol all
Here is the CLI code to allow all Established/Related traffic to enter the router unless the destination address is on the "LAN" or "DMZ" networks
set firewall name PROTECT_Guest_IN
set firewall name PROTECT_Guest_IN default-action accept
set firewall name PROTECT_Guest_IN rule 10 action accept
set firewall name PROTECT_Guest_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_Guest_IN rule 10 protocol all
set firewall name PROTECT_Guest_IN rule 10 state established enable
set firewall name PROTECT_Guest_IN rule 10 state related enable
set firewall name PROTECT_Guest_IN rule 20 action drop
set firewall name PROTECT_Guest_IN rule 20 description "Drop LAN"
set firewall name PROTECT_Guest_IN rule 20 destination group network-group LAN
set firewall name PROTECT_Guest_IN rule 20 protocol all
set firewall name PROTECT_Guest_IN rule 30 action drop
set firewall name PROTECT_Guest_IN rule 30 description "Drop DMZ"
set firewall name PROTECT_Guest_IN rule 30 destination group network-group DMZ
set firewall name PROTECT_Guest_IN rule 30 protocol all
Here is the CLI code to only allow DNS and DHCP traffic
set firewall name PROTECT_LOCAL
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS"
set firewall name PROTECT_LOCAL rule 10 destination port 53
set firewall name PROTECT_LOCAL rule 10 protocol udp
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DHCP"
set firewall name PROTECT_LOCAL rule 20 destination port 67
set firewall name PROTECT_LOCAL rule 20 protocol udp
Here is the CLI code to apply the firewall rulesets to the DMZ and Guest interfaces
set interfaces switch switch0 vif 10 firewall in name PROTECT_DMZ_IN
set interfaces switch switch0 vif 10 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 20 firewall in name PROTECT_Guest_IN
set interfaces switch switch0 vif 20 firewall local name PROTECT_LOCAL
Looking for feedback if I have done this correctly or ways to do this better.
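As an added check (example code, not part of the original post or of EdgeOS), the three rulesets above can be modelled as first-match rule lists and run against the traffic matrix the post wants: new DMZ/Guest connections toward the other networks dropped, return traffic and internet-bound traffic allowed, and only DNS/DHCP reaching the router itself. The subnets are assumptions, since the post names the network-groups but not their prefixes.

```python
# Added example: first-match model of the posted EdgeOS rulesets to confirm the
# intended isolation matrix before committing. Subnets below are assumed.
from dataclasses import dataclass
import ipaddress

NETS = {  # assumed prefixes for the network-groups referenced in the rules
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.10.0/24"),
    "Guest": ipaddress.ip_network("192.168.20.0/24"),
}

@dataclass
class Rule:
    action: str
    states: tuple = ()        # empty tuple = matches any connection state
    dst_group: str = None     # destination network-group name, if any
    proto: str = None         # protocol restriction, if any
    dport: int = None         # destination port restriction, if any

    def matches(self, f):
        if self.states and f["state"] not in self.states: return False
        if self.dst_group and ipaddress.ip_address(f["dst"]) not in NETS[self.dst_group]: return False
        if self.proto and f["proto"] != self.proto: return False
        if self.dport is not None and f.get("dport") != self.dport: return False
        return True

def evaluate(rules, default, f):
    """First matching rule decides, as in EdgeOS; otherwise the default-action."""
    for r in rules:
        if r.matches(f):
            return r.action
    return default

# (rules in order, default-action), mirroring the posted configuration
PROTECT_DMZ_IN = ([Rule("accept", states=("established", "related")),
                   Rule("drop", dst_group="LAN"), Rule("drop", dst_group="Guest")], "accept")
PROTECT_GUEST_IN = ([Rule("accept", states=("established", "related")),
                     Rule("drop", dst_group="LAN"), Rule("drop", dst_group="DMZ")], "accept")
PROTECT_LOCAL = ([Rule("accept", proto="udp", dport=53),
                  Rule("accept", proto="udp", dport=67)], "drop")

def flow(dst, state="new", proto="tcp", dport=None):
    return {"dst": dst, "state": state, "proto": proto, "dport": dport}

def isolation_check():
    """Verdicts for constructed sample flows covering each intended outcome."""
    return {
        "dmz_new_to_lan": evaluate(*PROTECT_DMZ_IN, flow("192.168.1.10")),
        "dmz_reply_to_lan": evaluate(*PROTECT_DMZ_IN, flow("192.168.1.10", "established")),
        "dmz_to_internet": evaluate(*PROTECT_DMZ_IN, flow("203.0.113.10")),
        "guest_new_to_dmz": evaluate(*PROTECT_GUEST_IN, flow("192.168.10.5")),
        "guest_dns_to_router": evaluate(*PROTECT_LOCAL, flow("192.168.20.1", proto="udp", dport=53)),
        "guest_ssh_to_router": evaluate(*PROTECT_LOCAL, flow("192.168.20.1", dport=22)),
    }
```

Because rule 10 accepts established/related before the drop rules, replies to connections the LAN opened into the DMZ or Guest networks still pass, while new connections from those networks toward the LAN are dropped.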