Hello,
I am running into an odd problem I am not sure how to solve when isolating subnets using zone policies on my ER-X. I have created 3 VLANs: a main network, a management network and a guest network. The management network is VLAN 100 on the 192.168.100.0/24 subnet and the guest network is on VLAN 20 and the 192.168.20.0/24 subnet.
I have eth1-4 as part of switch0, and eth0 connected to the internet. switch0.20 has an address of 192.168.20.1 and switch0.100 has an address of 192.168.100.1.
The issue I am running into is that while I am connected to the guest network I am able to ping 192.168.20.1, which makes sense. But I am also able to ping 192.168.100.1. This makes sense to me because it is also technically local, but this is not the result I am looking for. Since 192.168.100.1 is on a different subnet, I would not want to be able to ping it.
Below are my configurations for my local zone and the offending firewall rules.
zone local {
    default-action drop
    from guest {
        firewall {
            name guest-local
        }
    }
    from house {
        firewall {
            name lan-local
        }
    }
    from management {
        firewall {
            name management-local
        }
    }
    local-zone
}
default-action drop
enable-default-log
rule 1 {
    action accept
    state {
        established enable
        related enable
    }
}
rule 2 {
    action drop
    log enable
    state {
        invalid enable
    }
}
rule 100 {
    action accept
    protocol icmp
}
rule 600 {
    action accept
    description "Allow DNS"
    destination {
        port 53
    }
    protocol tcp_udp
}
rule 700 {
    action accept
    description "Allow DHCP"
    destination {
        port 67,68
    }
    protocol udp
}
I attempted to add in another rule to drop all connections to the 192.168.0.0/16 subnet, but this caused me to be unable to ping 192.168.20.1. I thought of creating a network group that contained all of the 192.168.0.0/16 subnet except the 192.168.20.1/24, but this seemed messy to implement and I figure there has to be a cleaner method to do this.
This issue exists for the main network as well, but I figure once I find a solution between these two VLANs I can simply transfer it over for the remaining rule sets.
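The behaviour described above follows from how the local zone is matched: traffic to the local zone is addressed to any of the router's own addresses, and the posted rule 100 has no destination filter, so it accepts ICMP to 192.168.100.1 as readily as to 192.168.20.1. The following Python model of EdgeOS first-match rule evaluation is an added illustration, not part of the post or of EdgeOS; it assumes the rule set shown is guest-local, that the attempted 192.168.0.0/16 drop was ordered ahead of rule 100, and that narrowing rule 100 (and likewise rules 600 and 700) to the guest interface address with `destination address 192.168.20.1` is the intended fix.

```python
import ipaddress

# Constructed model of EdgeOS first-match rule evaluation, written to
# illustrate the post above; it is not EdgeOS code. A rule is
# (number, action, protocol, destination network or None for any).
# Traffic to the local zone is addressed to ANY router address, so a rule
# with no destination filter matches 192.168.100.1 as readily as 192.168.20.1.
GUEST_GW, MGMT_GW = "192.168.20.1", "192.168.100.1"

def guest_local_rules(icmp_dst=None):
    """The posted accept rules (assumed to be guest-local); icmp_dst narrows rule 100."""
    return [
        (100, "accept", "icmp", icmp_dst),
        (600, "accept", "tcp_udp", None),  # "Allow DNS"  (port 53 not modelled)
        (700, "accept", "udp", None),      # "Allow DHCP" (ports 67,68 not modelled)
    ]

def evaluate(rules, proto, dst, default_action="drop"):
    """Return (action, rule number); first match wins, else default-action applies."""
    dst_ip = ipaddress.ip_address(dst)
    for number, action, rule_proto, rule_dst in sorted(rules):
        proto_ok = rule_proto in ("all", proto) or (
            rule_proto == "tcp_udp" and proto in ("tcp", "udp"))
        dst_ok = rule_dst is None or dst_ip in ipaddress.ip_network(rule_dst)
        if proto_ok and dst_ok:
            return action, number
    return default_action, None

def ping_results(rules):
    """Action taken on an ICMP packet from the guest VLAN to each gateway address."""
    return {gw: evaluate(rules, "icmp", gw)[0] for gw in (GUEST_GW, MGMT_GW)}

def as_posted():
    # Rule 100 has no destination filter: both gateway addresses answer pings.
    return ping_results(guest_local_rules())

def with_blanket_drop():
    # The attempt from the post, assuming the drop sits ahead of rule 100:
    # 192.168.0.0/16 covers the guest gateway too, so the router answers nothing.
    return ping_results([(50, "drop", "all", "192.168.0.0/16")] + guest_local_rules())

def with_scoped_accept():
    # Assumed fix: limit rule 100 to the guest interface address, e.g.
    #   set firewall name guest-local rule 100 destination address 192.168.20.1
    # ICMP to the management gateway then falls through to default-action drop.
    return ping_results(guest_local_rules(icmp_dst=GUEST_GW + "/32"))

if __name__ == "__main__":
    for name in ("as_posted", "with_blanket_drop", "with_scoped_accept"):
        print(name, globals()[name]())
```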