Re: Cannot access Internet from VLAN

I have a smaller setup almost doing the same.  One option is to do the following.  **ORDER IS IMPORTANT IN EACH INDIVIDUAL RULE TREE**  I've made the isolation a little more detailed, in the event the isolation needs to be changed in the future.  All that would be needed is a swap from drop to allow.
Standard firewall rules for internet.

Create a rule set for each vlan, (VLANXX-IN).  Default allow.  Apply to their respective interface.
((Allow will start by allowing all connections to any address (needed for internet access), but the rules below will filter it down.))
Add the following rules to each respective vlan: ((ADDRESSES refers to the address block associated with that vlan (10.0.xx.0/24)))
VLAN10-IN

1--Allow all ESTABLISHED, source vlan 10, destination vlan 20 ADDRESSES.

2--Allow all ESTABLISHED, source vlan 10, destination vlan 30 ADDRESSES.  ((These will allow communications that have been established from the other specific vlan.))

3--Drop all NEW&INVALID, source vlan 10, destination vlan 20 ADDRESSES

4--Drop all NEW&INVALID, source vlan 10, destination vlan 30 ADDRESSES.  ((These drops will prevent VLAN 10 from initiating comms to one-way vlans.))

5-7--Drop all NEW, INVALID, ESTABLISHED, source vlan 10, destination **default, vlan 40, vlan 50** ADDRESSES.  ((Be sure to add only one destination per rule.))
For VLAN20-IN and VLAN30-IN,

1-- Allow all NEW,RELATED destination VLAN10 ADDRESSES.

2-5--Drop all NEW,INVALID,ESTABLISHED,RELATED, source vlan (20/30, whichever you're working on), destination **default, vlan 40, vlan 50, vlan (20/30, whichever you are NOT working on)** ADDRESSES.
For all other vlans,

1-6--Drop all NEW,INVALID,ESTABLISHED,RELATED, destination **default, vlan 10, vlan 20, vlan 30, vlan 40, vlan 50** ADDRESSES.
For router access (DO THIS LAST, AND MAKE SURE YOU HAVE A BACKUP PORT IN CASE IT DOESN'T WORK.  ALSO MAKE SURE YOU ARE IN THE ALLOWED VLAN WHILE CONFIGURING)
LAN-LOCAL, Drop default.  (( Apply to ALL interfaces, vlan or otherwise, that you wish to block router config access.  Refer to caps text directly above this. ))
Rules:

1--Drop INVALID all

2--Allow all, NEW,ESTABLISHED,RELATED, source VLAN10 ADDRESSES

3--Allow ESTABLISHED
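Added example, not from the post's author and not EdgeOS code: a first-match model of the three rule trees above (VLAN10-IN, VLAN20-IN, LAN-LOCAL) so the intended reachability can be checked before the real config is committed. The subnets are constructed placeholders for the 10.0.xx.0/24 ADDRESSES blocks, and the untagged "default" LAN is assumed to be 10.0.0.0/24.

```python
# Mimics how EdgeOS walks a rule set: top to bottom, first matching rule decides,
# otherwise the set's default action applies. Subnets below are constructed.
from ipaddress import ip_address, ip_network

NET = {"default": ip_network("10.0.0.0/24"), 10: ip_network("10.0.10.0/24"),
       20: ip_network("10.0.20.0/24"), 30: ip_network("10.0.30.0/24"),
       40: ip_network("10.0.40.0/24"), 50: ip_network("10.0.50.0/24")}
ALL = ("new", "invalid", "established", "related")

def rule(action, states, dst=None, src=None):
    """One firewall rule; dst/src are VLAN keys from NET, None matches anything."""
    return {"action": action, "states": frozenset(states),
            "dst": NET.get(dst), "src": NET.get(src)}

# VLAN10-IN (default allow): may answer 20/30, never initiate to them, no other LAN.
VLAN10_IN = ("accept", [
    rule("accept", ["established"], dst=20),
    rule("accept", ["established"], dst=30),
    rule("drop", ["new", "invalid"], dst=20),
    rule("drop", ["new", "invalid"], dst=30),
] + [rule("drop", ["new", "invalid", "established"], dst=d) for d in ("default", 40, 50)])

# VLAN20-IN (default allow): may initiate to VLAN10, blocked from all other LAN blocks.
VLAN20_IN = ("accept", [rule("accept", ["new", "related"], dst=10)]
             + [rule("drop", ALL, dst=d) for d in ("default", 40, 50, 30)])

# LAN-LOCAL (default drop): only VLAN10 hosts may open sessions to the router itself.
LAN_LOCAL = ("drop", [
    rule("drop", ["invalid"]),
    rule("accept", ["new", "established", "related"], src=10),
    rule("accept", ["established"]),
])

def evaluate(ruleset, state, src_ip, dst_ip):
    """Action for a packet with this conntrack state, source and destination IP."""
    default, rules = ruleset
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:  # walk top to bottom; the first matching rule decides
        if (state in r["states"] and (r["dst"] is None or dst in r["dst"])
                and (r["src"] is None or src in r["src"])):
            return r["action"]
    return default  # no rule matched: the set's default action applies
```

Internet-bound traffic from VLAN10 matches none of the LAN destinations and falls through to the default allow, while a NEW packet from VLAN10 to VLAN20 hits the drop rule even though a reply (ESTABLISHED) to a VLAN20-initiated session is accepted.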
