Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1
Hi everyone,
I installed an Omada controller that manages one ER605, one TL-SG2008P and one EAP245.
I created two different LANs: the first is my work LAN (LAN1) and the second is for guests (LAN2). At this moment the guest LAN is assigned to only one port of the switch.
I want to permit traffic between LAN1 and LAN2 but drop traffic from LAN2 to LAN1.
I created a switch ACL rule like this: (LAN1 is Lan_casa, and LAN2 is LAN_alloggio)
But it blocks traffic from LAN1 to LAN2 and also from LAN2 to LAN1; where is the error?
Thanks for replying.
Can I ask what you are looking to achieve with this blocking? Is this for a specific piece of software?
The reason I ask is blocking traffic from LAN 2 to LAN 1 could cause traffic issues, as traffic is unable to reply to the sender to indicate that it has received the packet correctly. This will really only work for UDP traffic where there is no requirement for acknowledgement to be sent.
For example, PING would fail from LAN 1 to LAN 2, even though LAN 1 will send the packet to LAN 2. LAN 2 cannot reply, therefore PING will fail. Could this be the issue you are experiencing?
You may need to open specific ports to allow whatever app you require to actually send from LAN 2 to LAN 1, and obviously block everything else.
Hi,
I want to block traffic between LANs, as one is for guests and one is for me; I want guests to browse but not see my network. The tests I did were by pinging between one LAN and the other; in fact, if I remove ICMP from the blocked protocols or add a rule that allows ICMP, everything works.
On other devices I have added, it doesn't work like that: the return rule works automatically. That's why I didn't understand.
I'll take this opportunity to ask: in addition to the protocols present, is it possible to activate some custom ones? For example, I would need to grant traffic on port 8291.
Thanks.
This is more than possible, I have this setup myself.
I have a VLAN called CCTV, which as you can guess is for the CCTV camera. I don't want that to be accessible to my own personal LAN, except on specific ports used for viewing the CCTV recorder. Note that the PERMIT for the CCTV recorder ports is higher (above) the deny-all rule.
I therefore created a profile port group as shown below.
If you set the IP Subnet as your guest network (e.g. 192.168.2.1) on a /24, that will allow anyone on the guest VLAN. Add the ports you require and save this.
Create a switch ACL and ALLOW this profile access to the LAN you wish to restrict (personal LAN).
Then create a second switch ACL and block ALL from the guest network to the personal LAN (as you had earlier).
Ensure that the PERMIT is higher (above) the DENY. This should work for you in blocking ALL, except the ports you have defined.
Hope that helps!
Thanks for replying. I tried to make the rule, but the problem is the return traffic.
Let me explain:
I block all traffic from LAN2 to LAN1, but the rule blocks the return traffic; in fact, if I try to use MikroTik Winbox to connect to a device in LAN2 from a PC in LAN1, it is not possible.
To do this I must create a rule that permits traffic from LAN2 to the single IP in LAN1 that runs the MikroTik Winbox app. That way everything works correctly.
The firewall rule does not automatically create a return rule.
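As an added illustration (not code from the thread, from TP-Link or from Omada), the following Python model evaluates packets against a stateless first-match ACL like a switch ACL. The subnets and the Winbox host 192.168.1.10 are constructed; it shows why a deny-all LAN2-to-LAN1 rule breaks the reply leg of connections started from LAN1, and why the narrower permit only helps when it sits above the deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets standing in for the thread's Lan_casa (LAN1) and LAN_alloggio (LAN2).
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")
WINBOX_PC = ip_network("192.168.1.10/32")  # constructed: the LAN1 PC running Winbox
WINBOX_PORT = 8291                         # the port mentioned in the thread


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: object            # ip_network the packet's source must fall in
    dst: object            # ip_network the packet's destination must fall in
    proto: str = None      # "tcp", "icmp", ...; None matches any protocol
    dport: int = None      # destination port; None matches any port


def evaluate(rules, src, dst, proto, dport=None):
    """Stateless first-match ACL: every packet is judged on its own, with no
    memory of the connection it belongs to (unlike a stateful firewall)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action
    return "permit"  # no rule matched: traffic passes


def exchange(rules, client, server, proto, port=None):
    """Verdicts for a request and its reply. The reply travels server->client;
    for TCP it is addressed to an ephemeral port on the client."""
    request = evaluate(rules, client, server, proto, port)
    reply = evaluate(rules, server, client, proto, 51234 if proto == "tcp" else None)
    return request, reply


# Only the deny-all rule from the original post.
DENY_ONLY = [Rule("deny", LAN2, LAN1)]
# The fix from the thread: a narrower permit placed above the deny.
PERMIT_ABOVE_DENY = [Rule("permit", LAN2, WINBOX_PC, "tcp"), Rule("deny", LAN2, LAN1)]
# The same two rules in the wrong order: the deny matches first.
PERMIT_BELOW_DENY = list(reversed(PERMIT_ABOVE_DENY))

if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("permit above deny", PERMIT_ABOVE_DENY),
                      ("permit below deny", PERMIT_BELOW_DENY)]:
        print(name, "ping:", exchange(acl, "192.168.1.10", "192.168.2.20", "icmp"),
              "winbox:", exchange(acl, "192.168.1.10", "192.168.2.20", "tcp", WINBOX_PORT))
```

Each tuple is (request verdict, reply verdict); a connection only works when both are "permit", which is why the ping test in the thread fails even though LAN1 is never denied.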