Inter VLAN Routing in one direction

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-02-27 21:07:02
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.0

Hi,

I am sure this has been asked before on this community but I can't find the answer.

I have a simple test bench set up with a very simple configuration to try and figure out how to ALLOW connectivity between devices on a Business/Home VLAN to devices on an IoT VLAN but DENY connectivity in the reverse direction.

As I understand it, this can partly be achieved using ACLs, but as these are Layer 2 rules and not stateful it appears that you need to set a rule for each direction, which sort of defeats the objective. I have, therefore, been trying to set up a Layer 3 static route in the ER605 to achieve the connectivity (i.e. two ACL rules on the SG2218 to block VLAN10 and 11 and a static route between 192.168.10.x and 192.168.11.x to connect the two VLANs in one direction). For some reason I just can't get it to work.

I would be grateful for any assistance with this problem as I have been going round and round in circles for days.

Questions -

  1. Is what I am trying to do actually possible with the above equipment?
  2. What static route should I set in the ER605?
  3. How should I set the ports (for the VLANs) on each of the switches?

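The point in the original post about stateless ACLs is worth seeing in action. The following is an added example written for this thread, not code from the poster or from TP-Link: it simulates a simple TCP handshake between a host on 192.168.10.x and a host on 192.168.11.x and runs it through two hypothetical policies, a stateless ACL (one rule per direction, as the switch ACLs are described above) and a stateful filter that remembers flows the Home side opened. The hosts, ports and flag sets are constructed sample data.

```python
"""Stateless vs stateful one-way inter-VLAN filtering (added example, not from the thread).

Policy goal from the thread: Home VLAN (192.168.10.x) may open connections to the
IoT VLAN (192.168.11.x); the IoT VLAN may not open connections to the Home VLAN.
"""
from dataclasses import dataclass

HOME_NET = "192.168.10."   # VLAN10 in the thread
IOT_NET = "192.168.11."    # VLAN11 in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def in_net(ip: str, prefix: str) -> bool:
    return ip.startswith(prefix)


def stateless_acl(pkt: Packet) -> str:
    """Hypothetical per-direction ACL with no connection memory.

    Rule 1: permit Home -> IoT.  Rule 2: deny IoT -> Home.  Everything else: permit.
    The deny rule cannot tell a reply (SYN-ACK) from a new connection attempt.
    """
    if in_net(pkt.src, HOME_NET) and in_net(pkt.dst, IOT_NET):
        return "permit"
    if in_net(pkt.src, IOT_NET) and in_net(pkt.dst, HOME_NET):
        return "deny"
    return "permit"


class StatefulFilter:
    """Hypothetical stateful filter: remembers flows opened from Home and lets replies back."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def check(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "permit"          # reply traffic for a flow Home opened
        if in_net(pkt.src, HOME_NET) and in_net(pkt.dst, IOT_NET):
            self.flows.add(key)      # record the new Home-initiated flow
            return "permit"
        if in_net(pkt.src, IOT_NET) and in_net(pkt.dst, HOME_NET):
            return "deny"            # IoT trying to initiate towards Home
        return "permit"


# Constructed sample traffic: Home host 192.168.10.20 opens HTTP to IoT host 192.168.11.50,
# then the IoT host tries to open its own connection back into the Home VLAN.
HANDSHAKE = [
    Packet("192.168.10.20", "192.168.11.50", 40000, 80, frozenset({"SYN"})),
    Packet("192.168.11.50", "192.168.10.20", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet("192.168.10.20", "192.168.11.50", 40000, 80, frozenset({"ACK"})),
]
UNSOLICITED = Packet("192.168.11.50", "192.168.10.20", 51000, 22, frozenset({"SYN"}))


def run_stateless(packets: list[Packet]) -> list[str]:
    return [stateless_acl(p) for p in packets]


def run_stateful(packets: list[Packet]) -> list[str]:
    f = StatefulFilter()
    return [f.check(p) for p in packets]


if __name__ == "__main__":
    traffic = HANDSHAKE + [UNSOLICITED]
    print("stateless:", run_stateless(traffic))  # SYN-ACK denied: handshake never completes
    print("stateful: ", run_stateful(traffic))   # handshake permitted, unsolicited SYN denied
```

Running it shows why per-direction switch ACLs cannot give a one-way policy on their own: the stateless ACL drops the SYN-ACK, so the Home-initiated connection never completes, while the stateful version permits the reply and still blocks the IoT host's own connection attempt. In practice that state lives in a router firewall rather than a static route, which only decides where a packet is forwarded, not whether it is allowed.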
#1
Re:Inter VLAN Routing in one direction
2022-02-28 08:13:11

My suggestion is: just block all routing between the IoT VLAN and the main network VLAN. Basically, today's IoT devices can be managed by a cloud server, so local devices don't need to communicate with the IoT devices directly. Most IoT manufacturers use AWS as their server, so it's secure enough.
#2
Re:Inter VLAN Routing in one direction
2022-02-28 10:23:13

Hi, thanks for that suggestion, but unfortunately 'managed IoT cloud server' services are exactly what I am trying to avoid. ALL my IoT devices are locally managed and totally independent of the internet (in fact the Internet access will be blocked). I would agree there is a major security implication with this configuration, but separate blocked VLANs with a simple single-direction Layer 3 static route set between the Home/Business and IoT VLANs (with appropriate firewall filtering, i.e. only HTTP/S etc.) should mitigate any risks (I hope). The problem is that it just doesn't seem to work on this ER605 router.