6 Replies Latest reply on Nov 7, 2013 10:19 AM by azaloum90

    Separating VLAN subnets from communication

    azaloum90 New Member

      Hello,

       

Running an Adtran NetVanta 3120 Firewall.  The network is up and running properly.  Ran the Firewall wizard and configured internet access for both VLAN interfaces (VLAN1 = 192.168.1.0, VLAN2 = 192.168.2.0).

       

      Ports 1 and 2 are configured for VLAN1, 3 as a trunk (connected to Cisco WAP4410N), and 4 configured for VLAN2 only.

       

      I need 192.168.2.0 to go STRAIGHT out to the WAN port, and bypass the entire VLAN1 network of 192.168.1.0.

       

      When on the wireless networks connected to VLAN2, I get the correct IP address on the 192.168.2.0 network, however I'm still able to communicate with hosts on the 192.168.1.0 network, and I cannot have that as this is for a guest network.

       

      Please advise.

       

      Thanks,

       

      Adam

        • Re: Separating VLAN subnets from communication
          jayh Hall_of_Fame

          To summarize, I believe that you want both VLAN 1 and VLAN 2 to have public Internet access via NAT from the WAN port and this is working, but you do not want VLAN 1 and VLAN 2 to communicate with each other, is this correct?

           

          Having your existing configuration would be useful, but you probably want two different policy classes for VLAN 1 and VLAN 2.  They're probably both now in "Private".

           

          So assuming that VLAN 2 is your guest network, do something like the following:

           

          Create a new policy class "Guest"

           

          ip policy-class Guest

           

          Copy just the nat source list line from the Private policy class to the Guest policy class.

           

          Put the VLAN 2 interface in the Guest policy class.

           

          interface vlan 2

            ip access-policy Guest

           

          If this doesn't work, or isn't what you want to do, please clarify and post your existing configuration with passwords and sensitive information removed.

            • Re: Separating VLAN subnets from communication
              azaloum90 New Member

The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard run to set up basic internet access rules.  This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity. Therefore, I would need to ensure all other traffic destined for any other internal networks is dropped.   Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN1, 192.168.1.0) to block those packets?

               

For reference, VLAN2 is indeed a guest network with wireless access points and no wired nodes other than those access points.

                • Re: Separating VLAN subnets from communication
                  jayh Hall_of_Fame

                  azaloum90 wrote:

                   

The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard run to set up basic internet access rules.  This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity.

                  What I suggested should work, assuming that the WAN port is a public IP and you're doing NAT from the Private to Public zone now.  What it does is to have two separate "Private-like" zones, each of which NATs out to the same public IP but which are separated from each other by policy.

                   

                  The gateway address for 192.168.2.0/24 won't be 192.168.1.1, by the way.  It will most likely be 192.168.2.1 or whatever the interface IP is on the device for VLAN 2.

Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN1, 192.168.1.0) to block those packets?

                  It isn't the NAT rule as much as creating a different policy-class for the guest wireless than you are using for your business LAN.  The firewall by default blocks all traffic between different policy classes unless it is specifically allowed.  You would be allowing both the "Private" and "Guest" classes to NAT out to the "Public" class but without a rule that permits traffic between them they will be isolated from each other, which is your goal. The names of the zones "Public, Private, Guest" are just reference identifiers interpreted by the software.  You could call them Tom, ****, and Harry if you wanted, but it might make it harder to remember later.

                   

                  If my suggestion doesn't work, please post your configuration with passwords deleted.

                   

                  Message was edited by: jayh Actually, you probably can't name a zone ****.  The forum seems to have a rather aggressive dirty-word filter, but you get the idea. http://en.wikipedia.org/wiki/Scunthorpe_problem
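As an added illustration of the steps in jayh's first reply and the policy-class isolation explained above (this is example configuration written for this thread, not azaloum90's config or anything from Adtran), the "before" and "after" AOS fragments look roughly like this. The ACL name wizard-ics, the WAN port eth 0/1 and the .1 interface addresses are assumptions; substitute whatever your wizard-generated config actually uses.

```text
! Assumed: the firewall wizard created ACL "wizard-ics" and the WAN port is eth 0/1.

! BEFORE: both VLAN interfaces sit in the same policy class, so the firewall
! never evaluates traffic between them and 192.168.2.0/24 can reach 192.168.1.0/24.
ip firewall
ip policy-class Private
  nat source list wizard-ics interface eth 0/1 overload
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
  ip access-policy Private
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
  ip access-policy Private

! AFTER: a second class carrying only the NAT line, and VLAN 2 moved into it.
! The firewall denies traffic between different policy classes unless an
! allow or nat entry permits it, so Guest still reaches the Internet via the
! same public address but has no path to the Private class.
ip policy-class Private
  nat source list wizard-ics interface eth 0/1 overload
ip policy-class Guest
  nat source list wizard-ics interface eth 0/1 overload
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
  ip access-policy Guest
```

To confirm the isolation afterwards, a client on the guest wireless should get an address in 192.168.2.0/24 with 192.168.2.1 as its gateway, reach the Internet, and fail to reach any host in 192.168.1.0/24.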

                    • Re: Separating VLAN subnets from communication
                      vmaxdawg05 Past_Featured_Member

                      The best way to separate/protect the two networks from each other is to put them in different policy classes.  You can duplicate the NAT settings in each of the security zones to NAT to the desired address.  Putting the VLAN interfaces in different policy classes automatically blocks access to one another.

                • Re: Separating VLAN subnets from communication
                  levi Employee

                  azaloum90:

                   

                  I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                   

                  Thanks,

                  Levi