Overview

This article reviews three different scenarios for blocking LAN to VLAN2 routing, as well as some other techniques to fine-tune the interVLAN communication.

NOTES & REQUIREMENTS: Applies to our USG and UDM models with current stable firmware versions. We recommend always upgrading to the newest version, downloadable here.

Introduction

Inter-VLAN routing is enabled by default between all Corporate LAN networks. In this article, blocking LAN to VLAN2 will be demonstrated, as well as some other techniques to fine-tune your inter-VLAN communication on corporate networks. This article was written using a USG, but the same configuration can be made on the UDM models.

Option 1: Disable inter-VLAN routing between LAN and VLAN2


1. To disable inter-VLAN routing between LAN and VLAN2, open the UniFi Network Controller and go to Settings > Routing & Firewall > Firewall > Rules > LAN IN [1].

2. Create a new rule that Drops or Rejects [2] the traffic, with the configuration shown below.

Name: to your liking.

Enabled: ON

Rule Applied: before Predefined Rules

Action: Drop or Reject [2]

Protocol: All

Logging: to your liking

States: all unchecked (assumes all states)

Don't match on IPsec packets

Source Type: Network

Network: LAN - NETv4 [3]

Destination Type: Network

Network: VLAN2 - NETv4

NOTES:

1. LAN IN is where you want to filter all of your LAN/VLAN traffic, as IN is the first point of entry to the firewall, no matter the interface. The OUT ruleset is only used in rare special cases.

2. "Drop" silently discards the traffic, resulting in a "request timed out" message on the client; "Reject" sends a connection refused packet back to the client.

3. NETv4 covers the entire network; ADDRv4 only covers the USG's interface address for that network (e.g. 192.168.1.1-192.168.1.254 vs 192.168.1.1).

Option 2: Block all VLANs to one another


1. First create a firewall group containing the RFC1918 private address ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This is done in Settings > Routing & Firewall > Firewall > Groups > Create New Group; then click Save. See the screenshot below:

2. Still within the Firewall settings, move from the Groups tab to the Rules IPv4 tab, select LAN IN [1] and click Create New Rule, filling in the following configuration data:

CREATE NEW RULE

Name: to your liking

Enabled: ON

Rule Applied: Before Predefined Rules

Action: Drop or Reject [2]

IPv4 Protocol: all

ADVANCED

Logging: to your liking

States: all unchecked

IPsec: Don't match on IPsec packets

SOURCE

Source Type: Address/Port Group

IPv4 Address group: RFC1918 (the name of the group created in step 1)

Port Group: Any

MAC Address: Leave blank

DESTINATION

Destination Type: Address/Port Group

IPv4 Address Group: RFC1918

Port Group: Any

Using the above rule will block all private network communication between VLANs. Same-subnet/VLAN traffic will still be allowed as expected, because it is never sent to the default gateway (USG): the data traverses the layer 2 network and is forwarded as frames by the switches in between.

Option 3: Block LAN to VLAN2, but allow VLAN2 to LAN


If the objective is to block LAN to VLAN2 but allow VLAN2 to LAN, follow Option 1 first, then create a rule at the top (first rule) of LAN_IN like the one in the screenshot below. Adding this rule at the top of the ruleset allows all established and related stateful firewall traffic to pass, which is essentially all "reply" traffic.

Name: to your liking

Enabled: ON

Rule Applied: before Predefined Rules

Action: Accept

Protocol: Any

Logging: to your liking

States: Established and Related

Don't match on IPsec packets

Source Type: leave blank

Destination Type: leave blank

NOTE: When adding new rules, take into account that they won't take immediate effect on existing stateful connections. To solve this, perform one of the following:

1. Wait for the states to fall off (close all connections and wait for the state timeout, which is roughly 30 seconds).

2. SSH to the USG and type clear connection-tracking. This wipes the entire state table of the USG.

3. Reboot the USG.
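As an added illustration that is not part of the UniFi article, the following Python model evaluates a LAN_IN ruleset top to bottom the way Options 1 to 3 above describe, including the same-subnet case that never reaches the gateway and the wrong-order case (drop above the established/related accept) that would break reply traffic. The network names, sample addresses and helper functions are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample addressing for the example (assumed, not from the article).
NETWORKS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN2": ipaddress.ip_network("192.168.2.0/24"),
}
# The RFC1918 address group created in Option 2.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    """One LAN_IN rule: empty src/dst means 'any', empty states means 'all states'."""
    action: str
    src: List[ipaddress.IPv4Network] = field(default_factory=list)
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)
    states: Set[str] = field(default_factory=set)

def network_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    return next((name for name, net in NETWORKS.items() if ip in net), None)

def evaluate(rules: List[Rule], src: str, dst: str, state: str = "new") -> str:
    """Verdict for one packet: rules are checked top to bottom, first match wins,
    and with no match the USG's default inter-VLAN accept applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Same-subnet traffic is switched at layer 2 and never reaches LAN_IN.
    if network_of(s) is not None and network_of(s) == network_of(d):
        return "switched"
    for r in rules:
        if r.src and not any(s in n for n in r.src):
            continue
        if r.dst and not any(d in n for n in r.dst):
            continue
        if r.states and state not in r.states:
            continue
        return r.action
    return "accept"

# Option 1: drop LAN -> VLAN2; VLAN2 -> LAN stays allowed by default.
OPTION1 = [Rule("drop", [NETWORKS["LAN"]], [NETWORKS["VLAN2"]])]
# Option 2: drop private -> private; internet-bound traffic is untouched.
OPTION2 = [Rule("drop", RFC1918, RFC1918)]
# Option 3: the established/related accept must sit above the drop so that
# replies to connections VLAN2 opened toward LAN are let through.
OPTION3 = [Rule("accept", states={"established", "related"})] + OPTION1
WRONG_ORDER = OPTION1 + [Rule("accept", states={"established", "related"})]
```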

Related Articles


UniFi - USW: Using VLANs with UniFi Wireless, Routing & Switching Hardware

UniFi - VLAN Traffic Tagging