Hello All, so I wanted to add a couple of VLANS, and setup a firewall so that each VLAN cannot communicate to systems on the other VLANS. I got that working, but it would appear I broke my port-forwarding in the process.
My setup is:
eth0: Internet (Centurylink 1G PPPOE)
eth1: 10.192.20.1 (main network, pvid 1)
eth1.30 (vlan 30)
eth1.40 (vlan 40)
eth1.80 (vlan 80)
eth2: 10.168.20.1 (test network, will be removing it)
All my systems currently are on the default pvid 1, and I wanted to move some systems to 30, some to 40, and some to 80. I setup the rules / groups based on previous postings, and things are working great. Then I noticed that port forwarding via the internet to systems on pvid 1 no longer work. The issues appears to be when I add the eth1 to the vlan_in firewall rule, but I can't figure out the right way to "fix it" yet. I also would like systems on PVID1 to be able to communicate to other VLANS, but the rule I have setup now kills that, so any pointers would be great.
Here is my config:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group ET-A {
description "Emerging Threats addresses"
}
address-group ET-N {
description "Emerging Threats networks"
}
address-group VLANROUTER_IP {
address 10.192.30.1
address 10.192.40.1
address 10.192.80.1
address 10.192.20.1
}
network-group VLAN_NETS {
network 10.192.30.0/24
network 10.192.40.0/24
network 10.192.80.0/24
network 10.192.20.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name VLAN_IN {
default-action accept
rule 10 {
action accept
destination {
group {
address-group VLANROUTER_IP
}
}
}
rule 20 {
action drop
destination {
group {
network-group VLAN_NETS
}
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
log enable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
log enable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 30 {
action drop
description "drop ET-N"
log enable
source {
group {
address-group ET-N
}
}
}
rule 40 {
action drop
description "drop ET-A"
log enable
source {
group {
address-group ET-A
}
}
}
}
options {
mss-clamp {
interface-type pppoe
mss 1452
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "CenturyLink Fiber"
duplex auto
speed auto
vif 201 {
description "CenturyLink Fiber 201 VLAN"
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
password ************
user-id ***************
}
}
}
ethernet eth1 {
address 10.192.20.1/24
description "Green Net"
duplex auto
firewall {
in {
name VLAN_IN
}
}
speed auto
vif 30 {
address 10.192.30.1/24
description VLAN30
firewall {
in {
name VLAN_IN
}
}
mtu 1500
}
vif 40 {
address 10.192.40.1/24
description VLAN40
firewall {
in {
name VLAN_IN
}
}
mtu 1500
}
vif 80 {
address 10.192.80.1/24
description VLAN80
firewall {
in {
name VLAN_IN
}
}
mtu 1500
}
}
ethernet eth2 {
address 10.168.20.1/24
description "TEST Net"
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
lan-interface eth2
lan-interface eth1.30
lan-interface eth1.80
rule 1 {
description 1
forward-to {
address 10.192.20.70
port 88
}
original-port 9191
protocol tcp_udp
}
rule 2 {
description 2
forward-to {
address 10.192.20.71
port 80
}
original-port 9292
protocol tcp_udp
}
rule 3 {
description 3
forward-to {
address 10.192.20.72
port 80
}
original-port 9393
protocol tcp_udp
}
rule 4 {
description 4
forward-to {
address 10.192.20.73
port 80
}
original-port 9494
protocol tcp_udp
}
rule 5 {
description 5
forward-to {
address 10.192.20.74
port 88
}
original-port 9595
protocol tcp_udp
}
rule 6 {
description 6
forward-to {
address 10.192.20.75
port 88
}
original-port 9696
protocol tcp_udp
}
rule 7 {
description 7
forward-to {
address 10.192.20.76
port 88
}
original-port 9797
protocol tcp_udp
}
rule 8 {
description 9
forward-to {
address 10.192.20.78
port 88
}
original-port 9998
protocol tcp_udp
}
rule 9 {
description Obi202-1
forward-to {
address 10.192.20.50
port 16600-16798
}
original-port 16600-16798
protocol tcp_udp
}
rule 10 {
description Obi202-2
forward-to {
address 10.192.20.50
port 16800-16998
}
original-port 16800-16998
protocol tcp_udp
}
rule 11 {
description Obi202-3
forward-to {
address 10.192.20.50
port 17000-17098
}
original-port 17000-17098
protocol tcp_udp
}
rule 12 {
description Obi202-4
forward-to {
address 10.192.20.50
port 17100-17198
}
original-port 17100-17198
protocol tcp_udp
}
rule 13 {
description Obi202-5
forward-to {
address 10.192.20.50
port 5060-5080
}
original-port 5060-5080
protocol tcp_udp
}
rule 14 {
description Obi202-6
forward-to {
address 10.192.20.50
port 10000
}
original-port 10000
protocol udp
}
rule 15 {
description OpenVPN
forward-to {
address 10.192.20.13
port 1194
}
original-port 1194
protocol udp
}
rule 16 {
description Sling1
forward-to {
address 10.192.20.17
port 5001
}
original-port 5001
protocol tcp
}
rule 17 {
description Sling2
forward-to {
address 10.192.20.16
port 5003
}
original-port 5003
protocol tcp
}
rule 18 {
description IPSECVPN-1
forward-to {
address 10.192.20.13
port 4500
}
original-port 4500
protocol udp
}
rule 19 {
description IPSECVPN-2
forward-to {
address 10.192.20.13
port 500
}
original-port 500
protocol udp
}
rule 20 {
description 8
forward-to {
address 10.192.20.77
port 88
}
original-port 9999
protocol tcp_udp
}
rule 21 {
description "TEST"
forward-to {
address 10.168.20.80
port 443
}
original-port 443
protocol tcp
}
wan-interface pppoe0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name GreenNet {
authoritative disable
subnet 10.192.20.0/24 {
default-router 10.192.20.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 10.192.20.101 {
stop 10.192.20.199
}
}
}
shared-network-name VLAN40 {
authoritative disable
subnet 10.192.40.0/24 {
default-router 10.192.40.1
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 10.192.40.100 {
stop 10.192.40.150
}
}
}
}
dns {
dynamic {
interface pppoe0 {
service dyndns {
host-name *******
login *******
password ******
server domains.google.com
}
}
}
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
listen-on eth1.30
listen-on eth1.40
listen-on eth1.80
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
log disable
outbound-interface pppoe0
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name ubnt
login {
user ****** {
authentication {
encrypted-password
plaintext-password
}
full-name
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipv4 {
pppoe enable
vlan enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
host 10.192.20.95 {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
task-scheduler {
task update-ET {
executable {
path /config/scripts/update-ET-groups
}
interval 1d
}
}
time-zone America/Denver
traffic-analysis {
dpi enable
export enable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.5.4884695.160608.1057 */