
Separate traffic from different ports on an EdgeRouter Lite

Hello all. I want to preface that I have spent about 3 hours researching this forum and several others before asking this question and can't find an exact answer. I am going to provide links to what I think is close, but I am not positive and could use some help.

I'm new to Ubiquiti and am trying to make it so that ports can't see each other.

My WAN port (internet comes in on) is eth1. It is named "WAN".

My LAN port is eth0 and it is named "Local Network". The IP is 192.168.1.1/24.

My other LAN port is eth2 and it is named "Guest Network". The IP is 192.168.2.1/24.

I am trying to make it so that my "Guest Network" on eth2 cannot see anything or be able to ping any devices on my "Local Network" on eth0. I am currently able to ping the devices. I have confirmed this by using "advanced ip scanner" and a few other programs.

I have read there are 2 ways to accomplish this: one using VLANs, and one using firewall rules. I would prefer to use firewall rules because I see no reason to use VLANs when I have two different physical ports (eth0, eth2). I have read there are ways to do this with the GUI and not the command line. I am not comfortable with using the CLI interface at this point. I am wondering if someone could walk me through exactly how to do this with my exact configuration that you see above. Any help would be greatly appreciated and I would be happy to pay a small amount for help. Thank you.

This is not my configuration below. I found this in another post and it seems to be close, but I'm not exactly sure of the steps to do this via the GUI:

If you just want to completely separate the two subnets, it should be fairly straightforward to configure the firewall in the GUI. Basically something like the following two rulesets might work:

  • Create one ruleset with default action "accept". Add a single rule that matches destination address 192.168.20.0/22 and action "drop". Apply this ruleset to the "in" direction for the "eth1" interface.
  • Create another ruleset with default action "accept". Add a single rule that matches destination address 192.168.10.0/24 and action "drop". Apply this ruleset to the "in" direction for the "eth2" interface.

Maybe you can give this a try (and of course you might need some variations, for example if you want to narrow the restrictions etc.) and see if that meets your needs.

Here is the link to that thread: https://community.ubnt.com/t5/EdgeMAX/separate-eth1-from-eth2/td-p/494887
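
The quoted rulesets use different interfaces and subnets from the setup described in the post. As an added example (not part of the original post or the linked thread), this Python sketch models the same two "in" rulesets with the post's addressing and checks constructed sample packets; the first-match evaluation model, the dictionary layout and the `harden_guest_local` helper are assumptions made for illustration. It also shows that an "in" ruleset only covers forwarded traffic, so packets addressed to the router itself need a ruleset in the "local" direction.

```python
import ipaddress

# Router addresses and subnets taken from the post.
ROUTER_ADDRS = {"192.168.1.1", "192.168.2.1"}
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # eth0, "Local Network"
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")   # eth2, "Guest Network"

# The quoted advice adapted to this addressing: default action accept plus
# one drop rule per LAN interface, applied to the "in" direction.
RULESETS = {
    ("eth0", "in"): {"default": "accept", "rules": [(GUEST_NET, "drop")]},
    ("eth2", "in"): {"default": "accept", "rules": [(LOCAL_NET, "drop")]},
}

def direction(dst):
    """'local' if the packet is addressed to the router itself, else 'in'."""
    return "local" if dst in ROUTER_ADDRS else "in"

def decide(in_iface, dst, rulesets=RULESETS):
    """Simplified model (assumption): first matching rule wins, otherwise the
    default action; an interface/direction without a ruleset accepts."""
    ruleset = rulesets.get((in_iface, direction(dst)))
    if ruleset is None:
        return "accept"
    addr = ipaddress.ip_address(dst)
    for network, action in ruleset["rules"]:
        if addr in network:
            return action
    return ruleset["default"]

def harden_guest_local(rulesets):
    """Hypothetical helper: attach a 'local' ruleset to eth2 so guests cannot
    reach the router's Local Network address (192.168.1.1)."""
    hardened = dict(rulesets)
    hardened[("eth2", "local")] = {"default": "accept",
                                   "rules": [(LOCAL_NET, "drop")]}
    return hardened

if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, destination address).
    samples = [("eth2", "192.168.1.50"), ("eth2", "8.8.8.8"),
               ("eth0", "192.168.2.50"), ("eth2", "192.168.1.1")]
    hardened = harden_guest_local(RULESETS)
    for iface, dst in samples:
        print(iface, dst, decide(iface, dst), decide(iface, dst, hardened))
```

Because both drop rules are stateless, replies are blocked as well, so neither network can hold a conversation with the other, which matches the complete separation the post asks for.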

 

 

 

