Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-12-04 13:48:25

Hi everyone,

I installed an Omada controller that manages one ER605, one TL-SG2008P and one EAP245.

I created two different LANs: the first is my work LAN (LAN1) and the second is for guests (LAN2). At the moment the guest LAN is assigned to only one port of the switch.

And I want to permit traffic between LAN1 and LAN2 but drop traffic from LAN2 to LAN1.

I created a switch ACL rule like this (LAN1 is Lan_casa, and LAN2 is LAN_alloggio):

But it blocks traffic from LAN1 to LAN2 and also from LAN2 to LAN1; where is the error?

Thanks for any reply.

Re:Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1
2021-12-04 17:22:12

@GDU 

Can I ask what you are looking to achieve with this blocking? Is this for a specific piece of software?

The reason I ask is that blocking traffic from LAN 2 to LAN 1 could cause traffic issues, as traffic is unable to reply to the sender to indicate that it has received the packet correctly. This will really only work for UDP traffic, where there is no requirement for an acknowledgement to be sent.

For example, PING would fail from LAN 1 to LAN 2, even though LAN 1 will send the packet to LAN 2: LAN 2 cannot reply, therefore PING will fail. Could this be the issue you are experiencing?

You may need to open specific ports to allow whatever app you require to actually send from LAN 2 to LAN 1, and obviously block everything else.

Re:Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1
2021-12-05 14:31:48

@Philbert 

Hi,

I want to block traffic between the LANs, as one is for guests and one is for me; I want guests to browse but not see my network. I tested by pinging between one LAN and the other; in fact, if I remove ICMP from the blocked protocols or add a rule that allows ICMP, everything works.
On other devices I have added, it doesn't work like that; the return rule works automatically... that's why I didn't understand.

I'll take this opportunity to ask whether, in addition to the protocols present, it is possible to activate some custom ones. For example, I would need to allow traffic on port 8291.

Thanks.

Re:Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1
2021-12-05 17:45:17 - last edited 2021-12-05 17:45:37

@GDU 

This is more than possible; I have this setup myself.

I have a VLAN called CCTV, which, as you can guess, is for the CCTV camera. I don't want that to be accessible to my own personal LAN, except on specific ports used for viewing the CCTV recorder. Note that the PERMIT rules for the CCTV recorder ports are higher (above) the deny-all rule.

I therefore created a profile port group as shown below.

If you set the IP Subnet as your guest network (e.g. 192.168.2.1) on a /24, that will allow anyone on the guest VLAN. Add the ports you require and save this.

Create a switch ACL and ALLOW this profile access to the LAN you wish to restrict (personal LAN).

Then create a second switch ACL and block ALL from the guest network to the personal LAN (as you had earlier).

Ensure that the PERMIT is higher (above) the DENY. This should work for you in blocking ALL except the ports you have defined.

Hope that helps!

Re:Permit traffic from LAN1 to LAN2 and drop traffic from LAN2 to LAN1
2021-12-12 15:04:21

@Philbert 

Thanks for the reply. I tried to make the rule, but the problem is with return traffic.

Let me explain:

I block all traffic from LAN2 to LAN1, but the rule blocks the return traffic; in fact, if I try to use MikroTik Winbox to connect to one device in LAN2 from a PC in LAN1, it is not possible.

To do this I must create a rule that permits traffic from LAN2 to the single IP in LAN1 that runs the MikroTik Winbox app. That way everything works correctly.

The firewall rule does not automatically create a return rule...

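The behaviour discussed across this thread (switch ACLs checked top-down with first match, no automatic return rule, and the need to place a port-specific PERMIT above the DENY) as an added Python model. This is example code written for this page, not TP-Link's or Omada's implementation: the subnets 192.168.1.0/24 for LAN1 (Lan_casa) and 192.168.2.0/24 for LAN2 (LAN_alloggio), the host addresses, the traffic, and the "permit when no rule matches" default are all constructed assumptions. It reproduces the problem in the original post (the reply of a LAN1-initiated session is dropped by a plain deny), shows Philbert's ordering fix for one port, shows what the wrong order does, and contrasts both with a stateful filter that tracks connections, which is what the "return rule works automatically" devices in the thread are doing.

```python
"""Ordered, stateless switch-ACL evaluation versus a stateful filter.
Example code for this thread, not Omada's code. Subnets, hosts and the
default action are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN1 = "192.168.1.0/24"  # assumed: Lan_casa (personal/work LAN)
LAN2 = "192.168.2.0/24"  # assumed: LAN_alloggio (guest LAN)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # None for ICMP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate_stateless(rules, pkt, default="permit"):
    """Switch-ACL style: top-down, first match wins, and every packet is
    judged on its own with no memory of earlier packets. The 'permit'
    default when nothing matches is an assumption of this model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFilter:
    """Same rule list plus connection tracking: a packet that is the exact
    reverse of an already-permitted flow is accepted without consulting the
    rules. This is what a stateful firewall adds and a switch ACL lacks."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def process(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "permit"  # reply to an established flow
        action = evaluate_stateless(self.rules, pkt)
        if action == "permit":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


# Constructed traffic: a LAN1 host opens a TCP session to a LAN2 host and the
# LAN2 host answers; a LAN2 host separately tries two ports on a LAN1 host.
SYN = Packet("192.168.1.10", "192.168.2.20", "tcp", sport=50000, dport=80)
SYN_ACK = Packet("192.168.2.20", "192.168.1.10", "tcp", sport=80, dport=50000)
WINBOX = Packet("192.168.2.20", "192.168.1.5", "tcp", sport=50100, dport=8291)
SSH = Packet("192.168.2.20", "192.168.1.5", "tcp", sport=50101, dport=22)

DENY_ALL = Rule("deny", LAN2, LAN1)  # guest -> personal, as in the first post
PERMIT_WINBOX = Rule("permit", LAN2, "192.168.1.5/32", "tcp", 8291)


def run_scenarios():
    """Return the verdict each ruleset gives for each constructed packet."""
    out = {}
    # 1) Only the deny rule: the reply to a LAN1-initiated session is
    #    dropped too, so the session never completes (the reported problem).
    out["deny_only"] = {
        "syn": evaluate_stateless([DENY_ALL], SYN),
        "syn_ack": evaluate_stateless([DENY_ALL], SYN_ACK),
    }
    # 2) Port-specific permit above the deny: that port reaches one host,
    #    everything else is still blocked, including the reply from (1).
    ordered = [PERMIT_WINBOX, DENY_ALL]
    out["permit_above_deny"] = {
        "winbox": evaluate_stateless(ordered, WINBOX),
        "ssh": evaluate_stateless(ordered, SSH),
        "syn_ack": evaluate_stateless(ordered, SYN_ACK),
    }
    # 3) Same rules, wrong order: first match wins, the permit is unreachable.
    out["deny_above_permit"] = {
        "winbox": evaluate_stateless([DENY_ALL, PERMIT_WINBOX], WINBOX),
    }
    # 4) Stateful filter, same rules: the outbound SYN created a tracked flow,
    #    so its reply is accepted; unsolicited SSH from the guest is not.
    sf = StatefulFilter(ordered)
    sf.process(SYN)
    out["stateful"] = {"syn_ack": sf.process(SYN_ACK), "ssh": sf.process(SSH)}
    return out


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

Scenario 2 is the workable switch-ACL configuration from the thread: it only helps for sessions that the guest side initiates towards an explicitly listed port on an explicitly listed host, and it never lets a blanket deny coexist with sessions initiated from the personal LAN. If the goal is "LAN1 may reach LAN2 freely, LAN2 may not reach LAN1", scenario 4 is the behaviour to look for, and that needs a stateful device (a router or firewall with connection tracking) rather than a stateless switch ACL.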