azaloum90
New Contributor II

Separating VLAN subnets from communication

Hello,

Running an Adtran NetVanta 3120 Firewall. Network is up and running properly. Ran Firewall wizard and configured internet access for both VLAN interfaces (VLAN1 = 192.168.1.0, VLAN2 = 192.168.2.0).

Ports 1 and 2 are configured for VLAN1, 3 as a trunk (connected to Cisco WAP4410N), and 4 configured for VLAN2 only.

I need 192.168.2.0 to go STRAIGHT out to the WAN port, and bypass the entire VLAN1 network of 192.168.1.0.

When on the wireless networks connected to VLAN2, I get the correct IP address on the 192.168.2.0 network, however I'm still able to communicate with hosts on the 192.168.1.0 network, and I cannot have that as this is for a guest network.

Please advise.

Thanks,

Adam

6 Replies
jayh
Honored Contributor

Re: Separating VLAN subnets from communication

To summarize, I believe that you want both VLAN 1 and VLAN 2 to have public Internet access via NAT from the WAN port and this is working, but you do not want VLAN 1 and VLAN 2 to communicate with each other, is this correct?

Having your existing configuration would be useful, but you probably want two different policy classes for VLAN 1 and VLAN 2.  They're probably both now in "Private".

So assuming that VLAN 2 is your guest network, do something like the following:

Create a new policy class "Guest"

ip policy-class Guest

Copy just the nat source list line from the Private policy class to the Guest policy class.

Put the VLAN 2 interface in the Guest policy class.

interface vlan 2

  ip access-policy Guest

If this doesn't work, or isn't what you want to do, please clarify and post your existing configuration with passwords and sensitive information removed.
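The two-class layout jayh describes, as an added configuration example (not jayh's or Adtran's own config). Assumed: eth 0/1 is the WAN interface, wizard-ics is the NAT access-list the wizard created, and the wizard's "self" access-list already exists; take the real names from show run on your own unit.

```text
! Added example: the guest class is a copy of the wizard's Private class
! with only the self rule and the nat source line, and no allow entry
! naming Private, so Guest<->Private traffic is dropped by the default
! deny between policy classes.
ip firewall
!
ip access-list standard wizard-ics
  permit any
!
! Business LAN class, as the wizard built it (names assumed)
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
! Guest class: same NAT line copied from Private, nothing else
ip policy-class Guest
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
  ip access-policy Private
!
! 192.168.2.1 is the VLAN 2 gateway for guest clients, not 192.168.1.1
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
  ip access-policy Guest
```

To confirm the isolation, ping a 192.168.1.x host from a wireless client on 192.168.2.0 and check that it fails while internet access still works.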

azaloum90
New Contributor II

Re: Separating VLAN subnets from communication

The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard run to set up basic internet access rules. This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network goes to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity. Therefore, I would need to ensure all other traffic destined for any other internal networks is dropped. Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN1, 192.168.1.0) to block those packets?

For reference, VLAN2 is indeed a guest network with wireless access points and no wired nodes other than those access points.

jayh
Honored Contributor

Re: Separating VLAN subnets from communication

azaloum90 wrote:

The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard run to set up basic internet access rules. This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network goes to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity.

What I suggested should work, assuming that the WAN port is a public IP and you're doing NAT from the Private to Public zone now.  What it does is to have two separate "Private-like" zones, each of which NATs out to the same public IP but which are separated from each other by policy.

The gateway address for 192.168.2.0/24 won't be 192.168.1.1, by the way.  It will most likely be 192.168.2.1 or whatever the interface IP is on the device for VLAN 2.

azaloum90 wrote:

Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN1, 192.168.1.0) to block those packets?

It isn't the NAT rule as much as creating a different policy-class for the guest wireless than you are using for your business LAN.  The firewall by default blocks all traffic between different policy classes unless it is specifically allowed.  You would be allowing both the "Private" and "Guest" classes to NAT out to the "Public" class but without a rule that permits traffic between them they will be isolated from each other, which is your goal. The names of the zones "Public, Private, Guest" are just reference identifiers interpreted by the software.  You could call them Tom, Dick, and Harry if you wanted, but it might make it harder to remember later.

If my suggestion doesn't work, please post your configuration with passwords deleted.

Message was edited by: jayh Actually, you probably can't name a zone ****.  The forum seems to have a rather aggressive dirty-word filter, but you get the idea. http://en.wikipedia.org/wiki/Scunthorpe_problem

Anonymous
Not applicable

Re: Separating VLAN subnets from communication

The best way to separate/protect the two networks from each other is to put them in different policy classes.  You can duplicate the NAT settings in each of the security zones to NAT to the desired address.  Putting the VLAN interfaces in different policy classes automatically blocks access to one another.

Anonymous
Not applicable

Re: Separating VLAN subnets from communication

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi

azaloum90
New Contributor II

Re: Separating VLAN subnets from communication

Hello

Yes, problem is solved. The separate security zones worked like I thought.

I replicated NAT rules from the original security zone and all worked as expected.

Thanks again!

Adam
