Hi!
I’m looking for some recommendations. I have multiple VLANs, each mapping to their own interface and firewall zone. Just for the sake of argument, let’s call them lan, guest and iot. There is also the wan zone as usual.
Now, in my firewall’s default configuration, I set INPUT in the guest and iot zones to REJECT, and to DROP in wan, as I don’t want devices on those networks to be talking to the router. The exception is lan, where I set it to ACCEPT so I can get to the router from devices in my trusted perimeter.
Now, I need devices in guest and iot to reach the router for some services: DHCP, IGMP, DNS, etc.
I can set up traffic rules for those, but it gets a little unwieldy. Since I don’t want wan to have that same kind of access, I need to duplicate each of the traffic rules for each of the “untrusted” zones within my network (guest and iot).
Either that, or make the top rule a wan drop, but then I can’t rely on default zone rules for dropping and the traffic rules would eventually get pretty messy as I add things.
Now, in this example things are still relatively manageable. Now imagine I have multiple WAN interfaces (regular one straight to the ISP, plus some VPN tunnels to different places). I want traffic from all of these WAN interfaces to be dropped by default, but some traffic allowed depending on specifics.
On top of that, I may want to add more VLANs that will also need access to basic networking services on the router, so adding individual rules for each VLAN gets pretty complex pretty quick.
What’s a good way to approach this that will allow me to keep the default zone settings as defaults, and only use traffic rules for hole punching?
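To make the duplication described above concrete, here is an added example in OpenWrt /etc/config/firewall (UCI) syntax. It is not the original poster's configuration: the zone and network names (lan, guest, iot, wan) come from the post, while the assumption that the router itself serves DHCP and DNS, the specific ports, the rule names and the forward policies are assumptions made for the example.

```uci
# Added example, not the poster's config. Assumes OpenWrt firewall (fw3/fw4)
# syntax and that each zone name matches a network of the same name.

# Trusted zone: router is reachable from here by default.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Untrusted internal zones: INPUT rejected unless a rule punches a hole.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# WAN: silently dropped, no service rules below apply to it.
config zone
	option name 'wan'
	list network 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'

# --- Holes for guest (assumed services: DHCP, DNS, IGMP) ---
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'      # clients send DISCOVER/REQUEST to the server port
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP-guest'
	option src 'guest'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# --- The same three rules again for iot: this is the duplication ---
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP-iot'
	option src 'iot'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
```

The duplication exists because each `config rule` section takes a single `src` zone, so a hole punched for guest does not apply to iot. Note also that a zone can carry several networks via repeated `list network` lines, with the zone's `forward` policy deciding whether traffic is forwarded between those networks; whether that fits depends on how strictly the VLANs must be isolated from each other.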