DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2765Vac

16 Oct 2023 17:10 #102931 by dutchenery
Vigor 2765Vac was created by dutchenery
Hi, having set up 3 VLANs on the router, one for VoIP, one for Guest and one for TV (both Guest and TV are on the Wi-Fi part only), I just wonder how to also get these on a firewall. Obviously the router firewall is set, and the mainframe computer (Linux Mint) also runs ufw, which is set to the basic setting. Plus I run a VPN. So, how do I actually safeguard the VLANs? Is there a way to do this on the router? I assume that, as I only use the inbuilt switch of the router, it would have to be the router firewall? Any ideas very welcome.


25 Oct 2023 10:10 #102944 by HodgesanDY
Replied by HodgesanDY on topic Re: Vigor 2765Vac
Hi Dutchenery,

Yes, your Vigor router has a FW on it already, and now that you have separate VLANs established, you can start using the FW to block, and then allow, traffic between the different LANs (subnets) if you so desire.

If you want to allow traffic between the different LANs, though, you’ll first need to enable the Inter-LAN options; but if you’re only concerned about WAN traffic and VPN traffic, you won’t need to bother yourself with enabling the Inter-LAN options.

Your Vigor router’s firewall will only control traffic flowing from one subnet (LAN/VPN/WAN/DMZ etc.) to another subnet; it can’t control traffic flowing between nodes on the same subnet, i.e. two PCs on, say, LAN1.

The exception to this, though, is a VPN dialled-in user who is joining an existing LAN on your router. In that scenario you can use the FW to block, and then allow, traffic between the remote user and the nodes on the same subnet, because their established connections to that subnet are different.
So yes, you can lock down a dial-in user who is joining your network, and the same goes for a LAN-to-LAN VPN connection.

When it comes to LAN-to-LAN VPN connections with multiple subnets at each remote end, connections between these additional remote subnets will not be accessible by default; these will need adding to the LAN-to-LAN TCP/IP Network settings if you want these remote subnets to communicate.

FYI, by default, VPN connections have full access to the network they’re initially given access to, unlike LAN subnets, where, once established, the Inter-LAN options have to be enabled for full access to be granted between them.

So for best practice, it is vital to establish a total BLOCK rule for every inter-connected LAN/VPN/DMZ that you want to enable; then you can cherry-pick what you want to allow through the FW. Do this before establishing the connection(s), rather than giving them access and then trying to plug the wide-open hole you’ve created for them.

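The "total BLOCK first, then cherry-pick allows" structure described in the reply above, written out as an added example in Linux nftables rather than in the Vigor web interface (this is editorial illustration, not configuration from the thread or from DrayTek; the VLAN subnets, interface names and the 192.168.10.2 VoIP device are assumptions chosen for the example). The same shape applies on the router: the forward policy is drop, replies to already-permitted flows are accepted, every VLAN may reach the WAN, and a single narrow inter-VLAN exception is listed explicitly. Like the Vigor firewall, this filters only traffic crossing between subnets; two hosts on the same VLAN never traverse the forward hook.

```nftables
# Added example, not from the forum thread: default-deny between VLANs,
# then explicit allows. Addressing and interface names are hypothetical:
#   LAN1   192.168.1.0/24   wired, main PC            eth0.1
#   VoIP   192.168.10.0/24                            eth0.10
#   Guest  192.168.20.0/24  Wi-Fi only                eth0.20
#   TV     192.168.30.0/24  Wi-Fi only                eth0.30
#   WAN                                               eth1
define LAN_IFS    = { "eth0.1", "eth0.10", "eth0.20", "eth0.30" }
define WAN_IF     = "eth1"
define VOIP_DEV   = 192.168.10.2      # hypothetical SIP handset / ATA

table inet vlan_fw {
    chain forward {
        # The "total BLOCK" rule: anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies and related packets for flows already permitted below.
        ct state established,related accept
        ct state invalid drop

        # Every VLAN may reach the internet; nothing else by default.
        iifname $LAN_IFS oifname $WAN_IF accept

        # Cherry-picked inter-VLAN allow: main LAN may manage the VoIP device
        # over SSH and HTTPS only. Guest and TV get no inter-VLAN allows at all.
        iifname "eth0.1" oifname "eth0.10" ip daddr $VOIP_DEV tcp dport { 22, 443 } accept

        # Everything else between VLANs (Guest<->TV, Guest->LAN1, TV->VoIP, ...)
        # is dropped by the chain policy; log it so a missing allow is visible.
        log prefix "vlan-fw drop: " counter drop
    }
}
```

Load with `nft -f vlan_fw.nft` and watch the `vlan-fw drop:` log lines while you use each VLAN normally; each legitimate flow that shows up there becomes one more narrow accept rule, which is the cherry-picking the reply recommends, done with the block already in place.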
