Resolved
0 votes
I am using the business ClearOS with the latest version. I have many VLANs. I want my VLANs to not be able to see each other. For instance v60 is for guest, v30 VoIP, v20 wireless students, 01 default.

All are tagged except the default.

I was reading on this page. https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_network

I do use 1-to-1 NAT.

Will these instructions work flawlessly? I wish VLANs were isolated by default.

Below are the instructions in case the link does not work.

Thanks,
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Configuration Extras
Isolating LANs and VLANs
By default all LANs and VLANs can communicate with each other. If you want to isolate them, create a file /etc/clearos/firewall.d/05-isolatedlans and in it put:

#!/bin/bash

# This file is sourced by the ClearOS firewall start-up rather than executed,
# which is why it uses "return" instead of "exit" and relies on $IPTABLES and
# $FW_PROTO being set by the caller.

# Source networking configuration (provides $LANIF, the list of LAN interfaces).
. /etc/clearos/network.conf

# Bail if not IPv4.
if [ "$FW_PROTO" != 'ipv4' ]; then
    return 0
fi

if [ -n "$LANIF" ]; then
    # Add isolation rules: drop forwarding between every ordered pair of
    # distinct LAN interfaces. The rules are inserted at the top of FORWARD.
    for iLAN in $LANIF; do
        for oLAN in $LANIF; do
            if [ "$iLAN" != "$oLAN" ]; then
                $IPTABLES -I FORWARD -i "$iLAN" -o "$oLAN" -j DROP
            fi
        done
    done
fi

# Really all the above should be inserted below the existing "RELATED,ESTABLISHED" rule,
# but this is a dirty fix: delete the existing rule and insert a new one above the DROPs
# so replies to already established flows are still accepted.
$IPTABLES -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Then restart the firewall with a:

systemctl restart firewall.service
Wednesday, July 03 2019, 08:05 PM
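The documented 05-isolatedlans script above inserts the DROP rules at the top of FORWARD and then deletes and re-adds the RELATED,ESTABLISHED rule to keep it in front of them. The following is an added example, not ClearOS's own code and not from the documentation or the thread: it generates the same pairwise isolation rules but finds the position of the existing RELATED,ESTABLISHED ACCEPT rule in the running chain and inserts the DROPs directly below it, which is what the script's own comment says should really happen. It assumes LANIF holds the LAN interface names (as /etc/clearos/network.conf provides on ClearOS) and, because it cannot be run unprivileged otherwise, defaults IPTABLES to a dry-run "echo iptables" so the commands are only printed; the interface names eth1 eth2 eth3 at the bottom are constructed sample values. Note that these rules only match packets that both enter and leave on a LAN interface, so traffic arriving on the WAN interface (including 1:1 NAT forwards) is not matched by them.

```shell
#!/bin/sh
# Added example (not ClearOS code): pairwise LAN/VLAN isolation with the DROP
# rules placed directly below the RELATED,ESTABLISHED ACCEPT rule.
# IPTABLES defaults to a dry run that echoes the commands; set IPTABLES=iptables
# (as root) to apply them. LANIF is assumed to come from network.conf.
IPTABLES="${IPTABLES:-echo iptables}"
if [ -r /etc/clearos/network.conf ]; then
    . /etc/clearos/network.conf
fi

# Read `iptables -S FORWARD` output on stdin and print the rule position just
# below the first RELATED,ESTABLISHED ACCEPT rule (1, the top, if there is none).
established_pos() {
    awk '
        /^-A FORWARD/ { n++ }
        /^-A FORWARD/ && /RELATED,ESTABLISHED/ && /-j ACCEPT/ { found = 1; print n + 1; exit }
        END { if (!found) print 1 }
    '
}

# Emit one DROP per ordered pair of distinct interfaces in $1 (space separated),
# inserting each at FORWARD position $2 (default 1). Only packets entering on one
# LAN interface and leaving on another are matched, so WAN-to-LAN traffic such as
# 1:1 NAT forwards never hits these rules.
isolation_rules() {
    lanifs="$1"
    pos="${2:-1}"
    for iLAN in $lanifs; do
        for oLAN in $lanifs; do
            if [ "$iLAN" != "$oLAN" ]; then
                $IPTABLES -I FORWARD "$pos" -i "$iLAN" -o "$oLAN" -j DROP
            fi
        done
    done
}

# Look up the running chain, then place the isolation rules below the
# RELATED,ESTABLISHED rule so replies to existing flows keep being accepted.
apply_isolation() {
    pos=$($IPTABLES -S FORWARD | established_pos)
    isolation_rules "$LANIF" "$pos"
}

# Example run with constructed interface names (a real box takes LANIF from network.conf).
LANIF="${LANIF:-eth1 eth2 eth3}"
apply_isolation
```

Run unprivileged to preview the rule set for your interface list; with IPTABLES=iptables it inserts them into the live chain. Because the position is read from the running chain rather than assumed, the RELATED,ESTABLISHED rule is never deleted, so no packets are dropped during the window between the -D and the -I in the dirty-fix version.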
Accepted Answer

Wednesday, July 03 2019, 09:35 PM - #Permalink
Resolved
0 votes
ClearOS has always had a permissive policy between LANs although I have heard it suggested that we change. It is not something that can be done mid-stream as it could upset a lot of the customer base who are used to the current way of operation. The only way to implement it mid-version would be to add a switch on the firewall to allow the customer to turn on isolation, but to default it to off. I might be able to have a go at the firewall script if I could get to grips with its language (Lua), but the UI is much more difficult for me.

It is more likely that I may fix the multiple HotLAN issue in the same document. In theory it should work now but is buggy and requires a different approach to creating the rules. That is only a Lua fix and no webconfig.
Responses (3)
  • Accepted Answer

    Bill
    Tuesday, October 22 2019, 12:57 AM - #Permalink
    Resolved
    1 votes
    Can I add a +1 for this?

    Like the OP, I put everything that doesn't need to see anything else on its own VLAN. Predominantly that was via the Hot LAN feature. I discovered recently that all of my Hot LANs can see each other. This is not the desired (or until now even understood) behavior, and I ended up here looking for a solution.

    In future releases, a button that allows me to isolate that LAN would be fantastic.

    B
  • Accepted Answer

    Wednesday, July 03 2019, 09:16 PM - #Permalink
    Resolved
    0 votes
    Thanks for the quick response. I wasn't really asking a specific person, but I am glad the original programmer answered my question.

    I have about 10 plus VLANs and don't want any of them to see anything but their own VLAN. I thought tagged VLANs were supposed to be isolated by default. I don't mean on ClearOS, but in the general networking world.

    I'm no programmer in Linux or firewall rules, but I can click on a GUI and select what I need. One of the reasons I pay for ClearOS is its great GUI.

    I used to use SonicWall and its VLANs were isolated from the other VLANs, unless you create a rule to open it.

    What about 1-to-1 NAT? I go to different VLANs depending on the IP and port.

    I use this at a college and cannot break the system. I wish the GUI had an isolate switch on each VLAN or something.

    ClearOS is very stable for us and has saved us a ton of money over the years compared to SonicWall.
  • Accepted Answer

    Wednesday, July 03 2019, 08:59 PM - #Permalink
    Resolved
    0 votes
    You're asking me to confirm my own work as I wrote it. I tested it at the time as it was a response to a customer request and believe it to be correct.

    Note that you may want the Guest LAN to be a HotLAN as this also blocks access to the server apart from DNS and DHCP, but this would complicate the script as noted.