Firewall configuration

Hi all
I'm trying to set up a DMZ on my Flint 2.
I've created several VLANs using VLAN filtering:


VLAN 10 is the DMZ VLAN. It should have access to the internet, but no access to my LAN.
I've created an interface on br-lan.10

And assigned it to DMZ zone

Here's my fw setup:

In my understanding a client from the DMZ shouldn't have access to the LAN, however:

Why is the host from the DMZ VLAN still able to reach a host on the LAN?

Because your default setting is to allow?

You set up a bridge, so it would be helpful to see what is included in your bridge. Also, if you kept that interface in your LAN bridge, and your VLANs are only tagged with no default, I am not sure the firewall would even be in play. Perhaps someone way smarter than I am can look into this further with you, but when I set up my VLANs, I just assigned the interface and did not configure a new bridge, and all of my VLANs are untagged, allowing my switch to control VLAN membership.

1 Like

Here's a screenshot of my bridge setup:


Other settings below:


I have a separate interface for each VLAN on the same bridge.

Should I move my VLANs to different bridges to make the firewall work?

Still looking for some help on this.

It turns out the default input action should be deny indeed, and in order to prevent complete router unavailability I had to create an allow rule to "this device" first.

1 Like
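For readers who want the outcome of this thread in configuration form rather than screenshots, below is an added example (not the original poster's config, not GL.iNet's or OpenWrt's own example) of the zone setup described in the last post, written as an OpenWrt `/etc/config/firewall` fragment. It assumes the DMZ logical interface is named `dmz` and is bound to `br-lan.10`, and that the WAN zone is called `wan`; the weak zone policy that lets DMZ traffic through is shown commented out beside the restrictive one.

```uci
# Assumed: interface 'dmz' (device br-lan.10) already exists in /etc/config/network.

# Weak variant: with forward ACCEPT the router happily routes DMZ -> LAN,
# and with input ACCEPT every router service is reachable from the DMZ.
#config zone
#	option name 'dmz'
#	list network 'dmz'
#	option input 'ACCEPT'
#	option output 'ACCEPT'
#	option forward 'ACCEPT'

# Restrictive DMZ zone: traffic to the router itself (input) and traffic
# between interfaces of this zone (forward) is rejected unless a rule allows it.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only inter-zone path granted to the DMZ: out to the internet.
# No 'forwarding' stanza from dmz to lan exists, so DMZ -> LAN is rejected.
config forwarding
	option src 'dmz'
	option dest 'wan'

# The "allow to this device" rule from the last post: without it, input REJECT
# also blocks DHCP (udp/67) and DNS (tcp+udp/53) served by the router, so DMZ
# clients would get no address and no name resolution.
config rule
	option name 'Allow-DHCP-DNS-from-DMZ'
	option src 'dmz'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall reload`, a host in VLAN 10 should still obtain a lease and resolve names, reach the internet, and get connection refused or a timeout when it tries any LAN address; `fw4 print` (or `nft list ruleset`) shows the generated nftables rules so the zone policies can be checked directly rather than inferred from the GUI.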