Blocking Tagged vlan traffic from being forwarded to Untagged

sniper8752 · 12-05-2020, 02:51 PM

I have two networks that I would like to keep separated, and not allow them to talk to devices on each other. They both should be able to reach out to the Internet though.
Two subnets: 192.168.100.1/24, 192.168.200.1/24
The bastion/server is running iptables.
On the server, I created a vlan interface (id of 2). As for all other traffic right now, it is not defined/setup, or I guess you could say, "untagged". To stand up the vlan interface (for 200.1) on the server, I followed this tutorial: https://www.voiphow.com/how-to-confi...lan-in-ubuntu/.
Please bear with me as I am learning about this vlan stuff.

I notice that from my vlan of 2 (200.1 subnet), I am able to ping traffic on 100.1, which I would like to prevent and keep separate. How do I do this? I believe the answer is with iptables, but I am not sure.

EDIT:
Behind the server, I have a smart switch. I am using 802.1Q VLAN. All ports except 2 are part of vlan1 and are untagged. I put port 2 as a tagged port, of vlan ID 2.

ferrari · 12-05-2020, 03:44 PM

So you need to drop traffic attempting to reach 192.168.100.0/24 from 192.168.200.0/24, but do allow access to public IP addresses....

Add

Code:

iptables -I FORWARD -s 192.168.200.0/255.255.255.0 -d 192.168.100.0/255.255.255.0 -j DROP

This will capture traffic attempting to reach the 192.168.100.0/24 network. Then add another rule immediately after this so that WAN traffic is still able to pass through...

Code:

iptables -A FORWARD -s 192.168.200.0/255.255.255.0 -d 0.0.0/0.0.0.0 -j ACCEPT

sniper8752 · 12-10-2020, 05:31 PM

It seems to work, for the most part. I can not ping any hosts on 100, except for one: the other interface (internal) on the server. I am not sure if this matters, but it is in PROMISC mode.