RT2600ac Crazy question (Router Firewall rules)

[Jan Janowski]

Crazy idea: Is it possible (legal) that a firewall rule like this could exist and work?

TCP/UDP, all ports, IP RANGE:192.168.1.160-.255, TCP/UDP, all ports, IP RANGE: 192.168.1.2-.159 DENY

Not near it to test. Thank you

 

[fredbert]

Provided that the connection reaches the firewall then that rule would work. I assume .1 is on one side/VLAN and .2 is on another side/VLAN.

 

[Jan Janowski]

Trying to avoid VLAN
But just occurred to me. Port 3 of 2600 goes to unmanaged switch, so, in theory… switch is occurring before 2600….
So maybe NOT!
I see I didn’t lay out System here with this in mind….

So, let me re-phrase this….
If .2….159 was on port 1 of 2600, and port two contained .160…..255

Would the rule then work???

 

[fredbert]

I mis-read your second IP range as there was a comma in it. Didn’t notice they are both on the same 192.168.1.x range. You have to have these ranges correctly defined in the router/firewall so they actually get to the firewall functionality.

The firewall has to see these ranges as distinct separate subnets associated with specific VLANs. The routing table has to know which next hop gateway (or router VLAN interface) is used to send on to these subnets.

In general the firewall won’t be used for mediating connections that it believes are on the same LAN/VLAN subnet.

 

[Jan Janowski]

Thanks. I make a lot of errors
Need to read more!

 

[Gerard]

I know the nas has a drop down so that you can set firewall rules on each interface.

Idk about router manager, but if it’s the same instead of doing the firewall rules in all interfaces drop down you would do a rule of 192.168.1.2-.159 allow on interface 1 and then 192.169.1.160-.254 of interface 2.

 

[fredbert]

Now I'm not looking on my phone....

The best you can do is to split the single 192.168.1.0/24 subnet and, in SRM terms, assign each new smaller subnet to different LAN-side VLANs.

VLAN	Simple Design	Complex design #1	Complex design #2
A	Single subnet 192.168.1.0/25 (.0 - .128)	Primary subnet 192.168.1.0/25 (.0 - .128) Router on VLAN A as gateway to secondary subnet 192.168.1.129/27 (.129 - .159) SRM routing table updated to use Router on VLAN A IP as next hop for secondary subnet	Single subnet 192.168.1.0/25 (.0 - .128) Allow full access between VLANs A and A1
A1	--	--	Single subnet 192.168.1.129/27 (.129 - .159) Allow full access between VLANs A and A1
B	Single subnet 192.168.1.129/25 (.129 - .255)	Primary subnet 192.168.1.160/27 (.160 - .191) Router on VLAN B as gateway to secondary subnet 192.168.1.192/26 (.192 - .255) SRM routing table updated to use Router on VLAN B IP as next hop for secondary subnet	Single subnet 192.168.1.160/27 (.160 - .191) Allow full access between VLANs B and B1
B1	--	--	Single subnet 192.168.1.192/26 (.192 - .255) Allow full access between VLANs B and B1