Quelle anzeigen

Description:

Communication between different networks of a router can either be restricted via firewall rules or via interface tags. For simple scenarios, interface tags are a good choice due to the low configuration effort required.

For more complex scenarios, where communication to another network is allowed or forbidden only for individual members, using the interface tags is not recommended, as in this case an additional firewall rule would be needed to remove the interface tag and set the correct tag.

This article describes, how communication between different local networks on a router without WLAN and with permanent Private Mode on the Ethernet interfaces can be restricted via interface tags.

Beachten Sie zur Netztrennung per ARF für weitere Geräte-Typen (Router ohne permanenten Private Mode sowie Router mit WLAN) die folgenden Knowledge Base Artikel:

ARF: Abgrenzen lokaler Netze durch Nutzung des Schnittstellen-Tags auf Routern ohne WLAN (nur Router ohne permanenten Private Mode)

ARF: Abgrenzen lokaler Netze durch Nutzung des Schnittstellen-Tags bei Geräten mit WLAN

Informationen zum Private Mode von Ethernet-Schnittstellen:

Wird der Private Mode auf den Ethernet-Ports aktiviert, können diese nicht miteinander auf Layer 2 kommunizieren (auch, wenn diesen das gleiche logische LAN-Interface zugewiesen ist). Auf Routern mit permanent aktivem Private Mode ist somit erstmal keine Kommunikation zwischen den Ethernet-Ports möglich. Als Workaround kann die Kommunikation über die LAN-Bridge erfolgen, indem den zu den Ethernet-Ports zugehörigen logischen LAN-Interfaces die gleiche Bridge-Gruppe zugewiesen wird. Dies sollte aber nur als Notlösung betrachtet werden.

Requirements:

All routers with permanently active Private Mode on the Ethernet interfaces (all Central Site Gateways, 2100EF, IAP-5G and OAP-5G)
LCOS as of version 9.24 (download latest version)
LANtools as of version 9.24 (download latest version)

Scenario:

The aim is to restrict access between the networks NETWORK1, NETWORK2 and NETWORK3 on the LAN side of the router.

NETWORK1 with the Interface LAN-1 (ETH 1) has the Network ID: 172.16.1.0 and as an employee network should provide access to all other local networks and to the Internet.
NETWORK2 with the Interface LAN-2 (ETH 2) has the Network ID: 172.16.2.0 and as a guest network should provide access to the Internet only.
NETWORK3 with the Interface LAN-3 and LAN-4 (ETH 3 and ETH 4) have the Network ID: 172.16.3.0 and as a server network should not have active access to any other network; however, NETWORK1 should have access to these servers.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > Szenario.jpg

Procedure:

Interface tags can be allocated to the IP networks. This gives you control over the communication between the networks. Routing tags can be allocated in the routing table.
When combined with the interface tags, these make it possible to control which route may be used by which local network.

1) Assigning the interfaces to the networks:

The Ethernet interfaces ETH 5 and higher are not used in this seencario and can therefore be left on the default settings.

1.1) Open the configuration of the router in LANconfig and make sure, that a different LAN interface is assigned to the Ethernet ports ETH 1 to ETH 4 in the menu Interfaces → LAN → Ethernet ports (ETH 1 → LAN-1, ETH 2 → LAN-2 and so on).

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 1.png

1.2) Go to the menu Interfaces → LAN → LAN bridge.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 2.png

1.3) Open the menu Port table.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 3.png

1.4) Make sure, that the bridge group BRG-1 is assigned to the logical interface LAN-1.

Instead of assigning the bridge group BRG-1 it is also possible to select the option none and assign the logical interface LAN-1 to the employee network. However, this is not recommended, as a bridge group is required in some scenarios (e.g. the same bridge group has to be assigned to an L2TP connection and a LAN interface, so that communication via L2TP is possible).

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 4.png

1.5) Assign the bridge group BRG-2 to the logical interface LAN-2.

Instead of assigning the bridge group BRG-2 it is also possible to select the option none and assign the logical interface LAN-2 to the employee network. However, this is not recommended, as a bridge group is required in some scenarios (e.g. the same bridge group has to be assigned to an L2TP connection and a LAN interface, so that communication via L2TP is possible).

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 5.png

1.6) Assign the bridge group BRG-3 to the logical interface LAN-3.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 6.png

1.7 Assign the bridge group BRG-3 to the logical interface LAN-4.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 7.png

2.) Assigning the logical interfaces and interface tags to the IP networks:

IP networks with the interface tag 0 can access all other networks.
IP networks with an interface tag in the range 1-65534 can only access IP networks that use the same interface tag.

You can check the assignment of the IP addresses to the interfaces via the CLI command show ipv4-addresses.

2.1) Go to the menu IPv4 → General → IP networks.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 8.png

2.2) Click Add and subsequently create three new networks.

The entries INTRANET and DMZ should not be removed. As these are also referenced in other menus (e.g. in the DHCP networks) without additional configuration changes this would result in the configuration no longer being able to be written via LANconfig!

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 9.png

2.3) Modify the following parameters for the employee network:

Network name: Enter a descriptive name for the network (in this example NETWORK1).
IP address: Enter an IP address for this network (in this example 172.16.1.1).
Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
Interfaces assignment: Make sure, that the interface BRG-1 is selected.
Interface tag: Make sure, that the tag 0 is selected. This means, that members from this network can access all other local networks.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 10.png

2.4) Modify the following parameters for the guest network:

Network name: Enter a descriptive name for the network (in this example NETWORK2).
IP address: Enter an IP address for this network (in this example 172.16.2.1).
Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
Interface assignment: Select the interface BRG-2 from the dropdown menu.
Interface tag: Enter the tag 1. This means, that members from this network cannot access any other local network.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 11.png

2.5) Modify the following parameters for the Server network:

Network name: Enter a descriptive name for the network (in this example NETWORK3).
IP address: Enter an IP address for this network (in this example 172.16.3.1).
Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
Interface assignment: Select the interface BRG-3 from the dropdown menu.
Interface tag: Enter the tag 2. This means, that members from this network cannot access any other local network.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 12.png

2.6) The list of the IP networks should now appear as follows.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 13.png

3) Creating the routing entry:

As of LCOS 10.40 there is an own table in the FIB (Forwarding Information Base) for each routing tag.

Routing entries with an Internet remote site and the routing tag 0 are copied to all tables in the FIB. This means, that communication from all networks via an Internet connection with routing tag 0 is possible.
Routing entries with an Internet remote site and a routing tag unequal 0 is only copied to the table in the FIB with the corresponding routing tag. this means, that only the network with the corresponding tag can communicate via this routing entry.

Additional information regardíng the routing behavior can be found in the LCOS reference manual:

https://www.lancom-systems.com/docs/LCOS/reference-manual/#topics/informationen_zum_routingverhalten.html

3.1) Go to the menu IP Router → Routing → IPv4 routing table.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 14.png

3.2) Adjust the routing tag of the default route to your needs. In this example the tag was left at 0, so that all networks can communicate with the Internet via this routing entry.

You can also copy the default route and enter a routing tag unequal to 0. In this case only a network with the same interface tag can communicate via this routing entry.

LANCOM Support Knowledge Base EN > ARF: Separating local networks by using interface tags for devices without WLAN (only routers with permanent Private Mode) > 15.png

Thank you for your feedback! You can also send us constructive suggestions for improving our knowledge base or ideas for new articles by email to knowledgebase@lancom.de.