Description:

Communication between different networks of a router can either be restricted via firewall rules or via interface tags. For simple scenarios, interface tags are a good choice due to the low configuration effort required.

For more complex scenarios, where communication to another network is allowed or forbidden only for individual members, using the interface tags is not recommended, as in this case an additional firewall rule would be needed to remove the interface tag and set the correct tag.

This article describes how communication between different local networks on a router without WLAN and with permanently active Private Mode on the Ethernet interfaces can be restricted via interface tags.

Please note the following Knowledge Base articles regarding the network separation via ARF for additional device types (routers without permanently active Private Mode and routers with WLAN):

ARF: Separating local networks by using interface tags for devices without WLAN (only routers without permanent Private Mode)

ARF: Separating local networks by using interface tags for devices with WLAN

Information regarding the Private Mode of Ethernet interfaces:

If Private Mode is activated on the Ethernet ports, these cannot communicate with each other via Layer 2 (even when the same logical LAN interface is assigned to them). This means that on routers with permanently active Private Mode no communication between the Ethernet ports is possible. As a workaround, communication can be established via the LAN bridge by assigning the same bridge group to the logical LAN interfaces associated with the Ethernet ports. However, this should only be considered a temporary solution.

Requirements:

  • All routers with permanently active Private Mode on the Ethernet interfaces (all Central Site Gateways, 2100EF, IAP-5G and OAP-5G)
  • LCOS as of version 9.24 (download latest version)
  • LANtools as of version 9.24 (download latest version)

Scenario:

The aim is to restrict access between the networks NETWORK1, NETWORK2 and NETWORK3 on the LAN side of the router.

  • NETWORK1 on the interface LAN-1 (ETH 1) has the network ID 172.16.1.0 and, as the employee network, should have access to all other local networks and to the Internet.
  • NETWORK2 on the interface LAN-2 (ETH 2) has the network ID 172.16.2.0 and, as the guest network, should have access to the Internet only.
  • NETWORK3 on the interfaces LAN-3 and LAN-4 (ETH 3 and ETH 4) has the network ID 172.16.3.0 and, as the server network, should not actively access any other network; however, NETWORK1 should have access to these servers.

Procedure:

  • Interface tags can be allocated to the IP networks. This gives you control over the communication between the networks. Routing tags can be allocated in the routing table.
  • When combined with the interface tags, these make it possible to control which route may be used by which local network.


1) Assigning the interfaces to the networks:

The Ethernet interfaces ETH 5 and higher are not used in this scenario and can therefore be left on the default settings.

1.1) Open the configuration of the router in LANconfig and make sure that a different logical LAN interface is assigned to each of the Ethernet ports ETH 1 to ETH 4 in the menu Interfaces → LAN → Ethernet ports (ETH 1 → LAN-1, ETH 2 → LAN-2 and so on).

1.2) Go to the menu Interfaces → LAN → LAN bridge.

1.3) Open the menu Port table.

1.4) Make sure that the bridge group BRG-1 is assigned to the logical interface LAN-1.

Instead of assigning the bridge group BRG-1 it is also possible to select the option none and assign the logical interface LAN-1 to the employee network. However, this is not recommended, as a bridge group is required in some scenarios (e.g. the same bridge group has to be assigned to an L2TP connection and a LAN interface, so that communication via L2TP is possible).


1.5) Assign the bridge group BRG-2 to the logical interface LAN-2.

Instead of assigning the bridge group BRG-2 it is also possible to select the option none and assign the logical interface LAN-2 to the guest network. However, this is not recommended, as a bridge group is required in some scenarios (e.g. the same bridge group has to be assigned to an L2TP connection and a LAN interface, so that communication via L2TP is possible).


1.6) Assign the bridge group BRG-3 to the logical interface LAN-3.

1.7) Assign the bridge group BRG-3 to the logical interface LAN-4.



2) Assigning the logical interfaces and interface tags to the IP networks:

  • IP networks with the interface tag 0 can access all other networks.
  • IP networks with an interface tag in the range 1-65535 can only access IP networks that use the same interface tag.

You can check the assignment of the IP addresses to the interfaces via the CLI command show ipv4-addresses.

2.1) Go to the menu IPv4 → General → IP networks.

2.2) Click Add and subsequently create three new networks.

The entries INTRANET and DMZ must not be removed. They are referenced in other menus (e.g. in the DHCP networks); removing them without adjusting those references would result in the configuration no longer being writable via LANconfig!


2.3) Modify the following parameters for the employee network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK1).
  • IP address: Enter an IP address for this network (in this example 172.16.1.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interface assignment: Make sure that the interface BRG-1 is selected.
  • Interface tag: Make sure that the tag 0 is set. This means that members of this network can access all other local networks.


2.4) Modify the following parameters for the guest network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK2).
  • IP address: Enter an IP address for this network (in this example 172.16.2.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interface assignment: Select the interface BRG-2 from the dropdown menu.
  • Interface tag: Enter the tag 1. This means that members of this network cannot access any other local network.

2.5) Modify the following parameters for the Server network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK3).
  • IP address: Enter an IP address for this network (in this example 172.16.3.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interface assignment: Select the interface BRG-3 from the dropdown menu.
  • Interface tag: Enter the tag 2. This means that members of this network cannot access any other local network.

2.6) The list of the IP networks should now contain the following three entries in addition to INTRANET and DMZ:

  Network name   IP address   Netmask         Interface   Interface tag
  NETWORK1       172.16.1.1   255.255.255.0   BRG-1       0
  NETWORK2       172.16.2.1   255.255.255.0   BRG-2       1
  NETWORK3       172.16.3.1   255.255.255.0   BRG-3       2



3) Creating the routing entry:

As of LCOS 10.40 there is a separate table in the FIB (Forwarding Information Base) for each routing tag.

  • Routing entries with an Internet remote site and the routing tag 0 are copied to all tables in the FIB. This means that communication from all networks via an Internet connection with routing tag 0 is possible.
  • Routing entries with an Internet remote site and a routing tag not equal to 0 are only copied to the FIB table with the corresponding routing tag. This means that only the network with the corresponding interface tag can communicate via this routing entry.

Additional information regarding the routing behavior can be found in the LCOS reference manual:

https://www.lancom-systems.com/docs/LCOS/reference-manual/#topics/informationen_zum_routingverhalten.html

3.1) Go to the menu IP Router → Routing → IPv4 routing table.

3.2) Adjust the routing tag of the default route to your needs. In this example the tag was left at 0, so that all networks can communicate with the Internet via this routing entry.

You can also copy the default route and enter a routing tag not equal to 0. In this case only the network with the same interface tag can communicate via this routing entry.
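To check the tag assignments from sections 2 and 3 before writing them to a device, the following added example (not LANCOM code, and not part of this article) models only the documented rules: interface tag 0 reaches every local network, tag N reaches only networks with tag N, an Internet route with routing tag 0 is copied into every FIB table and a route with routing tag N only into table N. The network names, addresses and tags are the constructed values from this scenario; reply traffic of an allowed connection is not modelled.

```python
"""Model of the interface-tag and routing-tag rules described in this article.
Added example, not LANCOM code; it reproduces the documented policy only."""

# Constructed from the article's scenario: name -> (network ID, interface tag)
NETWORKS = {
    "NETWORK1": ("172.16.1.0/24", 0),  # employees, may reach everything
    "NETWORK2": ("172.16.2.0/24", 1),  # guests, Internet only
    "NETWORK3": ("172.16.3.0/24", 2),  # servers, no active access
}


def can_reach_local(src_tag: int, dst_tag: int) -> bool:
    """Section 2: a network may initiate traffic into another local network
    if its interface tag is 0 or equals the destination's interface tag."""
    return src_tag == 0 or src_tag == dst_tag


def can_use_route(src_tag: int, routing_tag: int) -> bool:
    """Section 3: a routing entry appears in a network's FIB table if its
    routing tag is 0 or equals the network's interface tag."""
    return routing_tag == 0 or routing_tag == src_tag


def local_reachability(networks):
    """{src: sorted list of the other local networks src can actively reach}"""
    return {
        src: sorted(dst for dst, (_, dst_tag) in networks.items()
                    if dst != src and can_reach_local(src_tag, dst_tag))
        for src, (_, src_tag) in networks.items()
    }


def internet_access(networks, internet_routing_tags):
    """{network: True if at least one Internet route is usable from it}"""
    return {
        name: any(can_use_route(tag, rt) for rt in internet_routing_tags)
        for name, (_, tag) in networks.items()
    }


def scenario_is_correct(networks):
    """Check the article's local-access requirements for the three networks."""
    r = local_reachability(networks)
    return (r["NETWORK1"] == ["NETWORK2", "NETWORK3"]
            and r["NETWORK2"] == [] and r["NETWORK3"] == [])


if __name__ == "__main__":
    print(local_reachability(NETWORKS))
    print(internet_access(NETWORKS, [0]))  # default route left at tag 0 (3.2)
    print(internet_access(NETWORKS, [2]))  # copied default route with tag 2
```

Passing `[2]` instead of `[0]` shows the variant from the last paragraph: only NETWORK3 (interface tag 2) can use a default route whose routing tag is 2.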