0 votes
2,100 views 4 comments
by
Hello,

I have set up three LAN networks on a RUT950 with latest firmware installed (RUT9XX_R_00.06.00.4):

LAN1: 192.168.130.xxx/24 with DHCP enabled

LAN2: 192.168.150.xxx/24 with DHCP enabled

LAN3: 192.168.170.xxx/24 with DHCP enabled

I've assigned each network to its own port-based VLAN:

LAN1 - Port1

LAN2 - Port2

LAN3 - Port3

However, when I connect a PC to any of these LAN ports I can ping IP addresses on the other LAN networks.

Is this correct? I was expecting each LAN network, within its own VLAN, to be unable to communicate with devices on the other LAN networks.

Is there any way I can ensure that devices cannot communicate between LANs?

Thanks in advance for any responses.

2 Answers

+1 vote
by

Hi,

You can set up zone forwarding rules that will drop packets sent between your networks. You can configure this via the Network → Firewall → General Settings → Zone Forwarding page. You'll find the documentation for that page here.

Best answer
by

Hi, thanks for the response.

I have configured Zone Forwarding as follows but can still ping IP addresses on the other VLAN ports.

Currently the router is out of the system and I'm testing this by pinging the default gateway for each LAN.

Am I still missing something?

by
Thanks Dziugas, your solution solved the problem (see comments in the second answer).
by
Glad to hear it. I was going to test it to see why it might not have worked, but I haven't really had the chance to do so the past day. Anyway, I'm glad everything worked out. Good luck using the router!
0 votes
by

Hi,

To block communication between gateways try something like this (Network -> Firewall -> Custom Rules):

# INPUT chain rules: these match traffic addressed to the router itself (the LAN gateway addresses)
# LAN1 <-> LAN2
iptables -A INPUT -s 192.168.130.1/24 -d 192.168.150.1/24 -j DROP
iptables -A INPUT -d 192.168.130.1/24 -s 192.168.150.1/24 -j DROP
# LAN1 <-> LAN3
iptables -A INPUT -s 192.168.130.1/24 -d 192.168.170.1/24 -j DROP
iptables -A INPUT -d 192.168.130.1/24 -s 192.168.170.1/24 -j DROP
# LAN2 <-> LAN3
iptables -A INPUT -s 192.168.150.1/24 -d 192.168.170.1/24 -j DROP
iptables -A INPUT -d 192.168.150.1/24 -s 192.168.170.1/24 -j DROP

by
Thanks, when I added these rules this seemed to work and I couldn't ping the other default gateways. However when the RUT950 was power cycled it seemed as if these rules were being ignored.

However, I don't think this matters because even though it's possible to ping remote gateways from another VLAN, Dziugas' answer above solved the problem of being able to ping across VLANs from physical controllers etc.
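The two answers in this thread target different netfilter chains, which explains why the custom rules only stopped pings to the gateways while zone forwarding stopped pings between devices. The following added example (not from the original thread or from Teltonika) generates the pairwise DROP rules for the three subnets from the question and runs a small model of which chain a packet traverses: traffic addressed to one of the router's own addresses goes through INPUT, traffic routed between VLANs goes through FORWARD. The gateway addresses (.1 on each subnet) are an assumption, and the model ignores rule order and connection tracking.

```python
"""Added example: pairwise inter-VLAN DROP rules and a toy INPUT-vs-FORWARD model.

Not the router's own code. Subnets are taken from the question; the gateway
addresses (x.x.x.1) are assumed.
"""
import ipaddress
from itertools import combinations

# Subnets from the question; the .1 gateway address on each is an assumption.
LANS = {
    "LAN1": ipaddress.ip_network("192.168.130.0/24"),
    "LAN2": ipaddress.ip_network("192.168.150.0/24"),
    "LAN3": ipaddress.ip_network("192.168.170.0/24"),
}
ROUTER_ADDRS = {net[1] for net in LANS.values()}  # assumed gateways: 192.168.x.1


def pairwise_drop_rules(chain, lans=LANS):
    """Return iptables commands that drop traffic between every pair of LANs in `chain`.

    Both directions are emitted for each pair, so N subnets give N*(N-1) rules.
    """
    rules = []
    for (_, a), (_, b) in combinations(sorted(lans.items()), 2):
        rules.append(f"iptables -A {chain} -s {a} -d {b} -j DROP")
        rules.append(f"iptables -A {chain} -s {b} -d {a} -j DROP")
    return rules


def chain_for(dst, router_addrs=ROUTER_ADDRS):
    """A packet for one of the router's own addresses traverses INPUT; anything the
    router routes between its LANs traverses FORWARD."""
    return "INPUT" if ipaddress.ip_address(dst) in router_addrs else "FORWARD"


def lan_of(ip, lans=LANS):
    """Name of the LAN containing `ip`, or None if it belongs to none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in lans.items():
        if addr in net:
            return name
    return None


def verdict(src, dst, rule_chains):
    """Toy evaluation: 'DROP' if pairwise inter-LAN DROP rules are installed in the
    chain this packet traverses and src/dst are in different LANs, else 'ACCEPT'.

    `rule_chains` is the set of chains ("INPUT", "FORWARD") holding those rules.
    """
    if chain_for(dst) not in rule_chains:
        return "ACCEPT"
    s, d = lan_of(src), lan_of(dst)
    if s is not None and d is not None and s != d:
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed test packets: a PC on LAN1 talking to LAN2's gateway and to a PC on LAN2.
    cases = [("192.168.130.20", "192.168.150.1"), ("192.168.130.20", "192.168.150.20")]
    for chains in ({"INPUT"}, {"FORWARD"}):
        print(f"rules installed in {sorted(chains)}:")
        for src, dst in cases:
            print(f"  {src} -> {dst} ({chain_for(dst)}): {verdict(src, dst, chains)}")
    print("\nFORWARD rules that isolate the three LANs from each other:")
    print("\n".join(pairwise_drop_rules("FORWARD")))
```

With rules only in INPUT, the model drops the ping to the other LAN's gateway but accepts the PC-to-PC packet, which is the gap the thread ran into; with rules in FORWARD, the PC-to-PC packet is dropped, which is the effect the zone-forwarding change has on the actual router.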