
VLAN Connection to the Internet

Thanks @leadeater, that helps clear up a few things for me.

I finally got my router in place, and I started testing VLANs and what they can and cannot access.

On the IoT VLAN (VLAN20) I'm getting a perfectly segregated VLAN with wifi devices, which can't ping devices on other VLANs, even when that device is on the same subnet. So this is good. All devices are connected to the internet, which I wanted, and they have no access to my network. The way I have this set up is through trunking the router port on my switch for VLAN20, while VLAN1 (Default) remains untagged. I also tagged the port that my wireless AP is connected to (which is set up with a separate SSID for each VLAN), and then just connected each device to the specific SSID. Each device obtains an IP via DHCP, and everything works.

The issue I'm having is with the security VLAN (VLAN10). I want to eliminate internet access, and I want it to live alone on its own VLAN (adding my security server to it, which will have internet access via VLAN1). So, the first way I attempted this was through removing the router trunk on VLAN20, but I left the wireless AP trunk enabled because I have a couple of wireless cameras. Through doing this I found how I could easily remove or add internet access by trunking the router, but when I remove the trunk, I also remove the ability for devices to obtain IP addresses via DHCP. So my question is how do I allow routing functionality, but remove internet access. Is this a function of the firewall? If so, I've tried a few things, but I have little knowledge of adding policies to the firewall.


3 hours ago, Strikermed said:

So my question is how do I allow routing functionality, but remove internet access. Is this a function of the firewall? If so, I've tried a few things, but I have little knowledge of adding policies to the firewall.

Yeah, you can remove the ability of the security VLAN to access the internet via the firewall, but sadly I'm not 100% sure on how to do so. If I remember right, you have to make a group and put the security VLAN in it. Then add a new rule to the firewall that drops the packets for that group.

I'm still playing with my USG Pro-4 and breaking things with VLANs. This whole thread is helping me with my own network setup with VLANs. I'm also learning how subnetting works and how I locked myself out of my APs by attempting to put them in a different subnet from the controller (fun experience for me to get them back).


3 hours ago, Strikermed said:

The issue I'm having is with the security VLAN (VLAN10). I want to eliminate internet access, and I want it to live alone on its own VLAN (adding my security server to it, which will have internet access via VLAN1). So, the first way I attempted this was through removing the router trunk on VLAN20, but I left the wireless AP trunk enabled because I have a couple of wireless cameras. Through doing this I found how I could easily remove or add internet access by trunking the router, but when I remove the trunk, I also remove the ability for devices to obtain IP addresses via DHCP. So my question is how do I allow routing functionality, but remove internet access. Is this a function of the firewall? If so, I've tried a few things, but I have little knowledge of adding policies to the firewall.

You could either use firewall rules as @scottyseng said, or give the DHCP server an interface on the security VLAN and then add and remove the security VLAN from the router trunk port when you need to; this way DHCP will still work, as that server always has an interface on the security VLAN as well as the default. Security-wise this isn't as good, because you have a server bridging access between a secure and a non-secure VLAN/network, but the security server/VM is doing that anyway, and there isn't a way to avoid that without only having the VM on the security VLAN and creating more firewall rules.
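The firewall approach scottyseng describes and leadeater seconds above, modelled as a first-match rule table so the ordering problem becomes visible: if the "drop everything from VLAN10" rule sits above the DHCP rule, the cameras lose their leases exactly as they did when the trunk was removed. This is an added illustration, not config from the thread or from the USG; the subnets, gateway addresses and rule names are assumptions I made up for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subnets (assumptions; the thread names VLAN ids, not addresses).
VLAN1 = ipaddress.ip_network("192.168.1.0/24")    # default VLAN, has internet
VLAN10 = ipaddress.ip_network("192.168.10.0/24")  # security cameras, no internet
VLAN20 = ipaddress.ip_network("192.168.20.0/24")  # IoT, internet only
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
BROADCAST = ipaddress.ip_network("255.255.255.255/32")
# The router is the DHCP server, reachable at the .1 of each VLAN (assumption).
GATEWAYS = [ipaddress.ip_network(f"{n[1]}/32") for n in (VLAN1, VLAN10, VLAN20)]

@dataclass
class Rule:
    name: str
    action: str            # "accept" or "drop"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int] = None   # None matches any destination port

def in_any(addr, nets):
    return any(addr in n for n in nets)

# First match wins, evaluated on traffic entering the router from the LAN side.
# DHCP has to come first: a discover is 0.0.0.0 -> 255.255.255.255 udp/67 and a
# renewal is unicast to the gateway, and both would hit the VLAN10 drop otherwise.
RULES = [
    Rule("allow-dhcp", "accept", [ANY], [BROADCAST] + GATEWAYS, dport=67),
    Rule("vlan10-no-forwarding", "drop", [VLAN10], [ANY]),   # the "group + drop" rule
    Rule("vlan20-no-lan", "drop", [VLAN20], RFC1918),         # IoT stays off the LAN
    Rule("default-accept", "accept", [ANY], [ANY]),
]

def evaluate(src, dst, dport=None):
    """Return (action, rule name) for a flow, or an implicit drop if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if in_any(s, r.src) and in_any(d, r.dst) and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "drop", "implicit"

def dhcp_works(vlan):
    """True if both a discover and a unicast renewal from this VLAN reach the router."""
    disc = evaluate("0.0.0.0", "255.255.255.255", 67)[0] == "accept"
    renew = evaluate(str(vlan[10]), str(vlan[1]), 67)[0] == "accept"
    return disc and renew

if __name__ == "__main__":
    for vlan in (VLAN1, VLAN10, VLAN20):
        print(vlan, "DHCP ok" if dhcp_works(vlan) else "DHCP broken")
    print(evaluate("192.168.10.50", "8.8.8.8", 443))   # camera to internet: dropped
```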
