Skip to main content

Who can use this Feature?

  • Partner
  • Company/Network Admins with Write access
  • Meter Support

Inter-VLAN Communication

Inter-VLAN communication can be enabled or disabled under the Network-wide > VLANs section of the Dashboard.

Rules

To block certain communications between VLANs after enabling inter-VLAN routing, or to only allow communication between certain hosts and/or certain port numbers, navigate to Firewall > ACLs > Rules. This is where more granular rules can be created. To create a rule click the ‘Add ACL rule’ button. This will expand a new window in the Dashboard on the right-hand side with the following options:
  • Enabled - Toggle ON to enable the rule. Toggle OFF to disable the rule.
  • Name - The display name of the rule. Name it something meaningful to you.
  • Description - Describe what the rule does if needed.
  • VLANs - Select which VLANs the rule should apply to.
  • Action - Choose to Deny or Allow the traffic.
  • Protocols - TCP, UDP, or ICMP can be selected. Choose the protocol types required for your rule.
  • Source - Select where the traffic would be originating from for your rule. This can be a single host, multiple hosts, an entire VLAN, or a WAN interface. Port numbers can also be specified.
  • Destination - Select where the traffic would be originating from for your rule. This can be a single host, multiple hosts, or an entire VLAN. Port numbers can also be specified.
As an example -Let’s say we enabled inter-VLAN routing between the guest and private network so guests can airplay to devices on the private network. However - there is a host on the private network (10.103.0.20) that we need to ensure no user on the guest network can access. This rule would look like this:
ACL rule configuration example
This rule (applied to the guest VLAN) blocks access from the entire guest VLAN to the particular host (10.103.0.20 on the private VLAN). Once created, your rule will display on the list in the center of the page:
Firewall rules list

Creating WAN ACL rules for Port Forwards

A use case for WAN ACLS is if port forwards are used. It is a good idea to create ACLs to lock down the port forward, if possible. This ensures that only certain remote hosts can access internal resources via the port forward. Looking at this port forward for SSH access as an example:
Port forward configuration example
Let’s say that only the IT admin’s home IP address should be able to access this server via SSH with the port forward. The IT admin’s home IP address is 32.65.33.8. The required rules would look like the following:
WAN ACL rules configuration
This set of rules allows the IT admin’s IP address to begin the SSH connection using port 2222 and drops packets from any other IP with the destination port of 2222. With this, the port forward can ONLY be applied to 32.65.33.8. It is important to note that since these ACLs apply to a WAN port, a private IP should almost never be used (the rule would never likely be matched if one is used).

How to read the Firewall Rules List

Rules are matched to network traffic as it ingresses to the Meter Security Appliance. This means rules should be applied to the VLAN where the ingress traffic is expected to be on. Using the same example above - the deny to block Guest VLAN traffic to 10.103.0.20 is applied to the Guest VLAN. This is because packets that can match this rule would ingress from the Guest VLAN. Along those lines - it is important to note that the Firewall on the Meter Security Appliance is considered a stateless firewall. This means that rules are read in order. The first one that matches the traffic will be applied. There are also default rules that are created by enabling Inter-VLAN routing or DNS Security. To view the rules toggle the ‘Show default rules’ toggle to ON. Let’s take a look at default rules from the same example above:
Default firewall rules display
Rules created in the ‘Rules’ tab are always read first, followed by rules created by Inter-VLAN routing, and then any other default rules. With this list expanded - you can see the Deny rule we created to block traffic from the guest network to 10.103.0.20 would be read first, blocking this traffic before reaching the Allow rule. User-created rules can be re-ordered by using the up and down arrows next to the rule:
Firewall rules reordering
If you have any questions about ACL Rules or need further assistance, feel free to contact Meter Support at support@meter.com or submit a ticket at meter.com/support.
I