I have a VLAN (IOT) where everybody may talk to anybody and may talk to the internet, but not to any other VLAN, and to the NAS on the same VLAN only on specific ports (e.g. to deny access to the admin dashboard/SSH):
The BackupserverIOT is a Synology NAS which is reachable under 10.168.10.100 (static DHCP mapping, VLAN IOT ID 10), and it has an internal domain backupserver.netzkiel.lan which is taken care of by the DNS resolver.
Might be, but a connection to BackupserverIOT on port 22 should be blocked due to rule number 2. If it isn't, the traffic will be passed due to rule number 6. So the question is, what about rule number 2 makes it pass traffic to BackupserverIOT on port 22?
If your IPs are in the same broadcast domain, you cannot block access to it. If your range is 192.168.1.0/24, then you cannot block traffic within that range on that VLAN.
I hadn't been aware of that. Apparently clients can use their ARP table to communicate purely on layer 2. Makes sense.
But then all rules of type X subnet to X subnet are useless. Then I do not even need a pass rule for that? I can just block private networks without allowing my own subnet?
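To make the layer-2 point from the thread concrete, here is an added example (written for this page, not code from any of the posters or from the router vendor) that models a first-match rule set on the IOT interface and first asks whether the gateway ever receives the packet at all. The network 10.168.10.0/24 and the NAS address 10.168.10.100 are taken from the thread; the gateway address 10.168.10.1, the rule set, the other-VLAN address 10.168.20.5 and the admin port 5000 are constructed assumptions for illustration. It shows that an IoT host reaching the NAS on port 22 is never evaluated by the gateway (so only the NAS's own firewall or switch-level isolation can enforce that), while the one intra-subnet destination the gateway does see is its own interface, which is why a blanket "block private networks" rule still needs a pass for services the router itself provides, such as DNS.

```python
"""Model of where a per-VLAN gateway firewall can and cannot enforce a rule.

Added example for this thread, not anything from the original posts. Addresses
10.168.10.0/24 and 10.168.10.100 come from the thread; the gateway address,
rule set, other-VLAN address and admin port are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IOT_NET = ipaddress.ip_network("10.168.10.0/24")   # VLAN IOT (from the thread)
NAS = ipaddress.ip_address("10.168.10.100")         # BackupserverIOT (from the thread)
GATEWAY = ipaddress.ip_address("10.168.10.1")       # assumed: router's IOT interface
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule on the IOT interface (inbound direction)."""
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp" or "any"
    src: Tuple[str, ...]         # source CIDRs
    dst: Tuple[str, ...]         # destination CIDRs
    dport: Optional[int] = None  # None = any destination port


# Constructed rule set in the spirit of the thread: deny admin ports on the
# NAS, deny other private networks, allow everything else (internet).
RULES = [
    Rule("pass",  "udp", (str(IOT_NET),), (f"{GATEWAY}/32",), 53),  # DNS resolver on the router
    Rule("block", "tcp", (str(IOT_NET),), (f"{NAS}/32",), 22),      # SSH on the NAS
    Rule("block", "tcp", (str(IOT_NET),), (f"{NAS}/32",), 5000),    # admin dashboard (assumed port)
    Rule("block", "any", (str(IOT_NET),), RFC1918),                  # no other VLANs
    Rule("pass",  "any", (str(IOT_NET),), ("0.0.0.0/0",)),           # internet
]


def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def gateway_sees(src, dst, local_net=IOT_NET, gateway=GATEWAY):
    """True if the packet is routed, or is addressed to the router itself.

    Two hosts in the same broadcast domain resolve each other via ARP and
    exchange frames through the switch; the router never receives them, so
    its interface rules are never consulted for that traffic.
    """
    if dst == gateway:
        return True
    return not (src in local_net and dst in local_net)


def first_match(rules, src, dst, dport, proto):
    """Classic first-match evaluation with an implicit default deny."""
    for n, r in enumerate(rules, start=1):
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _in_any(src, r.src) and _in_any(dst, r.dst):
            return r.action, n
    return "block", None


def verdict(src, dst, dport, proto="tcp", rules=RULES):
    """Where the flow is decided, and what the gateway rules would say if consulted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not gateway_sees(src, dst):
        # Only the NAS's own firewall or switch port isolation can enforce here.
        return {"where": "endpoint", "action": "not evaluated", "rule": None}
    action, n = first_match(rules, src, dst, dport, proto)
    return {"where": "gateway", "action": action, "rule": n}


if __name__ == "__main__":
    flows = [
        ("10.168.10.50", str(NAS), 22, "tcp"),       # IoT host -> NAS SSH (same segment)
        ("10.168.10.50", str(GATEWAY), 53, "udp"),   # IoT host -> router DNS
        ("10.168.10.50", "10.168.20.5", 22, "tcp"),  # IoT host -> other VLAN (assumed address)
        ("10.168.10.50", "1.1.1.1", 443, "tcp"),     # IoT host -> internet
    ]
    for f in flows:
        print(f, "->", verdict(*f))
```

Running it shows the same-segment flow to the NAS reported as decided at the endpoint, the cross-VLAN flow blocked by the private-networks rule, and internet traffic passed by the final rule. Removing the first rule makes the DNS flow to the gateway hit the private-networks block, which is the one case where a pass rule covering the local subnet (or at least the gateway address) is still needed.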