I’ve set up firewall rules on my Ubiquiti Dream Machine SE to drop inter-VLAN traffic between all VLANs. I did this using the standard DROP RFC1918 to RFC1918 rule.
Devices in my Home VLAN have addresses in the 192.168.10.0 subnet.
Devices in my PublicServer VLAN have addresses in the 10.0.1.0 subnet.
All traffic from the PublicServer VLAN goes through a single switch port which tags all traffic as PublicServer VLAN traffic. It’s not a trunk port.
Theoretically, would a device on the PublicServer VLAN (going through the dedicated switch port) be able to “spoof” its IP address as a 192.168.10.0 address, so that its traffic would be tagged as PublicServer VLAN traffic but carry a 192.168.10.0 IP address? Or is UniFi smart enough to say “hey, this is coming from a 192.168.10.0 address when I expect a 10.0.1.0 address for the PublicServer VLAN” and then drop the traffic?
I’m curious whether this sort of spoofing is possible because, if it is, I don’t think the DROP RFC1918 to RFC1918 rule is going to be effective in truly isolating the VLANs in the event someone has compromised the server device in the PublicServer VLAN.
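As an added illustration (not part of the original post, and not code from Ubiquiti or UniFi), here is a small Python model of the two checks the question contrasts: the address-only DROP RFC1918 to RFC1918 rule as described above, and a hypothetical BCP 38-style ingress check that requires a packet's source address to belong to the subnet of the VLAN it arrived on. The subnets come from the post (the /24 masks are an assumption), the packets are constructed, and whether UniFi performs the second check is not something this example claims either way.

```python
import ipaddress
from dataclasses import dataclass

# Private address space per RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Subnets from the post; the /24 masks are an assumption.
VLAN_SUBNETS = {
    "Home": ipaddress.ip_network("192.168.10.0/24"),
    "PublicServer": ipaddress.ip_network("10.0.1.0/24"),
}


@dataclass(frozen=True)
class Packet:
    ingress_vlan: str  # VLAN the access port tagged the frame with
    src: str           # source IP as written in the packet (can be spoofed)
    dst: str


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rfc1918_drop_rule(pkt: Packet) -> str:
    """The address-only rule from the post: drop when both src and dst are
    private. It never consults which VLAN the packet came in on, so a spoofed
    source changes nothing as long as src and dst are both RFC 1918."""
    return "DROP" if is_rfc1918(pkt.src) and is_rfc1918(pkt.dst) else "ACCEPT"


def ingress_source_check(pkt: Packet) -> str:
    """Hypothetical ingress (BCP 38 / reverse-path style) filter: the source
    must lie inside the subnet assigned to the ingress VLAN. This is the check
    the post asks about; it is NOT a statement that UniFi implements it."""
    expected = VLAN_SUBNETS[pkt.ingress_vlan]
    return "DROP" if ipaddress.ip_address(pkt.src) not in expected else "ACCEPT"


def evaluate(pkt: Packet, with_ingress_check: bool) -> str:
    """Run the optional ingress check first, then the RFC1918-to-RFC1918 rule."""
    if with_ingress_check and ingress_source_check(pkt) == "DROP":
        return "DROP (source not in ingress VLAN subnet)"
    if rfc1918_drop_rule(pkt) == "DROP":
        return "DROP (RFC1918 to RFC1918)"
    return "ACCEPT"


# Constructed sample packets, all arriving on the PublicServer VLAN port.
# 203.0.113.10 is a documentation address standing in for "the internet".
PACKETS = {
    "legit_to_home": Packet("PublicServer", "10.0.1.5", "192.168.10.20"),
    "spoofed_to_home": Packet("PublicServer", "192.168.10.50", "192.168.10.20"),
    "legit_to_internet": Packet("PublicServer", "10.0.1.5", "203.0.113.10"),
    "spoofed_to_internet": Packet("PublicServer", "192.168.10.50", "203.0.113.10"),
}


def run(with_ingress_check: bool) -> dict:
    """Verdict for every sample packet under the chosen policy."""
    return {name: evaluate(p, with_ingress_check) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ingress check enabled: {mode}")
        for name, verdict in run(mode).items():
            print(f"  {name:20s} -> {verdict}")
```

Running it shows that the spoofed packet aimed at the Home VLAN is dropped by the address-only rule regardless, because both addresses are still private; the rule's blind spot is a forged private source on traffic the rule does not cover (here, an external destination), which only the ingress check catches. The model covers rule matching only, not routing, NAT or state tracking, and it leaves out one practical limit on source spoofing that holds on any IP network: replies to a forged 192.168.10.50 source are delivered to the real host with that address on the Home VLAN, so the spoofing device can send but cannot complete a two-way connection.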