UniFi VLANs and IP Address Spoofing

I’ve set up firewall rules on my Ubiquiti Dream Machine SE to drop Inter-VLAN traffic between all VLANs. I did this using the standard DROP RFC1918 to RFC1918 rule.

Devices in my Home VLAN have addresses in the 192.168.10.0 subnet.

Devices in my PublicServer VLAN have addresses in the 10.0.1.0 subnet.

All traffic from the PublicServer VLAN goes through a single switch port which tags all traffic as PublicServer VLAN traffic. It’s not a trunk port.

Theoretically, would a device on the PublicServer VLAN (going through the dedicated switch port) be able to “spoof” its IP Address as a 192.168.10.0 address so its traffic would be tagged as the PublicServer VLAN but with a 192.168.10.0 IP Address? Or is UniFi smart enough to say “hey, this is coming from a 192.168.10.0 address when I expect a 10.0.1.0 address for the PublicServer VLAN” and then drop the traffic?

I’m curious if this sort of spoofing is possible because, if it is, I don’t think the DROP RFC1918 to RFC1918 is going to be effective in truly isolating the VLANs in the event someone has compromised the server device in the PublicServer VLAN.

The IP range of each subnet with each physical network or VLAN restricts traffic at the gateway to that address range. Any devices that are outside of the range of a subnet will not work.

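To make the two checks in this thread concrete, here is a small added model of how a gateway can treat a frame arriving on a VLAN interface. It is example code written for this thread, not UniFi's code and not a description of how the Dream Machine SE implements its firewall internally. It assumes /24 masks for the two subnets (the posts give only the network part), two constructed checks (a per-VLAN source-address check matching the reply above, and the DROP RFC1918 to RFC1918 rule from the question), and constructed sample packets.

```python
"""Toy model of gateway ingress filtering for inter-VLAN traffic.

Added illustration for the thread above; not UniFi code. It applies two
independent checks to a packet arriving on a VLAN interface:

  1. a source-address check: the source IP must fall inside the subnet
     configured on the VLAN the frame was tagged with (the behaviour the
     reply describes: devices outside a subnet's range "will not work");
  2. the "DROP RFC1918 to RFC1918" inter-VLAN rule from the first post,
     applied only to traffic that would be routed between VLANs.

VLAN names and network parts come from the thread; the /24 masks and the
sample packets are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# VLAN -> subnet configured on that VLAN's gateway interface (masks assumed).
VLAN_SUBNETS = {
    "Home": ip_network("192.168.10.0/24"),
    "PublicServer": ip_network("10.0.1.0/24"),
}


@dataclass(frozen=True)
class Packet:
    ingress_vlan: str      # VLAN tag the switch port applied to the frame
    src: IPv4Address
    dst: IPv4Address

    @classmethod
    def make(cls, vlan, src, dst):
        if vlan not in VLAN_SUBNETS:
            raise ValueError(f"unknown VLAN {vlan!r}")
        return cls(vlan, ip_address(src), ip_address(dst))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def vlan_for(addr):
    """VLAN whose configured subnet contains addr, or None (e.g. internet)."""
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def ingress_source_check(pkt):
    """Check 1: is the claimed source inside the subnet of the ingress VLAN?"""
    return pkt.src in VLAN_SUBNETS[pkt.ingress_vlan]


def inter_vlan_rule(pkt):
    """Check 2: DROP RFC1918 -> RFC1918, but only for traffic leaving its VLAN.

    Same-VLAN traffic is switched, not routed, so the gateway rule never
    sees it in this model.
    """
    if vlan_for(pkt.dst) == pkt.ingress_vlan:
        return "ACCEPT"
    if is_rfc1918(pkt.src) and is_rfc1918(pkt.dst):
        return "DROP"
    return "ACCEPT"


def evaluate(pkt, source_check=True):
    """Return (verdict, reason). source_check=False shows what rule 2 alone does."""
    if source_check and not ingress_source_check(pkt):
        return ("DROP", "source address outside ingress VLAN subnet")
    if inter_vlan_rule(pkt) == "DROP":
        return ("DROP", "RFC1918 to RFC1918 inter-VLAN rule")
    return ("ACCEPT", "allowed")


# Constructed sample traffic for the two VLANs in the thread.
SAMPLES = [
    Packet.make("Home", "192.168.10.20", "192.168.10.30"),        # same VLAN
    Packet.make("Home", "192.168.10.20", "10.0.1.5"),             # Home -> server
    Packet.make("PublicServer", "10.0.1.5", "203.0.113.10"),      # server -> internet
    Packet.make("PublicServer", "192.168.10.99", "192.168.10.20"),# claims a Home source
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        verdict, reason = evaluate(pkt)
        print(f"{pkt.ingress_vlan:13} {pkt.src!s:>15} -> {pkt.dst!s:<15} {verdict:6} {reason}")
```

Run it and the last sample, a frame tagged PublicServer but carrying a 192.168.10.x source, is dropped by the source-address check before the inter-VLAN rule is even consulted. Passing `source_check=False` to `evaluate` shows that, in this model, the RFC1918 to RFC1918 rule would still drop that particular packet, because it is being routed toward the Home VLAN with private addresses on both ends; the source check is what also protects any rule that keys on the source subnet.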

Excellent. Thank you for the confirmation!