
How to allow established connections across LANs for IoT devices

Hello,

I am using XG Home 17 and cannot seem to find the answer. I have a LAN with my main network on it and a VLAN with my IoT devices on it. I am coming from Unifi USG which had Allow, Block, and Establish rules in the firewall. My IoT VLAN would not be able to ping or connect to my LAN network with 1 rule dropping all incoming connections. I had another rule to allow Established connections from my LAN to IoT VLAN. (i.e. Casting to my TV from my tablet or computer.)

All I can find in the XG is Allow, Drop, and Reject in rules. Does Sophos offer a feature like this?



  • Hi,

    please post your rules because your request is not clear.

    Rules need to be from a source to a destination with services.

    Ian

  • rfcat_vk said:

    Hi,

    please post your rules because your request is not clear.

    Rules need to be from a source to a destination with services.

    Ian

    That is kind of my problem. I don’t know how to set the rule up. I do not want VLAN IoT talking/connecting to LAN. However, if LAN starts the connection (casting to my Chromecast which is on VLAN IoT from my tablet which is on LAN) then I want the connection to go through. In Ubiquiti UniFi it is called “established” connection.
  • First, since you're a Home User, I recommend you to update to v18.

    You can do the same thing with an "Accept" rule on Sophos XG.

    Here's an example:

    (Ignore the "Match Known Users")

    In this example any user inside the "Wired LAN" and "WiFi LAN" will be able to establish a connection over any service to the IoT LAN.

    And since there's no rule for the "IoT LAN" to directly "accept" traffic to the "Wired or WiFi LAN", that traffic will be blocked by the default drop rule.

    This means anyone inside the "IoT LAN" won't be able to directly establish a connection to both the Wired and WiFi LANs (such as ping). At the same time, anyone on the Wired or WiFi LAN will be able to establish a connection to anyone on the "IoT LAN", and the IoT LAN device will be able to respond back.

    Thanks!

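The stateful behaviour described in the answer above, modelled in Python as an added example (this is not Sophos code and not from the thread); the subnets, addresses and port numbers are constructed, and the single Accept rule and default drop mirror the rule set described:

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the three zones named in the answer (assumption).
ZONES = {
    "Wired LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WiFi LAN": ipaddress.ip_network("192.168.2.0/24"),
    "IoT LAN": ipaddress.ip_network("192.168.50.0/24"),
}

# The one Accept rule from the answer: Wired/WiFi LAN -> IoT LAN, any service.
ACCEPT_RULES = [({"Wired LAN", "WiFi LAN"}, "IoT LAN")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def zone_of(ip):
    """Return the zone name whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

class StatefulFirewall:
    """A packet belonging to a tracked connection passes in either direction
    ("established"); any other packet must match an Accept rule, and the
    default action is drop."""
    def __init__(self):
        self.conntrack = set()  # 5-tuples of connections accepted so far

    def evaluate(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT (established)"  # reply traffic for a tracked flow
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for src_zones, dst in ACCEPT_RULES:
            if src_zone in src_zones and dst_zone == dst:
                self.conntrack.add(fwd)  # new flow is now tracked
                return "ACCEPT (rule)"
        return "DROP (default)"

def demo():
    """Tablet on WiFi LAN casts to a Chromecast on IoT LAN (constructed hosts/ports)."""
    fw = StatefulFirewall()
    tablet, chromecast, wired_pc = "192.168.2.10", "192.168.50.20", "192.168.1.5"
    return [
        fw.evaluate(Packet(tablet, chromecast, "tcp", 51000, 8009)),  # LAN starts the connection
        fw.evaluate(Packet(chromecast, tablet, "tcp", 8009, 51000)),  # IoT replies on that flow
        fw.evaluate(Packet(chromecast, wired_pc, "tcp", 44000, 22)),  # IoT initiates to LAN
        fw.evaluate(Packet(chromecast, tablet, "tcp", 8009, 52000)),  # IoT packet with no tracked flow
    ]
```

The last two verdicts show why no "established" rule is needed: only the reply on an already-accepted flow passes, while anything the IoT side originates falls through to the default drop.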
  • I don't think his Chromecast will work over the VLAN to LAN rules from previous discussions on the subject.

    Ian

  • Prism said:

    In this example any user inside the "Wired LAN" and "WiFi LAN" will be able to establish a connection over any service to the IoT LAN.

    And since there's no rule for the "IoT LAN" to directly "accept" traffic to the "Wired or WiFi LAN", that traffic will be blocked by the default drop rule.

    This means anyone inside the "IoT LAN" won't be able to directly establish a connection to both the Wired and WiFi LANs (such as ping). At the same time, anyone on the Wired or WiFi LAN will be able to establish a connection to anyone on the "IoT LAN", and the IoT LAN device will be able to respond back.

    Thanks!

    Thank you! I never thought of it like that! I will try this when I get home. I will update also tonight, I just got the core of everything set up today and this is more or less my lab. I am switching to this at home to get more familiar with it as we are using XG firewalls at my work and have 9 locations using them. I’d rather break my home network than work trying to learn it. I will mark this as answered if this works. Thanks again!