Management network on a UDR7

Ted47

UniFier
8 Dec 2025
Does anyone have this configured on a UDR7?
I implemented several VLANs (guest, home, work, print, management, and there is also the default network).
How do I exclude access from all these LANs?
I tried a firewall rule blocking access to the default IP address 192.168.1.1 from the various VLANs (except the management VLAN), but it seems that the controller software of the UDR7 remains accessible from all VLANs.
Does anyone have a recommendation of what to configure to avoid this?
Important: I am running the latest version of the controller and firewall interface (simplified).
It is a little bit surprising that this is so hard to configure, since it is almost the most essential setting when working with various VLANs.
 
In what sense does your remark have something to do with my question? I understand that there are limitations in the UDR7 as far as capacity is concerned. However, since there will be very limited users and very limited internet speed needed, this is not a problem. The separation of VLANs is purely for security reasons; I do not want my professional work mixed with home users, guest users, etc. So I want to introduce a management LAN that keeps the setup of the controller software away from them.
 
Hi @Ted47. I assume the default VLAN is on 192.168.1.0/24.
All other VLANs have different IP ranges. The UDR has interfaces in all VLANs, and also IP addresses in all VLANs. The UDR7 can be reached through all of these IPs. So blocking just 192.168.1.1 isn't enough. On the other hand, blocking all UDR7 IPs from all networks isn't preferred either.
In the zone-based firewall functionality there's a specific zone for the UDR7 called GATEWAY. Blocking traffic from all untrusted networks to the gateway on ports 22, 80 and 443 should be enough.
 
Hi, I implemented this (although I block all ports, because I want the network strictly separated). As a result, the interface is indeed not reachable anymore except for the management VLAN; however, now the other VLANs no longer have access to the internet:
- is that because I block all ports?
- another reason, setting or additional policy I have to implement? I want some of the other VLANs to have full internet access but NO access to the controller software of the UDR7.
 
This is a fresh install, so besides the management LAN and the default LAN, nothing is configured yet, except for the above. If I run a laptop on vlan199, it can reach the controller and the internet; if I connect it to the default vlan1, I cannot reach the controller (good) and also not the internet (not good :-)).
 
So when you're on the default VLAN, the Internet is unreachable. How do you test? When addressing domain names you need a system that converts names to IP addresses. In most situations, the gateway provides that service. When all traffic to the gateway is blocked, access to the Internet is crippled. This is just one example of the services the gateway is providing to the network for smooth operation.
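
A check to run from a laptop on each VLAN, as an added example that is not part of the original thread: it confirms that ports 22, 80 and 443 are closed on every gateway address while DNS through the gateway still answers. The address 192.168.20.1, the test name `example.com` and all function names are assumptions made for the example.

```python
import socket
import struct
import sys

MGMT_PORTS = (22, 80, 443)  # the ports named in the thread

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def dns_answers(server, name="example.com", timeout=2.0):
    """True if `server` sends any DNS response to an A query for `name`."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    query = header + qname + struct.pack(">HH", 1, 1)  # type A, class IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    # Same transaction id and the QR (response) bit set
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def audit(gateway_ips, is_mgmt_vlan, tcp=tcp_open, dns=dns_answers):
    """gateway_ips[0] is this VLAN's own gateway; returns a list of findings."""
    findings = []
    for ip in gateway_ips:
        reachable = [p for p in MGMT_PORTS if tcp(ip, p)]
        if reachable and not is_mgmt_vlan:
            findings.append(f"{ip}: management ports {reachable} reachable")
        if not reachable and is_mgmt_vlan:
            findings.append(f"{ip}: management UI blocked from management VLAN")
    # The gateway is usually the DNS server; blocking all ports to it breaks this
    if not dns(gateway_ips[0]):
        findings.append(f"{gateway_ips[0]}: no DNS answer, name resolution will fail")
    return findings

if __name__ == "__main__":
    # Usage: python3 check.py [--mgmt] OWN_VLAN_GATEWAY_IP [OTHER_GATEWAY_IP ...]
    ips = [a for a in sys.argv[1:] if a != "--mgmt"] or ["192.168.20.1", "192.168.1.1"]
    for line in audit(ips, "--mgmt" in sys.argv) or ["OK: no findings"]:
        print(line)
```

Pass every gateway address the UDR7 holds, with the VLAN's own gateway first, and add `--mgmt` when running from the management VLAN.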