The Vigor3900 and Vigor2960 support multiple subnets within one VLAN profile. This allows network administrators to separate LAN hosts into different IP subnets without setting up either tag-based or port-based VLANs. However, traffic between these subnets is allowed by default. To prevent that, firewall rules must be configured.
Firstly, to create other subnets in a LAN profile:
1. Go to LAN >> General Setup, and click Edit to configure the LAN profile.
2. Click Add in the More Subnet field.
a. Specify the router’s IP in this subnet in the IP field
b. Select Mask of the subnet in the Subnet Mask field
c. Select ‘NAT’ for Mode
d. Disable DHCP if there is another DHCP server in the LAN profile
e. Modify the DHCP start IP and End IP as necessary if DHCP is enabled
f. Click Apply to save
In this example, hosts will obtain IP addresses in the 192.168.1.0/24 subnet using DHCP, or they can be manually configured with static IPs in the 192.168.3.0/24 subnet.
Block hosts from accessing each other
Assume there are two LAN hosts with the IP addresses 192.168.1.10 and 192.168.3.3. They can access each other by default, which can be verified using the ping command.
To block the traffic between them, we will need to configure firewall rules. To set up a firewall rule:
1. Go to Objects Setting >> IP Object, and add two IP objects, one for the 192.168.1.0/24 subnet, and the other for the 192.168.3.0/24 subnet.
a. Give the profile a name
b. Select “Subnet” for Address Type
c. Type the first IP in the range at Start IP Address
d. Specify the Subnet Mask
e. Click Apply to save
2. Go to Firewall >> Filter Setup >> IP Filter. Click Add to create a group, then click Add in the Group tab to create two firewall rules:
a. Give the profile a name and enable it
b. Select ‘Block’ for Action
c. Select the first subnet for Source IP Object and the second subnet for Destination IP Object. For the second rule, the Source IP Object should be the second subnet, and the Destination IP Object should be the first subnet.
d. Click Apply to save
After finishing the configuration, the firewall setting should be as follows.
Now, we can use ping to verify the firewall configuration.
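The two-rule design can also be checked offline before testing with ping. The following Python model is an added example, not DrayTek code: it rebuilds the two IP objects and the two Block rules from the steps above and evaluates sample flows, including what remains open if only the first rule is created or an IP object is saved with the wrong mask. The class and rule names are hypothetical, and the model assumes that the first matching enabled rule decides and that unmatched traffic passes; it covers only packets the router forwards between subnets.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPObject:
    """Mirrors an IP Object of Address Type 'Subnet': start IP plus mask."""
    name: str
    start_ip: str
    subnet_mask: str

    def contains(self, addr: str) -> bool:
        net = ipaddress.ip_network(f"{self.start_ip}/{self.subnet_mask}", strict=False)
        return ipaddress.ip_address(addr) in net

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # 'Block' or 'Pass'
    source: IPObject
    destination: IPObject
    enabled: bool = True

def evaluate(rules, src: str, dst: str) -> str:
    """Assumption of this model: first matching enabled rule wins, default is Pass."""
    for rule in rules:
        if rule.enabled and rule.source.contains(src) and rule.destination.contains(dst):
            return rule.action
    return "Pass"

# IP objects and rules from the article (names are hypothetical).
SUBNET_1 = IPObject("subnet_1", "192.168.1.0", "255.255.255.0")
SUBNET_3 = IPObject("subnet_3", "192.168.3.0", "255.255.255.0")
BOTH_RULES = [
    Rule("block_1_to_3", "Block", SUBNET_1, SUBNET_3),
    Rule("block_3_to_1", "Block", SUBNET_3, SUBNET_1),
]

# Constructed sample flows: (source, destination).
FLOWS = [
    ("192.168.1.10", "192.168.3.3"),   # the two hosts from the article
    ("192.168.3.3", "192.168.1.10"),   # reverse direction
    ("192.168.1.10", "192.168.1.20"),  # same subnet, matches no rule
    ("192.168.3.3", "203.0.113.5"),    # documentation address standing in for a WAN host
]

def audit(rules, flows=FLOWS):
    """Return the verdict for every sample flow under the given rule set."""
    return {flow: evaluate(rules, *flow) for flow in flows}

if __name__ == "__main__":
    for label, rules in (("both rules", BOTH_RULES), ("first rule only", BOTH_RULES[:1])):
        print(label)
        for (src, dst), verdict in audit(rules).items():
            print(f"  {src:>13} -> {dst:<13} {verdict}")
```

With only the first rule, traffic initiated from 192.168.3.0/24 towards 192.168.1.0/24 matches nothing and passes, which is why the procedure creates a rule for each direction.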