# Inter-VLAN Firewall Policy
Status: Documented. Owner to apply on UDM SE. Security register: Closes SEC-002.
## Design Principles
- Default deny between all VLANs
- Named exceptions for legitimate cross-VLAN traffic
- Management VLAN has unrestricted access (admin plane)
- IoT and Security VLANs are fully isolated (no initiated outbound to other VLANs)
- Servers VLAN accepts inbound from trusted VLANs only
## Rule Set
Rules are applied on the UDM SE under Settings > Firewall & Security > Firewall Rules. Rules are evaluated top-to-bottom; first match wins.
### LAN-In Rules (applied per VLAN interface)
| # | Name | Source | Destination | Action | Notes |
|---|---|---|---|---|---|
| 1 | Allow Management to all | VLAN 10 (192.168.10.0/24) | Any | ALLOW | Admin plane — full access |
| 2 | Allow Personal to Servers | VLAN 2 (192.168.3.0/24) | VLAN 4 (192.168.6.0/24) | ALLOW | Trusted devices access services |
| 3 | Allow GenPop to Servers | VLAN 1 (192.168.1.0/24) | VLAN 4 (192.168.6.0/24) | ALLOW | Household access to services |
| 4 | Allow Security to NVR | VLAN 6 (192.168.8.0/24) | 192.168.6.215 (Whrrr NVR) | ALLOW | Cameras write to Synology NVR |
| 5 | Deny IoT to all VLANs | VLAN 5 (192.168.7.0/24) | RFC1918 | DROP | IoT isolation — internet only |
| 6 | Deny Security to all VLANs | VLAN 6 (192.168.8.0/24) | RFC1918 | DROP | Camera isolation (except rule 4) |
| 7 | Default inter-VLAN deny | Any RFC1918 | Any RFC1918 | DROP | Catch-all between VLANs |
## Notes
- Rule 3 (GenPop to Servers): This is permissive. If tighter control is desired later, restrict to specific ports (80, 443, 32400 for Plex, etc.).
- Rule 4 (Security to NVR): Cameras need to reach the Synology NVR (192.168.6.215) for recording. Restrict to the NVR's IP only, not the full Servers VLAN.
- Rule 5 (IoT deny): IoT devices can still reach the internet. They cannot initiate connections to any other VLAN.
- Rule 7 (Default deny): This is the safety net. Any inter-VLAN traffic not explicitly allowed above is dropped.
## UDM Configuration Steps
- Navigate to Settings > Firewall & Security > Firewall Rules
- Create a new rule group called "Inter-VLAN Policy"
- Add rules in the order listed above
- For RFC1918 destinations, create a firewall group containing:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- Test by verifying:
  - A device on GenPop can reach 192.168.6.17 (infra-services)
  - A device on IoT CANNOT reach 192.168.6.17
  - A camera on Security CAN reach 192.168.6.215 (NVR)
  - A camera on Security CANNOT reach 192.168.6.17
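Because the UDM evaluates rules top-to-bottom with first match winning, the order of rules 4 and 6 decides whether cameras can reach the NVR at all. The following added example (not part of this policy page or of UniFi's tooling) encodes the rule table and the RFC1918 group above as a first-match simulator, runs the verification checks from the configuration steps against it, and shows that swapping rules 4 and 6 breaks the camera-to-NVR exception. Source addresses such as 192.168.1.50 are constructed hosts inside the documented subnets, and the fall-through behaviour for traffic matching no rule (the UDM's implicit LAN-In allow) is an assumption.

```python
import ipaddress

def net(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

RFC1918 = net("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the firewall group
ANY = net("0.0.0.0/0")

# (number, name, source group, destination group, action), in table order
RULES = [
    (1, "Allow Management to all", net("192.168.10.0/24"), ANY, "ALLOW"),
    (2, "Allow Personal to Servers", net("192.168.3.0/24"), net("192.168.6.0/24"), "ALLOW"),
    (3, "Allow GenPop to Servers", net("192.168.1.0/24"), net("192.168.6.0/24"), "ALLOW"),
    (4, "Allow Security to NVR", net("192.168.8.0/24"), net("192.168.6.215/32"), "ALLOW"),
    (5, "Deny IoT to all VLANs", net("192.168.7.0/24"), RFC1918, "DROP"),
    (6, "Deny Security to all VLANs", net("192.168.8.0/24"), RFC1918, "DROP"),
    (7, "Default inter-VLAN deny", RFC1918, RFC1918, "DROP"),
]

def matches(addr, group):
    return any(addr in n for n in group)

def evaluate(src, dst, rules=RULES):
    """Return (action, rule number) of the first rule matching src -> dst.
    Traffic matching no rule (e.g. an internet destination) falls through to
    the implicit LAN-In allow; that default is an assumption of this model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, _name, sgrp, dgrp, action in rules:
        if matches(s, sgrp) and matches(d, dgrp):
            return action, num
    return "ALLOW", None

# The "Test by verifying" checks plus the IoT-to-internet note (constructed hosts)
EXPECTED = {
    ("192.168.1.50", "192.168.6.17"): "ALLOW",   # GenPop -> infra-services
    ("192.168.7.50", "192.168.6.17"): "DROP",    # IoT -> infra-services
    ("192.168.8.50", "192.168.6.215"): "ALLOW",  # Security -> NVR (rule 4)
    ("192.168.8.50", "192.168.6.17"): "DROP",    # Security -> anything else
    ("192.168.7.50", "1.1.1.1"): "ALLOW",        # IoT -> internet, no rule matches
}

def verify(rules=RULES):
    """Map each expected (src, dst) pair to whether the rule set agrees."""
    return {pair: evaluate(*pair, rules)[0] == want for pair, want in EXPECTED.items()}

def swapped_4_and_6():
    """Rule table with rules 4 and 6 in the wrong order (the mistake to avoid)."""
    return [RULES[i] for i in (0, 1, 2, 5, 4, 3, 6)]

if __name__ == "__main__":
    for (src, dst), ok in verify().items():
        print(f"{src} -> {dst}: {'ok' if ok else 'MISMATCH'} {evaluate(src, dst)}")
    print("with 4 and 6 swapped, Security -> NVR:", evaluate("192.168.8.50", "192.168.6.215", swapped_4_and_6()))
```

Running it before applying the rules on the UDM SE catches an ordering error on paper rather than on the cameras.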
## Rollback
If the rules cause issues, disable the "Inter-VLAN Policy" rule group in the UDM UI. This restores the previous allow-all behavior.