ACL just for internet, and nothing else

FuturaFutura Member Posts: 191
So I want to make a vlan just for guest users to access the internet that goes out through a shared gateway. I dont want these users to be able to access anything on the LAN,

I was thinking

something like

permit tcp any any eq 80

but if I have any web servers on my network then the guests will be able to access them!.

Any thoughts how I can just allow internet access but strictly nothing else?

Thank you:):)


  • networker050184networker050184 Mod Posts: 11,962 Mod
    You can just deny access to any internal subnets. For example you use 192.168/16 on your internal network then you just deny access to that and permit anything else. You will need to punch holes if there are some internal stuff they need to access.
    An expert is a man who has made all the mistakes which can be made.
  • FuturaFutura Member Posts: 191
    superb, So I could

    deny tcp any eq www
    deny tcp any eq www
    permit tcp any any eq www

  • networker050184networker050184 Mod Posts: 11,962 Mod
    I wouldn't even worry about the eq www part personally. Then you will get bugged often to let stuff like https, ftp, vpn protocols etc through. Just make sure they have no IP connectivity to your stuff and let the rest go.
    An expert is a man who has made all the mistakes which can be made.
  • NetworkVeteranNetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    A few ideas--

    You could block all traffic (on the ingress) destined for your external LAN IPs
    You could block all traffic (on the egress) sourced from the guest LAN IPs
    Use PBR to forward all packets from the guest LAN towards the Internet
  • drkatdrkat Banned Posts: 703
    so on the guest vlan you apply an acl denying traffic to your internal subnets and permit everything else
  • MickQMickQ Member Posts: 628 ■■■■□□□□□□
    You might want to deny ip rather than just tcp traffic. I'm sure you don't want UDP being able to get past ;)
  • Michael2Michael2 Member Posts: 305
    Why not just create an ACL that would block all inbound traffic and place it on the gateways to your internal LAN with the guest terminals on the other side? Why create a VLAN?
  • drkatdrkat Banned Posts: 703
    Michael, given that theory how would you define the difference between guest and employee?
  • Michael2Michael2 Member Posts: 305
    Oh, so I need a VLAN to differentiate between guests and employees. I thought you could just implement a User Access Control policy, but I guess I need to go out and get network switches and set up a whole VLAN to keep guest users from accessing the internal network.
  • drkatdrkat Banned Posts: 703
    You dont NEED to do anything. Every network is a unique snowflake. You will want to look at your network and determine how the guests are going to be accessing the network and then determine the best access control for the job. Given the OP's original post utilizing a vlan method - maybe they dont have any type of authentication policy in place or maybe they have guest pods that only guests can use?? the possibilities are endless.

    However I sense your response as much sarcastic as it is arrogant. Only the OP and in this case YOU would know how your network is configured and best practice for that scenario.

    From this scenario he is using a SHARED gateway so both networks will have equal access to it. So sure.. he can write an ACL that is egress on his internal subnet interface to not allow access from the guest subnet.. this would be his best option. It really depends how he is setup and since we dont have any configuration it's all hear-say at this point.
Sign In or Register to comment.