This seems like a remedial question, but I have looked through the configuration guides and these forums, and don't feel that I have a clear answer.
Is there a way to single out the Internet (uplink ports 1 and 2) in MX firewall rules? For example, if I have one VLAN (let's call it VLAN3) that I want to be able to access the Internet (outbound), but I want to restrict that VLAN3 from accessing any of my other local VLANs, what is the best way to accomplish that?
My intention is to have a "Deny All" rule at the end, so all traffic that will be permitted will require explicit "allow" rules. For this specific example above, I assume that I could create an "Allow Any" rule to permit outbound access to the internet from this VLAN3. But then I would need to create another "deny" rule above that one to deny access to any of the other local VLANs. For example:

1 Deny  Any  VLAN3  Any  VLAN1, VLAN2, VLAN4  Any  (deny access to all local VLANs)
2 Allow  Any  VLAN3  Any  Any  Any  (allow access to the internet)
3 Deny  Any  Any  Any  Any  Any  (default deny all)
It would be easier and less prone to error if I could simply have one rule that only allows access to the uplink ports (and nothing else). For example:

1 Allow  Any  VLAN3  Any  [uplink ports]  Any  (only allow access to the internet)
2 Deny  Any  Any  Any  Any  Any  (default deny all)
Is this possible, or is there a better way?
My internet connections are cable and DSL modems, so nothing fancy. I tried configuring my global IP addresses from my ISPs as small VLANs in my MX, but it didn't seem to like that. And I'm not sure how that plays with things like the automatic PAT and failover and stuff.
Rather than create rules to block access to the other specific VLANs, block access to all RFC1918 address space, or if all your VLANs are in one chunk of space (such as 192.168.x.x) block access to all of that (192.168.0.0/16) with one simple rule.
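As an added illustration of the rule set suggested in the reply above (this is example code, not something posted in the thread or shipped by Meraki): the script builds the three-rule outbound policy (deny VLAN3 to all of RFC1918, allow VLAN3 to anything else, explicit deny everything) in the field layout the Dashboard API uses for L3 firewall rule objects, then runs a small first-match evaluator over it so you can see which destinations are reachable before pushing it. The VLAN3 subnet, the other VLAN addresses and the rule field names are assumptions for the example; check them against your own network and the current API reference. It also shows why the trailing explicit deny matters: the MX's built-in last rule is "allow any", so the evaluator falls through to allow when nothing matches.

```python
"""Added example (not from the original thread): build and sanity-check the
'deny private space, then allow Internet' MX outbound rule set."""
import ipaddress

# Constructed sample addressing for the scenario in the question (assumption).
VLAN3_SUBNET = "192.168.3.0/24"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_rules(src_cidr: str = VLAN3_SUBNET, local_space=RFC1918) -> list:
    """Return the ordered rule list: one deny covering all private space,
    an allow for everything else from VLAN3, then an explicit catch-all deny.
    The catch-all is needed because the MX's implicit final rule is 'allow any'."""

    def rule(comment, policy, src, dst):
        # Field names follow the Dashboard API L3 firewall rule shape (assumed);
        # destCidr accepts a comma-separated list of CIDRs.
        return {"comment": comment, "policy": policy, "protocol": "any",
                "srcPort": "Any", "srcCidr": src,
                "destPort": "Any", "destCidr": dst, "syslogEnabled": False}

    return [
        rule("VLAN3: block all local/private space", "deny", src_cidr, ",".join(local_space)),
        rule("VLAN3: Internet outbound", "allow", src_cidr, "Any"),
        rule("Default deny", "deny", "Any", "Any"),
    ]


def _cidr_match(value: str, ip: str) -> bool:
    """'Any' matches everything; otherwise ip must fall inside one of the
    comma-separated CIDRs in value."""
    if value.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in value.split(","))


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation on source/destination address only (protocol and
    ports are 'any' throughout this example). Returns 'allow' or 'deny'; an
    empty or non-matching rule list yields 'allow', mirroring the MX default."""
    for r in rules:
        if _cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip):
            return r["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_rules()
    for dst in ("8.8.8.8", "192.168.4.10", "10.20.30.40", "172.31.255.1"):
        print(f"192.168.3.50 -> {dst}: {evaluate(rules, '192.168.3.50', dst)}")
    # A host in another VLAN matches nothing but the final deny.
    print(f"192.168.1.5 -> 8.8.8.8: {evaluate(rules, '192.168.1.5', '8.8.8.8')}")
```

Two caveats worth checking before relying on this: the single "deny 192.168.0.0/16" shortcut only works if every local VLAN, including any future one, lives inside that block, whereas the three-CIDR RFC1918 deny does not depend on that; and these rules say nothing about traffic that never crosses the MX's routing engine, such as hosts talking to each other inside VLAN3.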
Thanks. Blocking access to all private address space is definitely more elegant than what I was thinking. It would still be better if it was possible to directly allow traffic to just the internet/uplink, but this can work.