Channel: SRX Services Gateway topics

Firewall Filter Issues - Allow DHCP but block RFC1918 SRX100


Hi All,

I want to segregate VLAN 90 from the rest of my network so it can't access any private addresses except one, which is 192.168.45.1. This VLAN will be used for payments, so it needs to be PCI compliant, and that address is the payment server.

I also want to run a DHCP server so that handheld payment devices can be assigned addresses dynamically.

With the config I've applied, which I'll paste below, DHCP works fine; however, I'm able to ping other private subnets at other sites when I source traffic from the gateway:

E.g. I'm able to get a response from 192.168.46.254, 10.128.22.254, etc., when sourcing from 10.128.92.254.

Here is my relevant config:

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 unit 90 vlan-id 90
set interfaces fe-0/0/1 unit 90 family inet filter input REJECT_RFC1918_IN
set interfaces fe-0/0/1 unit 90 family inet filter output REJECT_RFC1918_OUT
set interfaces fe-0/0/1 unit 90 family inet address 10.128.92.254/24

set policy-options prefix-list RFC_1918 10.0.0.0/8
set policy-options prefix-list RFC_1918 172.16.0.0/12
set policy-options prefix-list RFC_1918 192.168.0.0/16

set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from protocol udp
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 67
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP from port 68
set firewall family inet filter REJECT_RFC1918_IN term allow-UDP then accept
set firewall family inet filter REJECT_RFC1918_IN term allow-specific from destination-address 192.168.45.1/32
set firewall family inet filter REJECT_RFC1918_IN term allow-specific then accept
set firewall family inet filter REJECT_RFC1918_IN term deny from destination-prefix-list RFC_1918
set firewall family inet filter REJECT_RFC1918_IN term deny then discard
set firewall family inet filter REJECT_RFC1918_IN term allow then accept
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from protocol udp
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 67
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP from port 68
set firewall family inet filter REJECT_RFC1918_OUT term allow-UDP then accept
set firewall family inet filter REJECT_RFC1918_OUT term allow-specific from source-address 192.168.45.1/32
set firewall family inet filter REJECT_RFC1918_OUT term allow-specific then accept
set firewall family inet filter REJECT_RFC1918_OUT term deny from source-prefix-list RFC_1918
set firewall family inet filter REJECT_RFC1918_OUT term deny then discard
set firewall family inet filter REJECT_RFC1918_OUT term allow then accept

Please kindly advise if I've done the firewall filter wrong.

Thanks a bunch!
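
Added example, not part of the original post: a small Python model of Junos first-match term evaluation for the two filters above, run against constructed sample packets. The prefix list, term order, interface unit and addresses are taken from the posted config; the handheld address 10.128.92.10, the uplink interface name ge-wan and the sample flows are assumptions. It shows two things worth checking here. First, the input filter on fe-0/0/1.90 is only consulted for packets received on that interface and the output filter only for packets leaving it, so a ping sourced from the gateway's own address and routed out the uplink never passes through either filter; that test says nothing about the filter, and the check should be made from a handheld on the VLAN. Second, because Junos `port 67` matches either the source or the destination port, the allow-UDP term accepts any UDP packet that merely uses 67 or 68 as its source port before the deny term is reached, so a host on the VLAN could still reach other RFC 1918 UDP services that way; restricting the term to `destination-port 67` for client-to-server traffic (and a matching source-port term for the reply direction) closes that.

```python
# Added example (not from the original post): first-match simulation of the posted
# REJECT_RFC1918_IN / REJECT_RFC1918_OUT filters against constructed sample packets.
import ipaddress
from dataclasses import dataclass

# prefix-list RFC_1918 and the payment server address from the post
RFC_1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PAYMENT_SERVER = "192.168.45.1"
VLAN90_IFL = "fe-0/0/1.90"   # logical interface the filters are bound to
UPLINK_IFL = "ge-wan"        # assumed name for the interface towards the other sites


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    ingress: str = VLAN90_IFL   # interface the packet arrived on; "RE" = generated by the gateway
    egress: str = UPLINK_IFL    # interface the packet leaves on


def in_prefix_list(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def allow_udp(p: Packet) -> bool:
    # 'from protocol udp' AND 'from port 67|68'; Junos 'port' matches source OR destination port
    return p.proto == "udp" and (p.sport in (67, 68) or p.dport in (67, 68))


# Each filter is an ordered list of (term, match function, action); the first match wins.
REJECT_RFC1918_IN = [
    ("allow-UDP", allow_udp, "accept"),
    ("allow-specific", lambda p: p.dst == PAYMENT_SERVER, "accept"),
    ("deny", lambda p: in_prefix_list(p.dst, RFC_1918), "discard"),
    ("allow", lambda p: True, "accept"),
]
REJECT_RFC1918_OUT = [
    ("allow-UDP", allow_udp, "accept"),
    ("allow-specific", lambda p: p.src == PAYMENT_SERVER, "accept"),
    ("deny", lambda p: in_prefix_list(p.src, RFC_1918), "discard"),
    ("allow", lambda p: True, "accept"),
]


def evaluate(terms, p: Packet):
    """Return (term name, action) of the first matching term.
    A filter with no catch-all term discards implicitly; modelled as ('<implicit>', 'discard')."""
    for name, match, action in terms:
        if match(p):
            return name, action
    return "<implicit>", "discard"


def filter_decision(p: Packet):
    """Apply the filters the way the interface binding does: the input filter sees only packets
    received on fe-0/0/1.90, the output filter only packets transmitted out of it."""
    if p.ingress == VLAN90_IFL:
        return ("input",) + evaluate(REJECT_RFC1918_IN, p)
    if p.egress == VLAN90_IFL:
        return ("output",) + evaluate(REJECT_RFC1918_OUT, p)
    return ("none", "-", "not-evaluated")   # neither filter is in this packet's path


# Constructed sample traffic; 10.128.92.10 is an assumed handheld on VLAN 90.
SAMPLES = {
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "handheld_to_payment_server": Packet("10.128.92.10", PAYMENT_SERVER, "tcp", 50000, 443),
    "handheld_to_other_site": Packet("10.128.92.10", "192.168.46.254", "icmp"),
    "handheld_to_internet": Packet("10.128.92.10", "203.0.113.10", "tcp", 50001, 443),
    "other_site_to_handheld": Packet("192.168.46.254", "10.128.92.10", "icmp",
                                     ingress=UPLINK_IFL, egress=VLAN90_IFL),
    # UDP to another site's DNS, but with source port 68: matched by allow-UDP before deny
    "handheld_sport68_to_other_site": Packet("10.128.92.10", "192.168.46.254", "udp", 68, 53),
    # the test in the post: ping sourced from the gateway's own address, leaving via the uplink
    "gateway_sourced_ping": Packet("10.128.92.254", "192.168.46.254", "icmp", ingress="RE"),
}


def run_all():
    """Evaluate every sample packet; returns {name: (filter, term, action)}."""
    return {name: filter_decision(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (where, term, action) in run_all().items():
        print(f"{name:32s} {where:7s} {term:16s} {action}")
```

The model only covers the stateless interface filters. On an SRX running in flow mode those filters are evaluated before the flow session lookup, and the usual place to enforce "VLAN 90 may talk only to 192.168.45.1" is a security zone for unit 90 with explicit security policies, which also gives per-policy logging for the PCI audit trail; the filter simulation above is a way to sanity-check term order and match semantics before committing either.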
