I'm not sure where the comment went, or if it got deleted, but someone mentioned I should have explained the difference between WAN_LOCAL and WAN_IN a bit more in-depth. I think it was a valid comment and good constructive criticism and I probably didn't touch on it as much as I should have in the video. If anybody noticed, there are two "default" rule lists that are created. WAN_IN and WAN_LOCAL. WAN_IN is for anything coming from the internet, and ENTERING your local network. This means that it is passing THROUGH the router and hitting a host somewhere "inside" the network. If you were dealing with rules destined for a DNS server, (PLEX would be another example) this would be something blocked and/or allowed by the WAN_IN rule list since the traffic has to pass through the router in order to reach the destination host. WAN_LOCAL, on the other hand, is anything coming from the internet and is destined for the ROUTER ITSELF. Therefore, DNS forwarding, DHCP, SSH, Web interface, etc... will all be allowed/blocked by the WAN_LOCAL rule list. If it is something you would access directly on the router itself, then the WAN_LOCAL list is where you would allow or deny it. Also, this ruleset assumes it is coming from the public internet and is destined for the public interface of the router. I.e. it will not block traffic coming from the internal network to the internal IP of the router. Hopefully, this makes sense and I apologize if I didn't cover it enough in the video.

These ER videos are so helpful. Please don't ever delete these -- or I'll be screwed if I ever need to re-configure my setup! Much appreciated.

Fantastic video. Just got an ER-X, and your vids have been invaluable! Thank you so much for taking the time to educate us in a clear, concise, easy-to-follow way. Much appreciated.

Commented on your last video on how I can have my "admin" PC, talk to my Pi servers on a different VLAN....dont comment back lol...this video answered it

This is great. I've just set up a guest and an IOT VLAN firewall rule set and had it work by watching this video. Previous attempt I bricked my Edgerouter and had to reset it. Next trick...I want to be able to have a device on the IOT or guest network access a home network server on a static IP and port. If your servers are on the 192.168.100 network, you still might want them to be able to do specific protocols and IP's to the IOT network initiated from either direction.

Very nice explanation on how to setup firewall rules between VLANS on EdgeRouter. Your demonstration clarified a lot of confusion I had after reading the EdgeOS manual. Thanks for the nice video.

this was very helpful thank you very much. Watching it after the other one on creating vlans (except I don't have a cisco switch) was just what I needed. After setting the vlans up, I was really confused that I could ping across vlans. I thought I was done, and you weren't supposed to be able to do that, and I just hadn't done something right! Then I watched this video, implemented the rules that are right for my vlans, and I think I'm good now. 🤞

This video has been very helpful. Just one major point which caused me hours of frustration (thanks MS-Windows). The Windows 10 Firewall issue noted around the 7:45 mark is a big issue...initially I had Windows-10-Firewall enabled on all PC's in different subnets, and the ER4 Firewall Rules did not help because Windows-Firewall blocks outside subnets.

@ToastyAnswers Thanks for this video Mr. Toasty! I do appreciate it! I have an EdgeRouter but it is an ER-8 not an X. I have a question if you don't mind.😁 Q: At 4:39 in the video you are applying an interface for the Guest Ruleset. My question here is if I had more than one network (vlan) that I wanted treated this way, say Guest1 and Guest2, could I add the second Guest network interface here without it allowing traffic between Guest1 and Guest2? Or do I have to make another rule of some kind? My use case is that I have a number of networks that need to be isolated from each other except my "home" network needs to access them without the "Guests" being able to access my home, as you describe here. Thank you so much, any comments appreciated!🙂

Thank you so much. Very informative and useful. You have helped me resolve my FW rules issue. Thank you once again,

Great tutorial worked out for me.

Vere, very good and helpfull

newbie here....i set up a similar config to separate LANS on the router as I'm not using vLANs but noticed that my guest LAN could still reached the GUI on the non-guest LAN listening port. So I added a rule on the guest LAN to block local as well and that seemed to solve my issue. Does that sound right?

great job

Thanks so much for this video! Loving the ER. If using a Unifi AP, do the firewall rules also need to be added to the Unifi Network controller, or is that overkill/a potential source of problems?

Just watched this great video, I just bought this equipment for home use and was wandering if these same firewall rules would work on lans setup on the other ports of the edge router to avoid using a managed switch, say if home was on eth2, Iot on eth1 and Gest on eth 4.... If so where could I find help setting up the edge router that way ?

Can't tell you how grateful I am for your tutorial here. I've been totally lost in how to setup a VLAN. I have at least 40 IOT Devices on my home LAN with no isolation between my personal workstations, laptops, cell phones, etc. Information I find or asked for help on how to isolate my IOT Devices yet still have access to them was sketchy and over my head. I do have an inexpensive TP-Link TL-SG108E (never used) that says it supports Vlan. But not sure as I was overwhelmed at starting something I knew very little about. Maybe that's with a try first? And I can always get the Ubiquity. Any suggestions or thoughts very much appreciated. Thanks again for your great tutorial.

hi one more question how to create a list of allowed ips and block everything else, i want to create a white list of ips for browsing.

Excellent video, it helped fill in some holes in my networking knowledge. My background is virtualization and storage, not networking. I have my firewall configured very similar to what you have in this video. I would like to create access to one specific IP address on a VLAN that is blocking all internal traffic. How would I go about that?

@ToastyAnswers After having setup the firewall rules as described in your video, it seems that NAT loopback (hairpin NAT) isn't working anymore. It seems to be related to the 'home' rule. As soon as I remove the interface from that rule, I'm able to access my webserver again from wihtin my home network. How can I make it to work with that rule enabled?

Hi Toasty, That was a great video! I was wondering if you were planning on doing a follow-up on this video with QoS with focus on multiple VLAN + Guest VLAN. Optimizing the network to favor certain subnets and then having the router favor certain packets, limiting the VLAN wich has the Server on there so it won't eat up all of my upload when someone downloads something off of my NextCloud, or reserving some upload/download for myself so my gaming won't be bothered….

Thanks! Everythink works! But i have one question: What rules i need to add if i want ping from the "switch0" to a vlan? This tutorial is made for pings vlan to vlan.. but in my case i need access a vlan from the "switch0 interface".. Thanks

Hi Ian: I’m wanting to setup 3 maybe 4 VLANs. Here is the issue I’m not sure about. I have a Cisco Router SV260W default gateway of 192.168.123.254. I have an Ubuntu Webserver static on 192.168.123.104. I am forwarding ports 8083 and 8080 to that address as well for the Server. So would like to leave that setup alone if possible. I have the following Ubiquiti equipment. 24 port POE switch, an 8 port 60 watt switch, 4 of the 5 port mini flex switches. I’m wanting the following VLANs. One for IoT, one for guest wifi access and one for my main LAN like doing my video editing. I also have a cloud key gen. 2. Do I have to set the VLANs in the Cisco router and the the 24 port switch. I even thought of changing over to an Edgerouter X even. So looking for some ideas on implimenting.

Hi Toasty! Thanks for the awesome videos! Learning a lot on this channel. QQ: ON your previous VLAN setup video, you set up a "test" VLAN just in case if you lost connection to both the EdgeRouter and the Cisco Switch. Was that a temporary set up or is it still part of the configuration? if it's part of the config, would you need to setup firewall rules for that as well?- Thanks!

Great video, but how to block the access of the IOT and Visitors vlans towards the Router's IP?

Hey can you please explain how to, using the GUI, Block all internet traffic at a certain time on the EX-R using the current firmware, the options are a little different then what is shown in the video. tnx

Hello, Wonder if you think it is a firewall issue that a new Edgerouter is connecting with PPPoE and all devices are online but the vonage adapter will not connect anymore when it did not need any special setup on the old netgear X10 router, same with the UniFi controller software running on my machine, the UAP-AC-PRO is no longer found but is online as all wireless devices are connecting just fine. thx for any feedback. or a video idea for users looking to move into the Ubitquity universe.

Question. If your switch.0 address is 192.169.5.1, that is your default LAN, do you have to add it to the PVID for the vlan aware or will it just act as the default vlan ID to connect to your downstream switch? So just add say vlans 10,55,100 and don't list the PVID?

How about when I'm using my ERL 3 as my dual wan router in front of my Orbi router? Can these firewalls be used where the ERL is just the dual wan gateway?

Instead of creating a vlan 10 for your home, can you use the switch 0 instead ?

Your setup is exactly what I want to do with my Edgerouter POE 5 but can this be done with just my edgerouter poe 5 without a switch? Also will this vlan setup work through my nano hd ap? Thanks for the informative videos...

Do you need to add rules to allow for DHCP and DNS to work ?

Can you do a video on setting up firewall rules on an edge router to prevent pi-hole bypassing?

I just did this to my mom's network... Not sure why, but the GUI/SSH servers are available on all gateways and all lans have access to all the gateway IP's - possible bug in EdgeOS 2.0.9 (hotfix 7), but then again, it could be a possible bug in my access point (Archer C7 v4 with OpenWRT 23.05.3 - that was hard getting VAN's up and going on & wouldn't surprise me if it's causing a few routing bugs) or switches (three Sodola Networks 9-port managed switches). But the actual device isolation between VLAN's is working perfectly, so there is that going. 🙂

I think DNS its not goint to work for the guest and the iot network. Probably the vlan interfaces needs to be added on the dns settings

can you please do a video of port forwarding with this setup

Awesome! My Edgerouter X is (hopefully) going to arrive tomorrow and this is exactly what I needed to know. Well besides figuring out how I can add vlan tags to individual clients on my wifi ap (hostapd on raspi) and maybe my containers.

where did you get switch 100?

those vlan\s (subnet) should not be able to ping each ., unless it's a layer 3 switch

I did "set service gui listen-address 192.168.xx.1", but can still access login screen rom any VLAN

Soooo I set the listen address and now I cannot access it from any address... Is there a way to fix that or am I SOL?

How do I portforward to a webserver or minecraftserver or anything

BLOCK SSH using the firewall would do