One of the reasons that the WannaCry and Petya ransomware were able to cause a global pandemic, was its ability to spread across an internal network, by exploiting a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol.

It is therefore always a good idea to confine unverified devices in a guest VLAN, and to prevent them access the internal corporate network.

Say we have 3x VLANs:

  • 192.168.10.0/24 for Sales
  • 192.168.20.0/24 for Engineering
  • 10.1.1.0/24 for Guest

Both Sales and Engineering are internal corporate networks. They are to have access to the internet as well as to have access to each other’s network.

The Guest network is however to provide internet access to guest and other unverified network devices. This network should not have access to any other computer, server or host, on the Sales and Engineering networks.

There are a couple of ways to do it.

Outbound Policy

Outbound Policy features 7 advance algorithms. It allows for a mix and match of different polices using different algorithms for any routing needs.

It however applies to traffic going from VLAN to WAN. It does not apply to traffic between VLANs.

So Outbound Policy is not what we are looking for.

Inter-VLAN Routing

If these 3x VLANs are managed by your Peplink Balance or Pepwave MAX, then you can confine a particular VLAN, by simply unchecking its Inter-VLAN Routing option.

The easiest way to see if your VLANs are managed by your Peplink Balance or Pepwave MAX is to go to its web admin page, and look under Network > LAN > Network Settings. If you see your VLANs listed, then you can click on a particular VLAN and uncheck its Inter-VLAN Routing option to disallow routing to and from this VLAN.

Network Settings on Peplink web admin page

Network Settings and VLAN on Peplink web admin page

If however you do not see your VLANs listed, this means they are managed by an external switch in the LAN. Internal Network Firewall Rules should then be used to disable inter-VLAN routing.

Internal Network Firewall Rules

Internal Network Firewall Rules are under Network > Firewall > Access Rules on the web admin page of your Peplink Balance or Pepwave MAX.

To disable routing from the Guest VLAN to the Sales and the Engineering VLAN, and vice versa. You will need 4x Internal Network Firewall Rules:

Internal Network Firewall Rules on Peplink web admin page

Internal Network Firewall Rules and deny traffic from Guest to Sales on Peplink web admin page

Internal Network Firewall Rules also have some added advantages.

  1. Rules can be specified per host by IP or MAC address.
  2. Rules can be specified per protocol and port.
  3. Event logging can be enabled.

And this is it. This is how to secure your VLANs.

An End Note

Of course this is just to stop the infection from spreading across your organisation like wildfire. It is of paramount importance to always keep your network hosts on the latest security update, and to have a dedicated Unified Threat Management (UTM) or Unified Security Management (USM) solution to hold the gate.


Tell me more about Peplink