10 — Management and IPMI

20 — Lab

100 — Main

<aside> 🔥 MAIN_IN (traffic from VLAN 100 through the router)
allow established/related (replies to connections from other VLANs)
drop invalid
allow ports 53, 67 (DNS, DHCP)
allow port 445 (SMB)
allow the Windows Deployment Services ports
allow to 10.0.110.0/24 (IoT devices)
allow from 10.0.100.0/24 to 10.0.100.0/24 (so devices on this VLAN can always reach each other)
deny 10.0.100.5 to pppoe0 (block this host's internet access)
deny 10.0.0.0/8 (rest of the network)

MAIN_LOCAL (traffic to the router itself)
allow established/related
drop invalid
allow ports 53, 67 (DNS, DHCP)

</aside>

110 — IoT

<aside> 🔥 IOT_IN (traffic from VLAN 110 through the router)
allow established/related (replies to connections from other VLANs)
drop invalid
allow ports 53, 67 (DNS, DHCP)
deny 10.0.0.0/8 (rest of the network)

IOT_LOCAL (traffic to the router itself)
allow established/related
drop invalid
allow ports 53, 67 (DNS, DHCP)

</aside>

<aside> 🚦 QoS Limited (at router) to 250 kbps up, 2 Mbps down

</aside>

120 — Security Cameras

<aside> 🔥 CAM_IN (traffic from VLAN 120 through the router)
default drop
allow established/related
drop invalid
allow ports 53, 67 (DNS, DHCP)
deny 10.0.0.0/8 (LANs)
deny 0.0.0.0/0 (everything else, including the internet; redundant with the default drop, but makes the intent explicit. Note that 0.0.0.0/8 would only match the reserved "this network" range, not internet destinations.)

CAM_LOCAL (traffic to the router itself)
allow established/related
drop invalid
allow ports 53, 67 (DNS, DHCP)

</aside>

<aside> 💱 NAT Rules Redirect any NTP request from the camera VLAN to the Synology (NVR)'s NTP server, so the cameras keep correct time without internet access. Rule 1 is the destination NAT: UDP/123 arriving on switch0.120 is rewritten to the NVR's address. Rule 5011 masquerades that traffic as it leaves back out on switch0.120 (hairpin NAT), so the NVR replies to the router rather than directly to the camera and the camera sees the answer come from the server it asked. Because destination NAT is applied before the firewall, CAM_IN evaluates the NVR's address as the destination; UDP/123 to the NVR has to be permitted ahead of the 10.0.0.0/8 deny, otherwise the redirected requests are dropped.

rule 1 {
    description "redir cam ntp to syno"
    destination {
        port 123
    }
    inbound-interface switch0.120
    inside-address {
        address SYNO IP ADDR
        port 123
    }
    log disable
    protocol udp
    source {
        address 10.0.120.0/24
    }
    type destination
}
rule 5011 {
    description "masq for cam vlan"
    log disable
    outbound-interface switch0.120
    protocol all
    source {
        address 10.0.120.0/24
    }
    type masquerade
}

</aside>
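As an added example (not configuration from the original page or from EdgeOS itself), the following Python models the CAM_IN ruleset and NAT rule 1 as a first-match policy evaluator, so the verdicts for a few constructed flows can be checked: DNS out, SMB towards the main VLAN, HTTPS to the internet, and the redirected NTP request. It shows why the final deny has to be 0.0.0.0/0 rather than 0.0.0.0/8, and why the NTP redirect needs its own allow before the 10.0.0.0/8 deny. The NVR address 10.0.120.10 and all flow addresses are assumptions.

```python
"""First-match simulator for the camera VLAN policy described above.

Added example, not configuration from the original page or from EdgeOS: it
models the CAM_IN ruleset (first match wins, default drop) and NAT rule 1
closely enough to check what the rules actually permit. The NVR address
10.0.120.10 and all test flows are assumed/constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

ANY_STATE = ("new", "established", "related", "invalid")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None
    state: str = "new"          # conntrack state of the packet


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    dst: str = "0.0.0.0/0"            # destination network
    proto: Optional[str] = None       # None = any protocol
    dports: Sequence[int] = ()        # empty = any port
    states: Sequence[str] = ANY_STATE

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports)
                and f.state in self.states)


def evaluate(ruleset: Sequence[Rule], default: str, f: Flow) -> str:
    """Return the action of the first matching rule, else the default action."""
    for r in ruleset:
        if r.matches(f):
            return r.action
    return default


# CAM_IN as described on the page, with the final deny written as 0.0.0.0/0.
CAM_IN = [
    Rule("accept", states=("established", "related")),
    Rule("drop", states=("invalid",)),
    Rule("accept", proto="udp", dports=(53, 67)),   # DNS, DHCP
    Rule("drop", dst="10.0.0.0/8"),                  # the other LANs
    Rule("drop", dst="0.0.0.0/0"),                   # everything else
]

# Same ruleset with the last deny as 0.0.0.0/8: that block only covers the
# reserved "this network" range, so the rule never matches internet traffic
# and the verdict falls through to the default action.
CAM_IN_TYPO = CAM_IN[:-1] + [Rule("drop", dst="0.0.0.0/8")]

NVR = "10.0.120.10"  # assumed; the page elides the Synology's address
CAM_NET = ip_network("10.0.120.0/24")


def dnat_ntp(f: Flow) -> Flow:
    """Model NAT rule 1: UDP/123 from the camera VLAN is rewritten to the NVR."""
    if f.proto == "udp" and f.dport == 123 and ip_address(f.src) in CAM_NET:
        return Flow(f.src, NVR, f.proto, f.dport, f.state)
    return f


# CAM_IN plus the allow the NTP redirect needs, placed before the /8 deny.
CAM_IN_NTP = (CAM_IN[:3]
              + [Rule("accept", dst=f"{NVR}/32", proto="udp", dports=(123,))]
              + CAM_IN[3:])


def camera_verdict(f: Flow, ruleset: Sequence[Rule] = CAM_IN,
                   default: str = "drop") -> str:
    """Destination NAT runs before the firewall, so CAM_IN sees the translated flow."""
    return evaluate(ruleset, default, dnat_ntp(f))


if __name__ == "__main__":
    cam = "10.0.120.50"
    for label, flow, rs in [
        ("DNS to resolver", Flow(cam, "8.8.8.8", "udp", 53), CAM_IN),
        ("SMB to main VLAN", Flow(cam, "10.0.100.5", "tcp", 445), CAM_IN),
        ("HTTPS to internet", Flow(cam, "198.51.100.7", "tcp", 443), CAM_IN),
        ("NTP redirected, no allow", Flow(cam, "203.0.113.10", "udp", 123), CAM_IN),
        ("NTP redirected, with allow", Flow(cam, "203.0.113.10", "udp", 123), CAM_IN_NTP),
    ]:
        print(f"{label:28} -> {camera_verdict(flow, rs)}")
```

Run it directly to see the verdicts for the constructed flows; swapping `CAM_IN_TYPO` for `CAM_IN` with a default of `accept` shows how the 0.0.0.0/8 version would leak internet traffic on a ruleset that did not also default to drop.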

<aside> 🚦 QoS Limited at AP (per device) to 50 Mbps up, 5 Mbps down

</aside>

200 — Guest

<aside> 🔥 GUEST_IN (traffic from VLAN 200 through the router)
allow established/related (replies to connections from other VLANs)
drop invalid
allow ports 53, 67 (DNS, DHCP)
deny 10.0.0.0/8 (rest of the network)

GUEST_LOCAL (traffic to the router itself)
allow established/related
drop invalid
allow ports 53, 67 (DNS, DHCP)

</aside>

250 — Trusted VPN Clients

Currently this is used for tailscale.home.tomr.network.