Example configuration that uses a single FLET'S Hikari line to give VLAN1 and VLAN2 Internet access while keeping the two VLANs isolated from each other.
Use cases:
An office and its visitors
A school staff room and classrooms, etc.
Network configuration
Office: ip vlan1 address 10.255.0.1/24
Guest: ip vlan2 address 192.168.21.1/24
No traffic is allowed between VLAN1 and VLAN2, except that VLAN1 may reach only the following VLAN2 addresses:
192.168.21.2, 192.168.21.3, 192.168.21.11-192.168.21.18
How the filters below enforce this: the vlan2 out chain (212 pass for the listed hosts, then 202 reject for everything else sourced from 10.255.0.0/24) is what blocks Office traffic to the rest of the Guest LAN; filter 101 on vlan1 in only rejects 192.168.21.20-192.168.21.254. The static filters are stateless, so 211 (vlan2 in) and 112 (vlan1 out), which let replies from the listed hosts back to VLAN1, equally let those hosts open connections into VLAN1; narrow them to the needed ports, or use dynamic filters, if only Office-initiated sessions are wanted. The url lan2 filter / url pp filter lines refer to URL filter sets 20 and 10 that are not defined in this listing; 管理IP_Address, id@isp.jp and password are placeholders for the administrator's source address and the ISP credentials; and the SSH server should be restricted with sshd host vlan1, as telnetd and httpd already are, so that Guest hosts cannot reach it on 192.168.21.1.
# show config
console character en.ascii
console columns 200
console lines infinity
ip route default gateway pp 1
ip filter source-route on
ip filter directed-broadcast on
# Port-based VLAN on lan1: ports 1-6 -> vlan1 (Office), ports 7-8 -> vlan2 (Guest)
vlan port mapping lan1.1 vlan1
vlan port mapping lan1.2 vlan1
vlan port mapping lan1.3 vlan1
vlan port mapping lan1.4 vlan1
vlan port mapping lan1.5 vlan1
vlan port mapping lan1.6 vlan1
vlan port mapping lan1.7 vlan2
vlan port mapping lan1.8 vlan2
description vlan1 "Office LAN"
lan type lan1 port-based-option=divide-network
ip vlan1 address 10.255.0.1/24
# Static filters are stateless and first-match; a packet that matches no filter in a chain is dropped
ip vlan1 secure filter in 101 3000
ip vlan1 secure filter out 112 102 3000
description vlan2 "Guest LAN"
ip vlan2 address 192.168.21.1/24
ip vlan2 secure filter in 211 201 3000
ip vlan2 secure filter out 212 202 3000
# URL filter set 20 is referenced here but not defined in this listing
url lan2 filter in 20
url lan2 filter out 20
pp select 1
pp always-on on
pppoe use lan2
pp auth accept pap chap
pp auth myname id@isp.jp password
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp mtu 1454
# WAN in: only 管理IP_Address and ICMP to the LANs; LAN-initiated sessions return through the dynamic filters
ip pp secure filter in 1080 1081 1020 1021 2000
# WAN out: block RPC/NetBIOS/SMB, pass the rest; the dynamic filters open the return path
ip pp secure filter out 1010 1011 1012 1013 1014 1015 3000 dynamic 100 101 102 103 104 105 106 107
ip pp nat descriptor 1000
url pp filter in 10
url pp filter out 10
netvolante-dns use pp server=1 auto
netvolante-dns hostname host pp server=1 office-a.aa0.netvolante.jp
pp enable 1
# Inter-VLAN policy: 101 only trims the upper part of the Guest range; 212/202 on vlan2 out do the real blocking.
# 211/112 pass the listed Guest hosts toward Office in both directions (stateless), so they can initiate sessions too.
ip filter 101 reject * 192.168.21.20-192.168.21.254
ip filter 102 reject 192.168.21.0/24 *
ip filter 112 pass-log 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18 *
ip filter 201 reject * 10.255.0.0/24
ip filter 202 reject 10.255.0.0/24 *
ip filter 211 pass-log 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18 10.255.0.0/24
ip filter 212 pass-log 10.255.0.0/24 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18
# Keep RPC/NetBIOS/SMB from leaking to the WAN
ip filter 1010 reject * * udp,tcp 135 *
ip filter 1011 reject * * udp,tcp * 135
ip filter 1012 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 1013 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 1014 reject * * udp,tcp 445 *
ip filter 1015 reject * * udp,tcp * 445
# Anti-spoofing: drop WAN packets that claim a LAN source address
ip filter 1020 reject 10.255.0.0/24 *
ip filter 1021 reject 192.168.21.0/24 *
# 管理IP_Address is a placeholder for the administrator's source address (also used by httpd host below)
ip filter 1080 pass 管理IP_Address * * *
ip filter 1081 pass * 10.255.0.0/24,192.168.21.0/24 icmp
ip filter 2000 reject * *
ip filter 3000 pass * *
ip filter dynamic 100 * * ftp syslog=off
ip filter dynamic 101 * * www syslog=off
ip filter dynamic 102 * * domain syslog=off
ip filter dynamic 103 * * smtp syslog=off
ip filter dynamic 104 * * pop3 syslog=off
ip filter dynamic 105 * * submission syslog=off
ip filter dynamic 106 * * tcp syslog=off
ip filter dynamic 107 * * udp syslog=off
nat descriptor type 1000 masquerade
# The router's own SSH/HTTP are exposed on WAN ports 65022/10088; filter 1080 limits them to 管理IP_Address
nat descriptor masquerade static 1000 1 10.255.0.1 tcp 65022=22,10088=www
syslog notice on
telnetd host vlan1
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 10.255.0.51-10.255.0.89/24
dhcp scope 2 192.168.21.101-192.168.21.199/24 expire 8:00 maxexpire 8:00
dns host any
dns server 8.8.8.8
dns private address spoof on
schedule at 1 */* 04:32 * ntpdate ntp.nict.jp
httpd host vlan1 管理IP_Address
sshd service on
# sshd host added to match telnetd/httpd, so the Guest VLAN cannot reach the router's SSH server on 192.168.21.1
sshd host vlan1
sshd host key generate *
statistics cpu on
statistics memory on
statistics traffic on
statistics nat on
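To check the inter-VLAN policy without a router, the following Python script (an added example, not part of the page's configuration) parses the vlan1/vlan2 filter lines above, copied into the script as a constructed string, and applies the static-filter semantics described above: first match wins, a packet that matches nothing is dropped, and a routed packet must pass the ingress interface's in chain and then the egress interface's out chain. Protocol/port fields and dynamic filters are ignored, so it covers the VLAN1/VLAN2 policy but not the pp chains; the sample addresses 10.255.0.51 and 192.168.21.101 are assumed DHCP clients from the page's scopes. It also makes the stateless caveat visible: the listed Guest hosts are allowed toward Office even when they start the session.

```python
"""Policy check for the inter-VLAN filters in the Yamaha RTX config above.

Added example, not part of the page's configuration.  Only the static
(stateless) filter lists are modelled: the first matching filter decides,
a packet that matches nothing is dropped, and a routed packet must pass
the ingress "in" chain and then the egress "out" chain.  Protocol/port
fields and dynamic filters are not modelled.
"""
import ipaddress
import re

# Constructed copy of the VLAN filter bindings and definitions from the page.
CONFIG = """
ip vlan1 secure filter in 101 3000
ip vlan1 secure filter out 112 102 3000
ip vlan2 secure filter in 211 201 3000
ip vlan2 secure filter out 212 202 3000
ip filter 101 reject * 192.168.21.20-192.168.21.254
ip filter 102 reject 192.168.21.0/24 *
ip filter 112 pass-log 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18 *
ip filter 201 reject * 10.255.0.0/24
ip filter 202 reject 10.255.0.0/24 *
ip filter 211 pass-log 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18 10.255.0.0/24
ip filter 212 pass-log 10.255.0.0/24 192.168.21.2,192.168.21.3,192.168.21.11-192.168.21.18
ip filter 3000 pass * *
"""

FILTER_RE = re.compile(r"^ip filter (\d+) (\S+) (\S+) (\S+)")
BIND_RE = re.compile(r"^ip (\S+) secure filter (in|out) (.+)$")


def addr_matches(spec, ip):
    """Yamaha address field: '*', a host, a CIDR, a 'low-high' range, or a comma list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            low, high = (ipaddress.IPv4Address(p) for p in part.split("-"))
            if low <= ip <= high:
                return True
        elif "/" in part:
            if ip in ipaddress.IPv4Network(part, strict=False):
                return True
        elif ipaddress.IPv4Address(part) == ip:
            return True
    return False


def parse(config):
    """Return ({number: (action, src, dst)}, {(iface, direction): [numbers]})."""
    filters, bindings = {}, {}
    for line in config.strip().splitlines():
        m = FILTER_RE.match(line)
        if m:
            num, action, src, dst = m.groups()
            filters[num] = (action, src, dst)
            continue
        m = BIND_RE.match(line)
        if m:
            iface, direction, nums = m.groups()
            bindings[(iface, direction)] = nums.split()
    return filters, bindings


def run_chain(filters, chain, src, dst):
    """First match wins; 'pass'/'pass-log' allow, any other action or no match drops."""
    for num in chain:
        action, src_spec, dst_spec = filters[num]
        if addr_matches(src_spec, src) and addr_matches(dst_spec, dst):
            return action.startswith("pass")
    return False


def allowed(src_ip, dst_ip, src_if, dst_if, config=CONFIG):
    """Routed packet: ingress 'in' chain, then egress 'out' chain; both must pass."""
    filters, bindings = parse(config)
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return (run_chain(filters, bindings[(src_if, "in")], src, dst)
            and run_chain(filters, bindings[(dst_if, "out")], src, dst))


# 10.255.0.51 is an assumed Office DHCP client (scope 1 on the page).
def office_to_guest(dst_ip, src_ip="10.255.0.51"):
    return allowed(src_ip, dst_ip, "vlan1", "vlan2")


def guest_to_office(src_ip, dst_ip="10.255.0.51"):
    return allowed(src_ip, dst_ip, "vlan2", "vlan1")


if __name__ == "__main__":
    for dst in ("192.168.21.2", "192.168.21.5", "192.168.21.18",
                "192.168.21.19", "192.168.21.101"):
        print(f"Office -> {dst:15} {'allowed' if office_to_guest(dst) else 'blocked'}")
    for src in ("192.168.21.2", "192.168.21.101"):
        # 211/112 pass the listed Guest hosts regardless of who started the
        # session, so those hosts can also initiate connections into Office.
        print(f"Guest {src:15} -> Office {'allowed' if guest_to_office(src) else 'blocked'}")
```

Office traffic to 192.168.21.5 is blocked even though filter 101 lets it through the vlan1 in chain, because 202 on the vlan2 out chain rejects it; that is the check to repeat after editing any of the four chains, since a pass in only one direction's chain is never sufficient with stateless filters.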