Configuring Web Servers in VLAN, no tags, port-forwards

  • #5323
    trust_in_wrt
    Participant
    
    Hello. I'm still learning how to use the pcWRT and would appreciate your thoughts on the following approach.  
    
    I would like to create a VLAN, called X3, that I can use for web servers such as a website, FTP, SSH, etc.  
    
    In the pcWRT Network page, I've set up the ports as follows:
       __________________________________________
       | Port   |   1   |   2   |   3   |   4   |
       __________________________________________
       | Tagged |  No   |  No   |  No   |  No   |
       __________________________________________
       | Net    |  LAN  |  LAN  |  X3   |  X3   |
       __________________________________________
    
    To allow traffic from the web to the X3 VLAN and to protect my regular LAN from receiving any traffic initiated from the X3 VLAN, I've set up the pcWRT VLAN config-table as follows:
    
                          D e s t i n a t i o n
        _________________________________________________
        |       |  LAN  | Guest |  X1   |  X2   |  X3   |
        _________________________________________________
        |  LAN  |  Yes  |       |       |       |  Yes  |
    S   _________________________________________________
    o   | Guest |       |       |       |       |       |
    u   _________________________________________________
    r   |  X1   |       |       |       |       |       |
    c   _________________________________________________
    e   |  X2   |       |       |       |       |       |
        _________________________________________________
        |  X3   |       |       |       |       |  Yes  |
        _________________________________________________
    
    Where 'Yes' represents a checkmark.
    
    Here is what I'm planning for my network:
    
    Cable 
    Modem
      |
      |      pcWRT 
      |      Router
      |        |     
      |________|WAN port
               |         
               |__port1 (to Switch A on LAN)
               |              | 
               |              |__ Device A1
               |              |__ Device A2   
               |                      
               |__port2 (to device on LAN)
               |
               |__port3 (configured as vlan X3, no tag)
               |               |
               |               |__ Server S1
               |
               |
               |__port4 (configured as vlan X3, no tag)
                               |
                             Switch B (not vlan-aware)
                               |
                               |__ Server S2
                               |__ Server S3
    
    I will forward ports (20,21,22,80, etc) associated with my web servers from WAN to the private IP address of the servers: S1, S2, and S3.  (I've reserved these addresses in pcWRT "Hostnames and Static Leases".)
    
    So my questions are the following:
    
    1. Will the forwarded ports ONLY be able to send web traffic to S1, S2, and S3 on VLAN X3?  
    
    2. Will calls initiated by the servers in the X3 VLAN to my LAN devices be blocked?
    
    3. Will I be able to initiate calls from my LAN to the web servers' private addresses on X3?
    
    4. Is it okay NOT to tag the VLAN ports in the pcWRT Network page (since I'm not configuring VLAN tags on the servers in X3)?
    
    5. Is the above approach reasonable, or have I missed anything?  (I am also using a firewall in each server for added security, though I believe that is not needed, if the router is set up correctly.)
    
    Thanks!
    
    
    • This topic was modified 1 year, 11 months ago by trust_in_wrt. Reason: Minor improvements to phrasing
    #5326
    support
    Keymaster

    1. Yes, port forwarding will send traffic only to the destination IP address.
    2. Yes.
    3. Yes.
    4. There’s no need to tag the ports.
    5. Yes, it’s reasonable.

    #5327
    trust_in_wrt
    Participant

    Thanks for the quick review @support. Much appreciated.
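
One way to confirm answers 2 and 3 on the live network, as an added example that is not part of the original thread and not pcWRT tooling: run it once from a server on X3 and once from a device on LAN. The IP addresses and ports in `EXPECTATIONS` are constructed placeholders (the thread gives none), and `probe` and `audit` are names chosen for this sketch.

```python
"""Inter-VLAN isolation check: run from a host on X3, then from a host on LAN."""
import socket
import sys

# Constructed placeholder addresses; replace with your own LAN devices and X3 servers.
# vantage VLAN -> list of (host, port, must_be_open)
EXPECTATIONS = {
    "X3": [("192.168.1.10", 22, False), ("192.168.1.10", 445, False)],
    "LAN": [("192.168.3.11", 80, True), ("192.168.3.12", 22, True)],
}


def probe(host, port, timeout=2.0):
    """Classify a TCP connect attempt as 'open', 'closed' or 'filtered'.

    'closed' means a refusal came back. That refusal can come from the target
    host or from a router that rejects instead of dropping, so it does not by
    itself prove the packet crossed VLANs. Only 'open' is conclusive.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host unreachable, network unreachable
        return "filtered"


def audit(checks, timeout=2.0):
    """Return (host, port, state, must_be_open) for every check that fails."""
    failures = []
    for host, port, must_be_open in checks:
        state = probe(host, port, timeout)
        if (state == "open") != must_be_open:
            failures.append((host, port, state, must_be_open))
    return failures


if __name__ == "__main__":
    vantage = sys.argv[1] if len(sys.argv) > 1 else "X3"
    bad = audit(EXPECTATIONS[vantage])
    for host, port, state, must_be_open in bad:
        want = "open" if must_be_open else "not open"
        print(f"FAIL from {vantage}: {host}:{port} is {state}, expected {want}")
    sys.exit(1 if bad else 0)
```

Pass `X3` or `LAN` as the first argument to select the vantage point; a non-zero exit status means at least one expectation failed.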
