Note: This firewall strategy is no longer in production and is published here as a portfolio example of network security work.

Firewall & VLAN Rules

Small Business
Companion to PCI-Compliant Network Roadmap
Design rationale: VoIP phones and printers get their own VLANs instead of sharing with desktops. A compromised printer or phone cannot reach workstations directly. Targeted firewall rules let desktops and laptops print across VLAN boundaries without opening up full access.
Device: Firewall / Security Gateway
Upstream: Internet gateway in bridge mode — firewall handles all routing, NAT, DHCP, and firewall duties
Compliance: PCI DSS — card reader isolated on a dedicated VLAN with no lateral access
Policy: Default deny between VLANs. Each VLAN is explicitly granted only the access it needs.

VLAN Assignments

| VLAN ID | Name | Subnet | DHCP Range | Purpose |
|---|---|---|---|---|
| 10 | Operations | 192.168.10.0/24 | .100 – .200 | Desktops only — daily business use |
| 15 | Voice | 192.168.15.0/24 | .100 – .120 | VoIP phones — isolated, internet for SIP/RTP only |
| 18 | Print | 192.168.18.0/24 | .100 – .105 | Printer — reachable from Ops and Staff Wi-Fi via IPP/RAW |
| 20 | PCI | 192.168.20.0/24 | .100 – .110 | Card reader only — fully isolated for PCI compliance |
| 30 | AP Management | 192.168.30.0/24 | .100 – .110 | Access point management interface |
| 40 | Staff Wi-Fi | 192.168.40.0/24 | .100 – .200 | Staff laptops, security cameras — wireless |
| 50 | Untrusted Wi-Fi | 192.168.50.0/24 | .100 – .250 | Employee cell phones — internet only, fully isolated |

DHCP ranges are intentionally narrow on Voice, Print, PCI, and AP Management VLANs to limit the number of devices that can obtain an address.

Design note: VLAN 15 (Voice) and VLAN 18 (Print) are broken out from the original Operations VLAN. Phones and printers no longer share a broadcast domain with workstations.

Inter-VLAN Traffic Matrix

Read as: "Can [Row] talk to [Column]?"

| Source \ Destination | Ops | Voice | Print | PCI | AP Mgmt | Staff Wi-Fi | Untrusted | Internet |
|---|---|---|---|---|---|---|---|---|
| Operations | (self) | DENY | PRINT | DENY | ALLOW | ALLOW | DENY | ALLOW |
| Voice | DENY | (self) | DENY | DENY | DENY | DENY | DENY | SIP/RTP |
| Print | DENY | DENY | (self) | DENY | DENY | DENY | DENY | DENY |
| PCI | DENY | DENY | DENY | (self) | DENY | DENY | DENY | PAY * |
| AP Mgmt | DENY | DENY | DENY | DENY | (self) | DENY | DENY | CLOUD |
| Staff Wi-Fi | DENY | DENY | PRINT | DENY | DENY | (self) | DENY | ALLOW |
| Untrusted | DENY | DENY | DENY | DENY | DENY | DENY | (self) | WEB |

* PCI internet access restricted to payment processor endpoints only. PRINT = TCP 631 (IPP) + TCP 9100 (RAW) only.

Firewall Rules — Inter-VLAN

Rules are evaluated top-down. First match wins.

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VLAN 20 (PCI) | Any local VLAN | Any | Deny | PCI isolation — no lateral movement |
| 2 | Any local VLAN | VLAN 20 (PCI) | Any | Deny | Nothing reaches the card reader |
| 3 | VLAN 15 (Voice) | Any local VLAN | Any | Deny | Phones cannot reach internal resources |
| 4 | Any local VLAN | VLAN 15 (Voice) | Any | Deny | Nothing reaches the phones |
| 5 | VLAN 50 (Untrusted) | Any local VLAN | Any | Deny | Cell phones cannot reach internal resources |
| 6 | Any local VLAN | VLAN 50 (Untrusted) | Any | Deny | Nothing reaches untrusted devices |
| 7 | VLAN 10 (Ops) | VLAN 18 (Print) | TCP 631, 9100 | Allow | Desktops can print (IPP + RAW) |
| 8 | VLAN 40 (Staff Wi-Fi) | VLAN 18 (Print) | TCP 631, 9100 | Allow | Laptops can print (IPP + RAW) |
| 9 | VLAN 18 (Print) | Any local VLAN | Any | Deny | Printer cannot initiate outbound connections |
| 10 | VLAN 10 (Ops) | VLAN 30 (AP Mgmt) | TCP 443 | Allow | Admin desktop can manage the access point |
| 11 | VLAN 10 (Ops) | VLAN 40 (Staff Wi-Fi) | Any | Allow | Ops can reach staff devices for support |
| 12 | Any VLAN | Any VLAN | Any | Deny | Default deny — catch-all |

PCI Note: Rules 1 and 2 must remain at the top. The card reader VLAN has no path to any internal resource.
Design note: Rules 3–4 isolate the Voice VLAN. Rules 7–9 create a controlled print path: desktops and laptops can send print jobs to the printer, but the printer itself cannot initiate connections to anything. Without this separation, the printer would sit on the same VLAN as desktops — a compromised printer would have direct access to workstations.
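Because first match wins, the only way to be sure the ordering above delivers the stated intent is to evaluate test flows against it. The following Python evaluator is an added example (not code from the original page or from any firewall vendor): it encodes the VLAN subnets and the Inter-VLAN table in order, and `lateral_reach` probes an assumed handful of TCP ports from each VLAN's first DHCP address (.100) to confirm which VLANs are fully isolated.

```python
from ipaddress import ip_address, ip_network

# Added example, not part of the original page: a first-match evaluator for the
# Inter-VLAN rule table. Subnets come from the VLAN Assignments table above.
VLANS = {"ops": "192.168.10.0/24", "voice": "192.168.15.0/24",
         "print": "192.168.18.0/24", "pci": "192.168.20.0/24",
         "apmgmt": "192.168.30.0/24", "staff": "192.168.40.0/24",
         "untrusted": "192.168.50.0/24"}

# (source, destination, protocol, ports, action) in table order. "any" matches
# every VLAN, None means all ports. Rule 12 is the catch-all default deny.
INTER_VLAN = [
    ("pci", "any", "any", None, "deny"),              # 1  PCI isolation
    ("any", "pci", "any", None, "deny"),              # 2  nothing reaches card reader
    ("voice", "any", "any", None, "deny"),            # 3  phones stay isolated
    ("any", "voice", "any", None, "deny"),            # 4
    ("untrusted", "any", "any", None, "deny"),        # 5  cell phones stay isolated
    ("any", "untrusted", "any", None, "deny"),        # 6
    ("ops", "print", "tcp", {631, 9100}, "allow"),    # 7  desktops print (IPP + RAW)
    ("staff", "print", "tcp", {631, 9100}, "allow"),  # 8  laptops print
    ("print", "any", "any", None, "deny"),            # 9  printer never initiates
    ("ops", "apmgmt", "tcp", {443}, "allow"),         # 10 admin desktop -> AP
    ("ops", "staff", "any", None, "allow"),           # 11 support access
    ("any", "any", "any", None, "deny"),              # 12 default deny
]

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if the address is not local."""
    addr = ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in ip_network(net)), None)

def evaluate(src_ip, dst_ip, proto, port, rules=INTER_VLAN):
    """Walk the table top-down and return (1-based rule number, action) of the first match."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for n, (rs, rd, rp, rports, action) in enumerate(rules, start=1):
        if rs not in ("any", src) or rd not in ("any", dst):
            continue
        if rp not in ("any", proto) or (rports is not None and port not in rports):
            continue
        return n, action
    raise ValueError("no rule matched: the table is missing its catch-all deny")

def lateral_reach(src_vlan, rules=INTER_VLAN, probe_ports=(22, 80, 443, 445, 631, 9100)):
    """VLANs that src_vlan can reach on at least one probe port (empty set = fully isolated)."""
    src_ip = str(ip_network(VLANS[src_vlan])[100])   # .100 is the first DHCP lease
    hosts = {n: str(ip_network(net)[100]) for n, net in VLANS.items() if n != src_vlan}
    return {n for n, ip in hosts.items()
            if any(evaluate(src_ip, ip, "tcp", p, rules)[1] == "allow" for p in probe_ports)}
```

Re-running `lateral_reach("pci")` and `lateral_reach("print")` after any rule change is a quick regression check that both stay empty, which is exactly what the PCI note and the print-path design note require.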

Firewall Rules — Outbound (WAN)

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VLAN 20 (PCI) | Payment processor IPs | TCP 443 | Allow | Card reader → payment gateway (HTTPS only) |
| 2 | VLAN 20 (PCI) | Any | Any | Deny | Card reader cannot reach anything else on the internet |
| 3 | VLAN 15 (Voice) | VoIP provider IPs | UDP 5060; UDP 10000–20000 | Allow | VoIP signaling (SIP) + media (RTP) |
| 4 | VLAN 15 (Voice) | Any | Any | Deny | Phones cannot reach anything beyond the VoIP provider |
| 5 | VLAN 18 (Print) | Any | Any | Deny | Printer has no internet access |
| 6 | VLAN 10 (Ops) | Any | TCP 80, 443 | Allow | Web browsing |
| 7 | VLAN 10 (Ops) | Any | TCP 587, 993 | Allow | Email (SMTP submission + IMAP over TLS) |
| 8 | VLAN 10 (Ops) | VPN provider endpoints | UDP 1194; TCP 443 | Allow | VPN tunnel for privacy and security |
| 9 | VLAN 40 (Staff Wi-Fi) | Any | TCP 80, 443 | Allow | Web access for staff laptops |
| 10 | VLAN 40 (Staff Wi-Fi) | Camera cloud IPs | TCP 443; UDP 8554 | Allow | Security cameras → cloud storage/streaming |
| 11 | VLAN 50 (Untrusted) | Any | TCP 80, 443 | Allow | Internet-only for cell phones |
| 12 | VLAN 30 (AP Mgmt) | Vendor cloud | TCP 443 | Allow | AP firmware updates and cloud management |
| 13 | Any | Any | UDP 53 | Allow | DNS resolution (all VLANs) |
| 14 | Any | Any | Any | Deny | Default deny — catch-all |

Note: "Payment processor IPs," "VoIP provider IPs," and "Camera cloud IPs" should be replaced with the actual IP ranges provided by those vendors.
Design note: VoIP traffic (SIP/RTP) moved from Ops outbound rules to Voice VLAN outbound (rules 3–4), locked to the VoIP provider only. The printer (rule 5) has no internet access at all — it only receives inbound print jobs from authorized VLANs.

Inbound Rules (WAN → LAN)

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VPN provider endpoints | VLAN 10 (Ops) | UDP 1194; TCP 443 | Allow | Inbound VPN tunnel |
| 2 | Any | Any | Any | Deny | No unsolicited inbound traffic |

No ports are exposed directly to the internet.

Additional Security Measures

| Measure | Setting | Rationale |
|---|---|---|
| Content filtering | Enabled on VLAN 50 (Untrusted) | Block malware, phishing, and adult content categories on the cell phone network |
| DNS | Forced to firewall for all VLANs | Prevents devices from using external DNS to bypass filtering |
| UPnP | Disabled | Prevents devices from automatically opening ports |
| Firewall management | Cloud management — no local admin interface exposed | Firewall admin panel is never exposed to the internet |
| Firmware updates | Automatic via vendor cloud | Firewall receives patches without manual intervention |
| Guest Wi-Fi | Not configured | Deliberate decision — reduces attack surface on a PCI-compliant network |
This guide is provided for educational and portfolio purposes. It reflects general best practices and does not constitute professional security consulting for your specific environment. Consult a qualified professional for your business’s security needs.