Note: This is an initial draft of the firewall configuration. The production rules have since been redesigned, so this version is no longer in use and is safe to publish.

Firewall & VLAN Rules

Small Business
Approximated from deployed network topology — Not a live configuration export
Initial Draft
Device: Firewall / Security Gateway
Upstream: Internet gateway in bridge mode — firewall handles all routing, NAT, DHCP, and firewall duties
Compliance: PCI DSS — card reader isolated on a dedicated VLAN with no lateral access
Policy: Default deny between VLANs. Each VLAN is explicitly granted only the access it needs.

VLAN Assignments

VLAN ID | Name | Subnet | DHCP Range | Purpose
10 | Operations | 192.168.10.0/24 | .100 – .200 | Phones, desktops, printer — daily business use
20 | PCI | 192.168.20.0/24 | .100 – .110 | Card reader only — fully isolated for PCI compliance
30 | AP Management | 192.168.30.0/24 | .100 – .110 | Access point management interface
40 | Staff Wi-Fi | 192.168.40.0/24 | .100 – .200 | Staff laptops, security cameras — wireless
50 | Untrusted Wi-Fi | 192.168.50.0/24 | .100 – .250 | Employee cell phones — internet only, fully isolated

DHCP ranges are intentionally narrow on PCI and AP Management VLANs to limit the number of devices that can obtain an address.

Inter-VLAN Traffic Matrix

Read as: "Can [Row] talk to [Column]?"

Source \ Destination | Operations | PCI | AP Mgmt | Staff Wi-Fi | Untrusted | Internet
Operations | - | DENY | ALLOW | ALLOW | DENY | ALLOW
PCI | DENY | - | DENY | DENY | DENY | ALLOW *
AP Mgmt | DENY | DENY | - | DENY | DENY | ALLOW
Staff Wi-Fi | ALLOW ** | DENY | DENY | - | DENY | ALLOW
Untrusted | DENY | DENY | DENY | DENY | - | ALLOW

* PCI internet access is restricted to payment processor endpoints only (see outbound rules below).

** Staff Wi-Fi → Operations is allowed for printer access from laptops.

Firewall Rules — Inter-VLAN

Rules are evaluated top-down. First match wins.

# | Source | Destination | Protocol / Port | Action | Purpose
1 | VLAN 20 (PCI) | Any local VLAN | Any | Deny | PCI isolation — no lateral movement
2 | Any local VLAN | VLAN 20 (PCI) | Any | Deny | Nothing reaches the card reader
3 | VLAN 50 (Untrusted) | Any local VLAN | Any | Deny | Cell phones cannot reach internal resources
4 | Any local VLAN | VLAN 50 (Untrusted) | Any | Deny | Nothing reaches untrusted devices
5 | VLAN 40 (Staff Wi-Fi) | VLAN 10 (Ops) | TCP 9100, 631 | Allow | Laptops can print (RAW + IPP)
6 | VLAN 10 (Ops) | VLAN 30 (AP Mgmt) | TCP 443 | Allow | Admin desktop can manage the access point
7 | VLAN 10 (Ops) | VLAN 40 (Staff Wi-Fi) | Any | Allow | Ops can reach staff devices for support
8 | Any VLAN | Any VLAN | Any | Deny | Default deny — catch-all

PCI Note: Rules 1 and 2 must remain at the top. The card reader VLAN has no path to any internal resource. If the payment processor requires specific IPs, those are handled in the outbound rules — never through inter-VLAN access.
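The inter-VLAN table above and the traffic matrix before it describe the same policy from two angles; the following added example (not part of this draft or the gateway's configuration) encodes the eight rules, evaluates flows top-down with first match wins, and rebuilds the matrix from the rules so the two can be checked against each other. It assumes "Any" in this table means any of the five local VLANs, and the sample flows used to populate the matrix are constructed here.

```python
"""First-match evaluator for the draft's inter-VLAN ruleset (added example)."""
from typing import Dict, Optional, Set, Tuple

ANY = "any"
LOCAL = {10, 20, 30, 40, 50}  # VLAN ids from the VLAN assignment table

# (rule #, source VLAN, destination VLAN, protocol, ports, action); ports None = any port
INTER_VLAN_RULES = [
    (1, 20, ANY, ANY, None, "deny"),           # PCI -> any local VLAN
    (2, ANY, 20, ANY, None, "deny"),           # any local VLAN -> PCI
    (3, 50, ANY, ANY, None, "deny"),           # Untrusted -> any local VLAN
    (4, ANY, 50, ANY, None, "deny"),           # any local VLAN -> Untrusted
    (5, 40, 10, "tcp", {9100, 631}, "allow"),  # Staff Wi-Fi -> Ops printing (RAW + IPP)
    (6, 10, 30, "tcp", {443}, "allow"),        # Ops -> AP management over HTTPS
    (7, 10, 40, ANY, None, "allow"),           # Ops -> Staff Wi-Fi for support
    (8, ANY, ANY, ANY, None, "deny"),          # default deny catch-all
]

def _matches(field, value) -> bool:
    return field == ANY or field == value

def evaluate(src: int, dst: int, proto: str, port: Optional[int]) -> Tuple[int, str]:
    """Walk the rules top-down and return (rule #, action) of the first match."""
    for num, rsrc, rdst, rproto, rports, action in INTER_VLAN_RULES:
        if not (_matches(rsrc, src) and _matches(rdst, dst) and _matches(rproto, proto)):
            continue
        if rports is not None and port not in rports:
            continue
        return num, action
    raise AssertionError("ruleset has no catch-all")  # unreachable while rule 8 exists

# Constructed sample flows: enough to exercise every port-specific rule above.
SAMPLE_FLOWS = [("tcp", 9100), ("tcp", 631), ("tcp", 443), ("tcp", 22), ("udp", 53), ("icmp", None)]

def derive_matrix() -> Dict[Tuple[int, int], str]:
    """Rebuild the 'Can [Row] talk to [Column]?' matrix: ALLOW if any sample flow passes."""
    matrix = {}
    for src in LOCAL:
        for dst in LOCAL - {src}:
            allowed = any(evaluate(src, dst, p, port)[1] == "allow" for p, port in SAMPLE_FLOWS)
            matrix[(src, dst)] = "ALLOW" if allowed else "DENY"
    return matrix

def pci_isolated() -> bool:
    """True when no sample flow to or from VLAN 20 is allowed, as the PCI note requires."""
    return all(v == "DENY" for (s, d), v in derive_matrix().items() if 20 in (s, d))

if __name__ == "__main__":
    for (s, d), v in sorted(derive_matrix().items()):
        print(f"VLAN {s} -> VLAN {d}: {v}")
    print("PCI isolated:", pci_isolated())
```

Re-running this after editing or reordering the rule list shows immediately whether a new allow rule would shadow the PCI or Untrusted deny rules.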

Firewall Rules — Outbound (WAN)

# | Source | Destination | Protocol / Port | Action | Purpose
1 | VLAN 20 (PCI) | Payment processor IPs | TCP 443 | Allow | Card reader → payment gateway (HTTPS only)
2 | VLAN 20 (PCI) | Any | Any | Deny | Card reader cannot reach anything else on the internet
3 | VLAN 10 (Ops) | Any | TCP 80, 443 | Allow | Web browsing
4 | VLAN 10 (Ops) | Any | TCP 587, 993 | Allow | Email (SMTP submission + IMAP over TLS)
5 | VLAN 10 (Ops) | Any | UDP 5060; UDP 10000–20000 | Allow | VoIP signaling (SIP) + media (RTP)
6 | VLAN 10 (Ops) | VPN provider endpoints | UDP 1194; TCP 443 | Allow | VPN tunnel for privacy and security
7 | VLAN 40 (Staff Wi-Fi) | Any | TCP 80, 443 | Allow | Web access for staff laptops
8 | VLAN 40 (Staff Wi-Fi) | Camera cloud IPs | TCP 443; UDP 8554 | Allow | Security cameras → cloud storage/streaming
9 | VLAN 50 (Untrusted) | Any | TCP 80, 443 | Allow | Internet-only for cell phones
10 | VLAN 30 (AP Mgmt) | Vendor cloud | TCP 443 | Allow | AP firmware updates and cloud management
11 | Any | Any | UDP 53 | Allow | DNS resolution (all VLANs)
12 | Any | Any | Any | Deny | Default deny — catch-all

Note: "Payment processor IPs" and "Camera cloud IPs" should be replaced with the actual IP ranges provided by those vendors. Keeping these as narrow as possible reduces exposure if any device is compromised.

Inbound Rules (WAN → LAN)

# | Source | Destination | Protocol / Port | Action | Purpose
1 | VPN provider endpoints | VLAN 10 (Ops) | UDP 1194; TCP 443 | Allow | Inbound VPN tunnel
2 | Any | Any | Any | Deny | No unsolicited inbound traffic

No ports are exposed directly to the internet.

Additional Security Measures

Measure | Setting | Rationale
Content filtering | Enabled on VLAN 50 (Untrusted) | Block malware, phishing, and adult content categories on the cell phone network
DNS | Forced to firewall for all VLANs | Prevents devices from using external DNS to bypass filtering
UPnP | Disabled | Prevents devices from automatically opening ports
Firewall management | Cloud management — no local admin interface exposed | Firewall admin panel is never exposed to the internet
Firmware updates | Automatic via vendor cloud | Firewall receives patches without manual intervention
Guest Wi-Fi | Not configured | Deliberate decision — reduces attack surface on a PCI-compliant network