Routing between LAN ports

GrahamWebb
GrahamWebb Posts: 21  Freshman Member
First Comment Friend Collector Second Anniversary
Hi I have a WAN port and 3 ports setup for 3 separate lans. 

WAN
LAN1 Main
LAN2 Office Wifi
LAN3 Visitors Wifi

LAN1 is for normal office use desktops and laptops that plug in to the main switches.

LAN2 connects to a separate switch to provide wifi to office users, who can connect back using SSL vpn if they need more than web access.

LAN3 connects to a separate switch to provide wifi for visitors.

By default the LANs can route between each other so for instance someone on the visitors LAN3 can ping a server on LAN1 etc.  I have had to set up a few deny rules like the below screenshot.  Is there a better way to do this to just turn off the routing between ports?




All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    By default LAN's should not be able to route between each other with the default deny rule and no other rules.

    If you remove rules LAN to WAN can you still ping the internet?

    Is your firmware up to date?


  • GrahamWebb
    GrahamWebb Posts: 21  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hi Peter its a brand new USG 500 FLEX and I am on the latest firmware.  A few things were not working quite as they should, I could not get SSL VPN working on port 10433 either even though that service was included in the default WAN to Zywall rule I had to keep it on 433 and even had to put another allow rule for that to work near the top.  Its like the default WAN to Zywall rule containing the service groups was not allowing everything.  Strange though as it is allowing site to site IPSEC vpn based on that allow rule.  I did a port scan from Internet and all I have open is port 433 and have locked that down to SSLVPN only.

    This router is replacing a USG 310 and the USG 310 did the same thing allowing routing between the LANs unless I put deny rules in.
  • GrahamWebb
    GrahamWebb Posts: 21  Freshman Member
    First Comment Friend Collector Second Anniversary
    "If you remove rules LAN to WAN can you still ping the internet?"

    I cant really test that now as no longer there but will try that.
  • GrahamWebb
    GrahamWebb Posts: 21  Freshman Member
    First Comment Friend Collector Second Anniversary
    Looking at it again I think its these two default rules that are causing it, funnily enough LAN3 wasnt able to route to the others it was only between LAN1 and LAN2 I think.  I thought that was because I had to add LAN3 myself as another zone, I guess those two rules should be allow to WAN not any.


  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    yes default rules can be disable they are their to just get things working quickly but may do things you don't want it do.

    Are saying about 443 for SSL VPN? you should be able to change the port and get that working it will be safer to move it to another port.

    If your doing remote login think about doing from WAN to ZyWALL with source FQDN  with your remote end run like no-ip and you USG will only allow the IP from that 
    source at your remote location.  
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited August 2021
    Hi @GrahamWebbm

    To block LAN2 to LAN1 and block LAN1 to LAN2, create the following rules.
    You can also add new rules to allow LAN1 and LAN2 to access Internet instead of using the default rule From LAN1 To any and From LAN2 to any.
      

    If SSL VPN server port is 10443, you also need to allow port 10443 in the security policy rule "WAN_to_Device".


     


  • GrahamWebb
    GrahamWebb Posts: 21  Freshman Member
    First Comment Friend Collector Second Anniversary
    Hi Emily thanks I did make those changes to the SSLVPN port as per the instructions, I added TCP port 10433 Wiz_SSL_VPN object to the Default_Allow_Wan_To_Zywall and changed the port number to 10433 on the SSL VPN Global Setting page.  I was testing from my laptop connected to my iphone as a hotspot so maybe that had something to do with me not being able to connect the SecuExtender on that port.  I may try to change the port again at some point but I was thinking, one of the pros of using the SSL VPN in the first place is port 443 is rarely blocked for remote workers on hotel wifis etc so.

Security Highlight