Routing between USG Flex 500 ethernet ports
Options
Hi,
I'm deploying USG Flex 500 and I can't figure out how to allow routing between two LANs connected to two ethernet ports.
The design is as follows:
P2 - WAN port to Internet
P3 - DMZ port to DMZ servers
P4 - Company1 LAN 192.168.245.0/24
P5 - Company2 LAN 192.168.246.0/24
and so on.
Each company is in different LAN.
USG Flex 500 is the gateway for every LAN.
I created custom zone All_Internal_LANs and added all ethernet ports (LANs) in it to simplify Security policy rules.
I deleted all pre-defined Security Policy rules without Default Deny and started creating them from scratch to allow only the ports I need.
The result is all LANs have internet and All LANs have the access needed to DMZ servers.
The problem is that a server in LAN 245 cannot ping server in LAN 246. Both servers' firewalls are disabled.
I added a temporary rule to allow any from All_internal_LANs to All_internal_LANs and any from All_internal_LANs to ZyWall, but it doesn't work. I enabled log for this rule and when I ping from one server to other I see ACCESS FORWARD in the log.
When I use tracert the first hop is the Zyxell firewall and then timeout.
I'm missing something and I can't find out what is it.
Any help would be appreciated!
I'm deploying USG Flex 500 and I can't figure out how to allow routing between two LANs connected to two ethernet ports.
The design is as follows:
P2 - WAN port to Internet
P3 - DMZ port to DMZ servers
P4 - Company1 LAN 192.168.245.0/24
P5 - Company2 LAN 192.168.246.0/24
and so on.
Each company is in different LAN.
USG Flex 500 is the gateway for every LAN.
I created custom zone All_Internal_LANs and added all ethernet ports (LANs) in it to simplify Security policy rules.
I deleted all pre-defined Security Policy rules without Default Deny and started creating them from scratch to allow only the ports I need.
The result is all LANs have internet and All LANs have the access needed to DMZ servers.
The problem is that a server in LAN 245 cannot ping server in LAN 246. Both servers' firewalls are disabled.
I added a temporary rule to allow any from All_internal_LANs to All_internal_LANs and any from All_internal_LANs to ZyWall, but it doesn't work. I enabled log for this rule and when I ping from one server to other I see ACCESS FORWARD in the log.
When I use tracert the first hop is the Zyxell firewall and then timeout.
I'm missing something and I can't find out what is it.
Any help would be appreciated!
0
Best Answers
-
popekoz,
Please refer to my test configuration and result, thanks.
I have two internal interfaces in the same Zone which is named internal_interface_zone
And here is my security policy configuration. test environment.
I didn't delete all the default rules, I just add another three security policies.
1. internal_interface_zone to any: Allow
2. internal_interface_zone to ZyWall: Allow
3. internal_interface_zone to internal_interface_zone: Allow
Test environment:
ping from PC1 to PC2
PC1: 192.168.19.2 under interface1
PC2: 192.168.20.10 under interface2
As you can see, I'm able to ping from interface1 to interface2, I think it's this test result is close to your request, right?
Actually, #3 rule is not needed because ping from interface1 to interface2 will match #1 rule. The test still succeeds if I inactivate #3 rule.
James0 -
0
-
It turns out that subnet based Vlan configured on the infrastructure switch is the problem. When I changed the VLANs to static, all works as expected.0
Zyxel Employee
All Replies
-
Hello @popekoz,Welcome to Zyxel community!By default, the LANs can be routed between each other as you can see there is no deny rule for LAN1 to other LANs.Since you re-create the security policies except the default deny rule, I would like to check on your settings on the security policy first. Please provide remote access for us via private message, I will check on your security policies, thank you.James0
-
popekoz,
Please refer to my test configuration and result, thanks.
I have two internal interfaces in the same Zone which is named internal_interface_zone
And here is my security policy configuration. test environment.
I didn't delete all the default rules, I just add another three security policies.
1. internal_interface_zone to any: Allow
2. internal_interface_zone to ZyWall: Allow
3. internal_interface_zone to internal_interface_zone: Allow
Test environment:
ping from PC1 to PC2
PC1: 192.168.19.2 under interface1
PC2: 192.168.20.10 under interface2
As you can see, I'm able to ping from interface1 to interface2, I think it's this test result is close to your request, right?
Actually, #3 rule is not needed because ping from interface1 to interface2 will match #1 rule. The test still succeeds if I inactivate #3 rule.
James0 -
Rule number 1 was just temoporary for the testing. It shouldn't be active in production. Rule number 3 is the acceptable rule because it allows only internal communications between LANs. Can you disable rule #1 and confirm it's working with #2 and #3 only. Thanks!0
-
0
-
I made test environment and I can confirm that only rule #3 is enough even with deleted default security policy rules for ping between the two LANs to pass. So if someone wants to allow outgoing connections to the internet only for specific ports, but inter-LAN communications should work, Allow rule from "Internal" to "Internal" should be created.0
-
It turns out that subnet based Vlan configured on the infrastructure switch is the problem. When I changed the VLANs to static, all works as expected.0
Categories
- All Categories
- 397 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 52 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 63 Security Highlight
