Routing between USG Flex 500 ethernet ports

popekoz (edited October 2022 in Security)
Hi,
I'm deploying USG Flex 500 and I can't figure out how to allow routing between two LANs connected to two ethernet ports.

The design is as follows:
P2 - WAN port to Internet
P3 - DMZ port to DMZ servers
P4 - Company1 LAN 192.168.245.0/24
P5 - Company2 LAN 192.168.246.0/24
and so on. 
Each company is in different LAN.
USG Flex 500 is the gateway for every LAN.
I created custom zone All_Internal_LANs and added all ethernet ports (LANs) in it to simplify Security policy rules.

I deleted all pre-defined Security Policy rules except for Default Deny and started creating them from scratch to allow only the ports I need.
The result is all LANs have internet and All LANs have the access needed to DMZ servers.
The problem is that a server in LAN 245 cannot ping server in LAN 246. Both servers' firewalls are disabled.
I added a temporary rule to allow any from All_internal_LANs to All_internal_LANs and any from All_internal_LANs to ZyWall, but it doesn't work. I enabled log for this rule and when I ping from one server to other I see ACCESS FORWARD in the log.

When I use tracert, the first hop is the Zyxel firewall and then timeout.

I'm missing something and I can't find out what it is.
Any help would be appreciated!



All Replies

  • Zyxel_James (Zyxel Employee)
    Hello @popekoz,
    Welcome to Zyxel community!

    By default, the LANs can route between each other; as you can see, there is no deny rule from LAN1 to the other LANs.
    Since you re-create the security policies except the default deny rule, I would like to check on your settings on the security policy first. Please provide remote access for us via private message, I will check on your security policies, thank you.

    James
  • Zyxel_James (Zyxel Employee)
    Answer ✓
    popekoz,
    Please refer to my test configuration and result, thanks.

    I have two internal interfaces in the same Zone, which is named internal_interface_zone.

    And here is my security policy configuration in the test environment.
    I didn't delete all the default rules, I just add another three security policies.
    1. internal_interface_zone to any: Allow
    2. internal_interface_zone to ZyWall: Allow
    3. internal_interface_zone to internal_interface_zone: Allow

    Test environment:
    ping from PC1 to PC2
    PC1: 192.168.19.2 under interface1
    PC2: 192.168.20.10 under interface2

    As you can see, I'm able to ping from interface1 to interface2. I think this test result is close to your request, right?
    Actually, rule #3 is not needed because a ping from interface1 to interface2 will match rule #1. The test still succeeds if I deactivate rule #3.


    James
  • popekoz
    Rule number 1 was just temporary for the testing. It shouldn't be active in production. Rule number 3 is the acceptable rule because it allows only internal communications between LANs. Can you disable rule #1 and confirm it's working with #2 and #3 only? Thanks!
  • Zyxel_James (Zyxel Employee)
    Answer ✓
    popekoz,
    Disable #1, enable #2,#3, same result.


    James
  • popekoz
    I made a test environment and I can confirm that only rule #3 is enough, even with the default security policy rules deleted, for ping between the two LANs to pass. So if someone wants to allow outgoing connections to the internet only for specific ports, but inter-LAN communication should work, an Allow rule from "Internal" to "Internal" should be created.
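The rule sets discussed in this thread, replayed against a small first-match, zone-based policy model. This is an added example, not Zyxel's code or the poster's configuration: it assumes each interface belongs to exactly one zone, that the firewall's own address on each LAN is the first host (.1) and counts as the "ZyWALL" zone, that anything outside the configured subnets is WAN, that rules are evaluated top-down with the first match deciding, and that an implicit default-deny closes the list. The DMZ subnet and the "production" rule set (web ports only to the internet, everything between LANs) are constructed for the example.

```python
"""Simplified zone-based, first-match security policy model (added example; not Zyxel's
implementation). Assumptions: one zone per interface, gateway is the first host of each
subnet and belongs to zone "ZyWALL", unknown addresses are WAN, implicit default-deny."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Interface:
    name: str
    network: str
    zone: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                         # "allow" or "deny"
    services: frozenset = frozenset()   # empty = any service; else e.g. {"tcp/443", "icmp"}
    active: bool = True


# Topology from the thread; the DMZ subnet is an assumption (the thread does not give it).
INTERFACES = (
    Interface("P3", "172.16.0.0/24", "DMZ"),
    Interface("P4", "192.168.245.0/24", "All_Internal_LANs"),
    Interface("P5", "192.168.246.0/24", "All_Internal_LANs"),
)
ZYWALL, WAN, LAN = "ZyWALL", "WAN", "All_Internal_LANs"


def zone_of(ip: str) -> str:
    """Map an address to a zone: gateway -> ZyWALL, configured subnet -> its zone, else WAN."""
    addr = ip_address(ip)
    for itf in INTERFACES:
        net = ip_network(itf.network)
        if addr == net[1]:          # assumed gateway address on that LAN
            return ZYWALL
        if addr in net:
            return itf.zone
    return WAN


def evaluate(rules, src_ip: str, dst_ip: str, service: str):
    """Return (action, rule_name) for the first active rule matching the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if not r.active:
            continue
        if r.src_zone not in (ANY, src) or r.dst_zone not in (ANY, dst):
            continue
        if r.services and service not in r.services:
            continue
        return r.action, r.name
    return "deny", "default-deny"       # implicit final rule


def deactivate(rules, name: str):
    """Copy of the rule list with one rule switched off (like 'inactivate' in the thread)."""
    return [replace(r, active=False) if r.name == name else r for r in rules]


# The three rules Zyxel_James added in his test.
JAMES_RULES = [
    Rule("#1 internal->any", LAN, ANY, "allow"),
    Rule("#2 internal->ZyWALL", LAN, ZYWALL, "allow"),
    Rule("#3 internal->internal", LAN, LAN, "allow"),
]

# Constructed "production" set: firewall services, all inter-LAN traffic, web only to WAN.
PROD_RULES = [
    Rule("internal->ZyWALL", LAN, ZYWALL, "allow", frozenset({"udp/53", "icmp"})),
    Rule("internal->internal", LAN, LAN, "allow"),
    Rule("internal->WAN web", LAN, WAN, "allow", frozenset({"tcp/80", "tcp/443"})),
]

if __name__ == "__main__":
    ping = ("192.168.245.10", "192.168.246.10", "icmp")
    print(evaluate(JAMES_RULES, *ping))                                   # hits #1
    print(evaluate(deactivate(JAMES_RULES, "#1 internal->any"), *ping))   # falls through to #3
    print(evaluate(PROD_RULES, *ping))                                    # internal->internal
    print(evaluate(PROD_RULES, "192.168.245.10", "203.0.113.5", "tcp/443"))
    print(evaluate(PROD_RULES, "192.168.245.10", "203.0.113.5", "tcp/22"))  # default-deny
```

A model like this only answers whether the policy permits a flow. In the thread, the ACCESS FORWARD log entry already showed the firewall was not blocking the ping, which is why the fault turned out to be downstream on the switch rather than in the rules.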
  • popekoz
    Answer ✓
    It turns out that subnet-based VLAN configured on the infrastructure switch is the problem. When I changed the VLANs to static, all works as expected.