USG 20 multiple VLANs, same subnet

I'd prefer my internal network to be in the same subnet (for broadcast messages), but with internal traffic enforced by VLANs instead of hosts.

The following illustration is a simplified setup of the scenario:
VLAN1 allows NAS 1 and NAS 2 to communicate with each other directly.
VLAN2 does the same for PC and NAS 1.
VLAN3 would connect NAS 1 and PC to the USG 20 for DHCP and DNS services, and routed access to Internet.
VLAN4 would only provide DHCP and DNS, but block all other traffic, and my question concerns this.

When it comes to USG 20 security policies, I haven't found a way to handle multiple VLANs sharing the same subnet. It would be possible to configure NAS 2 to VLAN3 too, but then enforcing the security policies would have to be done based on hosts or networks, and it would feel safer to let the USG 20 classify the traffic based on the incoming VLAN (or physical port). Is this possible with the USG 20 somehow, and would there be any security concerns regarding this overall setup?
Notice in the drawing: all devices are within the same subnet 10.0.0.0/255.255.0.0.



All Replies

  • mMontana
    mMontana Posts: 1,342  Guru Member
    Why multiple VLANs for the same subnet? It's like connecting multiple ports to switches without trunking them. Leads to loopbacks.
  • PeterUK
    PeterUK Posts: 2,878  Guru Member
    edited January 2023

    Do the NAS and PC have more than one NIC, like three for NAS 1?

    Do you need broadcast across all devices?

    There is a way I do something with an L2 switch using redirect on ARP and VLAN general with Proxy ARP on the USG where I can firewall between devices on the USG, but performance will not be good on a USG 20; plus, due to the lack of a firewall source port option, you have to allow all UDP for MS file share.

    Port-based VLAN on a switch is one way you could do your setup, but broadcast traffic will be isolated.


  • WJS
    WJS Posts: 145  Ally Member
    "VLAN4 would only provide DHCP and DNS, but block all other traffic, and my question concerns this."
    For example, if you block vlan3 traffic to vlan4, vlan3 will consider vlan4 to be in the same subnet because of the same mask. It is layer 2 level.
    So, the traffic won't go through the firewall at all.

  • zyxelUser2021
    The basic idea is to have control over which devices can see each other directly on layer 2, without adding load to the firewall. Using the same subnet is to avoid routing that takes place on layer 3. In theory NAS1-NAS2 or PC-NAS1 traffic could be a non-IP protocol on layer 2 only.

    Currently I have the NASes on the same subnet and the PC on another. NAS-NAS communication is fast (because they can communicate with each other directly) but PC-NAS communication is rather slow (due to USG 20 routing and firewall). Because the second NAS is for data vaulting, it and its traffic must remain isolated from any communication to the PC or internet (but it must get its IP from the gateway and allow certain maintenance connections, whose speed is not an issue).

    All devices have only one ethernet port.

    What would be the right way to implement this?

  • zyxelUser2021
    And of course there's an 802.1Q enabled switch (such as Zyxel GS1200-8), not just the USG 20, in the LAN. The VLANs in the drawing are just logical links.
  • zyxelUser2021
    Here's a more detailed drawing of the setup with also the L2 switch shown.

  • PeterUK
    PeterUK Posts: 2,878  Guru Member

    I believe it's just not possible with what you have.

    Maybe a switch with ACL rules could work.


  • mMontana
    mMontana Posts: 1,342  Guru Member
    If you want your devices to take a specific path, you must involve routing, and subnets must be different.
    You can avoid the involvement of the firewall for vLAN2 and vLAN1, and the PC must have a network card for vLAN2 and a network card for vLAN3.
    With this kind of arrangement, only the switch will be involved with traffic on vLAN2 and vLAN1.
    In my humble opinion, considering the number of network devices and hardware involved, this design is 101 of "overkill". Due to the limited switching capacity of the GS1200-8, having only 1 LAN will be far more efficient; otherwise, I'd use two switches (1 for vLANs 3 and 4, 1 for vLANs 2 and 1), but again switching capacity is needed. So far better to have a GS1920-24v2 as main switch (56 Gbps of switching capacity, compared to 16 of the GS1200-8) or a GS1900-16 (32 Gbps) for the 4 vLAN setup, without any slowness due to switch overhead in transferring data. But again... for two NASes and 1 PC it still seems overkill to me.
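As an added illustration of the point made in this reply and in WJS's reply above (example code, not from the thread or from Zyxel): a small Python model of the host's on-link decision and the switch's VLAN forwarding. The addresses and VLAN memberships are constructed from the drawing; it shows which flows never reach the USG (so no USG policy can apply to them) and which are routed through it once subnets differ.

```python
import ipaddress

# Constructed topology based on the thread's drawing (assumed addresses,
# not from the page): every device in 10.0.0.0/16, USG 20 at 10.0.0.1.
# name -> (ip, prefix length, VLANs carried on that device's switch port)
FLAT = {
    "NAS1": ("10.0.0.10", 16, {1, 2, 3}),
    "NAS2": ("10.0.0.20", 16, {1, 4}),
    "PC":   ("10.0.0.30", 16, {2, 3}),
    "USG":  ("10.0.0.1",  16, {3, 4}),
}
# Same VLAN layout, but NAS2 moved to its own subnet so its traffic must be
# routed. (The USG would also need an interface in that subnet; only L2
# reachability to the USG is modelled here.)
ROUTED = {**FLAT, "NAS2": ("10.2.0.20", 24, {1, 4})}


def on_link(src_ip, prefix, dst_ip):
    """Host-side decision: is dst inside my own subnet? If so the host ARPs
    for it directly and never sends the frame to the default gateway."""
    net = ipaddress.ip_interface(f"{src_ip}/{prefix}").network
    return ipaddress.ip_address(dst_ip) in net


def shares_vlan(hosts, a, b):
    """Switch-side decision: an 802.1Q switch forwards a frame only between
    ports that have a VLAN in common; otherwise there is no L2 path."""
    return bool(hosts[a][2] & hosts[b][2])


def deliver(hosts, src, dst):
    """Where a packet from src to dst ends up:
    'direct'   - switched only; the USG (and its security policy) never sees it
    'firewall' - sent to the gateway MAC, so the USG routes it and policy applies
    'dropped'  - same subnet but no shared VLAN: ARP never resolves, nothing
                 is forwarded and nothing is logged at the USG either"""
    src_ip, prefix, _ = hosts[src]
    dst_ip = hosts[dst][0]
    if on_link(src_ip, prefix, dst_ip):
        return "direct" if shares_vlan(hosts, src, dst) else "dropped"
    return "firewall" if shares_vlan(hosts, src, "USG") else "dropped"


if __name__ == "__main__":
    for name, hosts in (("flat /16", FLAT), ("NAS2 on own subnet", ROUTED)):
        print(name)
        for src, dst in (("NAS1", "NAS2"), ("PC", "NAS1"), ("PC", "NAS2"), ("NAS2", "USG")):
            print(f"  {src} -> {dst}: {deliver(hosts, src, dst)}")
```

The 'dropped' outcome is why a USG policy between VLAN3 and VLAN4 is never evaluated in the flat design; isolation then rests entirely on the switch's VLAN configuration.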
  • PeterUK
    PeterUK Posts: 2,878  Guru Member

    Or with a managed switch you can have an untagged LAN with an ACL for source and destination MACs, where devices are allowed to go to which device.

