Flex 700 Guest Vlan Isolation

jayd691
jayd691 Posts: 20  Freshman Member

I have 8 vlans on my GS1920-24HPv2 switch (1,10,20,30,40,50,60,70), with 70 as my guest vlan that are connected to the USG Flex 700 as subnets.

I want to isolate vlan 70 (guest) from all other vlans and only allow it to access the WAN.

What is the easiest way to set up security policies to block all traffic to the other vlans and only allow vlan 70 to access the internet through the wan?

Thank you.

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Answer ✓

    Here is my suggestion:

    1. Only VLAN 70 can access WAN => Disable LAN_Outgoing, put VLAN 70 in a new zone, then create a new rule for the new zone for outgoing traffic.

    2. Block other networks and zones from accessing VLAN 70 => By default, there is no rule that blocks traffic between internal interfaces, so you still need to create a new rule to block traffic from the other interfaces to VLAN 70.

All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member
    edited August 2023

    I assume that USG Flex 700 is aware of vLAN 70.

    Which is the option you pick among these?

    In which zone the vLAN has been placed?

    After knowing this information, I think you need to configure three security policies in this order:
    1st: allow destinations and services from vLAN 70
    2nd: allow return traffic from these destinations and services to vLAN 70
    3rd: block all other destinations from vLAN 70 that you don't want to be accessed
    4th, optional: block other networks and zones from accessing vLAN 70; this is not mandatory.

    The higher the priority of these rules, the lower the chance that one of the other rules leads to a connection being incorrectly allowed (or not).

    And test. If you want to start immediately with a working setup, consider creating a test vLAN on which to build the policies and run tests; once everything is correct, translate the policies to vLAN 70.

  • jayd691
    jayd691 Posts: 20  Freshman Member

    I have all vlans but 70 in LAN zone, and vlan70 is in Guest Zone (created).

  • mMontana
    mMontana Posts: 1,389  Guru Member

    So don't forget to have two sets of rules:

    one for the LAN zone (and I think you want it denied, so only the 3rd kind of rule)
    one for the ZyWALL zone.
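
The rule set the two replies describe (denies in front, an allow from the guest zone to WAN, and a separate, narrower set toward the ZyWALL zone), as an added Python simulator that is not part of this thread and not Zyxel's own code or CLI. It assumes zone names LAN, Guest, WAN and ZyWALL, a factory LAN_Outgoing rule of "from LAN to any, allow", and a default rule of deny; the interface-to-zone map and the sample flows are constructed for illustration, and return traffic of established sessions is not modelled.

```python
"""Zone-based security-policy simulator for the VLAN 70 guest-isolation
layout in this thread (added example, not Zyxel's own code or CLI).
Zone names, the assumed factory 'LAN_Outgoing' rule and the sample
flows are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Interface -> zone, as the poster described: VLANs 1-60 in LAN, VLAN 70 in
# a separate Guest zone; wan1 and the firewall itself ("ZyWALL") are assumed.
ZONE_OF = {**{f"vlan{v}": "LAN" for v in (1, 10, 20, 30, 40, 50, 60)},
           "vlan70": "Guest", "wan1": "WAN", "self": "ZyWALL"}


@dataclass
class Rule:
    name: str
    src: str                              # source zone or "any"
    dst: str                              # destination zone or "any"
    action: str                           # "allow" or "deny"
    services: Optional[frozenset] = None  # None = any service
    enabled: bool = True

    def matches(self, src_zone: str, dst_zone: str, service: str) -> bool:
        if not self.enabled:
            return False
        if self.src not in ("any", src_zone) or self.dst not in ("any", dst_zone):
            return False
        return self.services is None or service in self.services


def evaluate(rules, src_if: str, dst_if: str, service: str, default="deny"):
    """First matching rule wins, top to bottom; the firewall's default
    rule (assumed deny) applies when nothing matches. Returns (action, rule)."""
    src_zone, dst_zone = ZONE_OF[src_if], ZONE_OF[dst_if]
    for rule in rules:
        if rule.matches(src_zone, dst_zone, service):
            return rule.action, rule.name
    return default, "default"


def guest_isolation_policy(lan_outgoing_enabled: bool = True) -> list:
    """The rule order suggested in the thread, expressed as zone rules.
    Denies come first so no broader allow below them can override them."""
    return [
        Rule("Deny_Guest_to_LAN", "Guest", "LAN", "deny"),
        Rule("Deny_LAN_to_Guest", "LAN", "Guest", "deny"),
        # Guest may reach the firewall itself only for DHCP/DNS, not its GUI or SSH.
        Rule("Guest_to_ZyWALL", "Guest", "ZyWALL", "allow", frozenset({"dhcp", "dns"})),
        Rule("Guest_to_WAN", "Guest", "WAN", "allow"),
        # Assumed factory rule: LAN to any, allow. Because 'any' includes the
        # Guest zone, the explicit Deny_LAN_to_Guest above is what stops LAN->Guest.
        Rule("LAN_Outgoing", "LAN", "any", "allow", enabled=lan_outgoing_enabled),
    ]


def verdicts(rules) -> dict:
    """Constructed sample flows -> action, for checking a rule set."""
    flows = {
        "guest->internet https": ("vlan70", "wan1", "https"),
        "guest->lan smb":        ("vlan70", "vlan10", "smb"),
        "guest->firewall dns":   ("vlan70", "self", "dns"),
        "guest->firewall https": ("vlan70", "self", "https"),  # admin GUI from guest
        "lan->guest ssh":        ("vlan10", "vlan70", "ssh"),
        "lan->internet https":   ("vlan10", "wan1", "https"),
    }
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, action in verdicts(guest_isolation_policy()).items():
        print(f"{name:24} {action}")
```

Two things the simulator makes visible: with the assumed "to any" LAN_Outgoing rule in place, removing Deny_LAN_to_Guest lets every LAN VLAN reach the guest VLAN, which is why an explicit block toward VLAN 70 is needed even though the default rule is deny; and disabling LAN_Outgoing outright, as in step 1 of the accepted answer, also removes the LAN zone's internet access in this model unless a narrower LAN-to-WAN allow is added in its place.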
