Flex 700 Guest Vlan Isolation
Freshman Member
I have 8 vlans on my GS1920-24HPv2 switch (1,10,20,30,40,50,60,70), with 70 as my guest vlan that are connected to the USG Flex 700 as subnets.
I want to isolate vlan 70 (guest) from all other vlans and only allow it to access the WAN.
What is the easiest way to set up security policies to block all traffic to the other vlans and only allow vlan 70 to access the internet through the wan?
Thank you.
Accepted Solution
-
Here is my suggestion
1.Only VLAN70 can access WAN => Disable LAN_outgoing, and put VLAN70 to a new zone, then create a new rule for the new Zone for outgoing traffic.
2. Block other networks and zones for access to V10LAN 70 => By default, there is no rule to block between internal interfaces, you still need to create a new rule to block from other interfaces to VLAN70
0
Zyxel Employee
All Replies
-
I assume that USG Flex 700 is aware of vLAN 70.
Which is the option you pick among these?
In which zone the vLAN has been placed?
After knowing these informations, I think you need to configure three security policies in this order
1st: allow destionations and services from vLAN 70
2nd: allow return from these destinations and services to vLAN 70
3rd: block all other destinations from vlan 70 that you don't want to be accessed
4th optional: block other networks and zones for access to vLAN 70; this is not mandatory.Higher the priority of these rules, less chances that some of the other rules might reduce the changes of connection uncorrecly allowed (or not).
And test. If you're willing to start immediately with a working setup, consider to create a test vLAN for create policies and make tests; once everything is correct, translate policies it to vLAN 70.
0 -
I have all vlans but 70 in LAN zone, and vlan70 is in Guest Zone (created).
0 -
So don't forget to have two sets of rules:
one for LAN zone (and i think you want it denied, so only the 3rd kind of rule)
one for the Zywall.0 -
Here is my suggestion
1.Only VLAN70 can access WAN => Disable LAN_outgoing, and put VLAN70 to a new zone, then create a new rule for the new Zone for outgoing traffic.
2. Block other networks and zones for access to V10LAN 70 => By default, there is no rule to block between internal interfaces, you still need to create a new rule to block from other interfaces to VLAN70
0
Guru Member
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 79 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 909 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 898 Nebula FAQ
- 415 Security FAQ
- 234 Switch FAQ
- 205 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight
