Flex 700 Guest Vlan Isolation

jayd691
jayd691 Posts: 18  Freshman Member

I have 8 vlans on my GS1920-24HPv2 switch (1,10,20,30,40,50,60,70), with 70 as my guest vlan that are connected to the USG Flex 700 as subnets.

I want to isolate vlan 70 (guest) from all other vlans and only allow it to access the WAN.

What is the easiest way to set up security policies to block all traffic to the other vlans and only allow vlan 70 to access the internet through the wan?

Thank you.

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 616  Zyxel Employee
    Answer ✓

    Here is my suggestion:

    1. Only VLAN70 can access WAN => Disable LAN_Outgoing, put VLAN70 in a new zone, then create a new rule for the new zone for outgoing traffic.

    2. Block other networks and zones from accessing VLAN 70 => By default there is no rule blocking traffic between internal interfaces, so you still need to create a new rule to block traffic from the other interfaces to VLAN70.
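    As an added check that is not part of the thread or of Zyxel's software: a small first-match model of the zone policy described in the two steps above, which also shows the rule-order point mMontana raises in the replies. Interface names (vlan1..vlan70, wan1), the zone names GUEST and WAN, every rule name except LAN_Outgoing, and the implicit default deny for unmatched flows are assumptions of this model.

```python
from dataclasses import dataclass

# Assumed interface -> zone mapping: VLAN 70 alone in GUEST, the rest in LAN.
ZONES = {f"vlan{v}": "LAN" for v in (1, 10, 20, 30, 40, 50, 60)}
ZONES.update({"vlan70": "GUEST", "wan1": "WAN"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str
    action: str   # "allow" or "deny"
    enabled: bool = True

    def matches(self, src, dst):
        return (self.enabled and self.src in ("any", src)
                and self.dst in ("any", dst))


def decide(policy, src_if, dst_if):
    """First enabled matching rule wins; no match is treated as implicit deny (assumption)."""
    src, dst = ZONES[src_if], ZONES[dst_if]
    for rule in policy:
        if rule.matches(src, dst):
            return rule.action, rule.name
    return "deny", "implicit-default"


def guest_is_isolated(policy, guest_if="vlan70", wan_if="wan1"):
    """True only if the guest VLAN reaches the WAN and nothing else, in both directions."""
    if decide(policy, guest_if, wan_if)[0] != "allow":
        return False
    others = [i for i in ZONES if i not in (guest_if, wan_if)]
    return all(decide(policy, guest_if, o)[0] == "deny"
               and decide(policy, o, guest_if)[0] == "deny" for o in others)


# Steps 1 and 2 of the accepted answer: LAN_Outgoing disabled, a dedicated
# outgoing rule for the GUEST zone, and an explicit block towards GUEST.
ACCEPTED = [
    Rule("LAN_Outgoing", "LAN", "any", "allow", enabled=False),
    Rule("GUEST_Outgoing", "GUEST", "WAN", "allow"),
    Rule("Block_to_GUEST", "any", "GUEST", "deny"),
]

# Same rules with LAN_Outgoing kept enabled ("LAN -> any"): placed above the
# block it matches LAN -> GUEST first, so the order of those two decides isolation.
LAN_ONLINE = [Rule("LAN_Outgoing", "LAN", "any", "allow"), ACCEPTED[1], ACCEPTED[2]]
REORDERED = [LAN_ONLINE[2], LAN_ONLINE[0], LAN_ONLINE[1]]
```

    With REORDERED the other VLANs keep their WAN access while the guest VLAN stays isolated; with LAN_ONLINE the block rule never gets a chance to match LAN-to-guest traffic.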

All Replies

  • mMontana
    mMontana Posts: 1,302  Guru Member
    edited August 2023

    I assume that USG Flex 700 is aware of vLAN 70.

    Which option did you pick among these?

    In which zone has the vLAN been placed?

    After knowing this information, I think you need to configure three security policies in this order:
    1st: allow destinations and services from vLAN 70
    2nd: allow return traffic from these destinations and services to vLAN 70
    3rd: block all other destinations from vLAN 70 that you don't want to be accessed
    4th, optional: block other networks and zones from accessing vLAN 70; this is not mandatory.

    The higher the priority of these rules, the lower the chance that some other rule incorrectly allows (or blocks) a connection.

    And test. If you're willing to start immediately with a working setup, consider creating a test vLAN to create policies and run tests; once everything is correct, translate the policies to vLAN 70.

  • jayd691
    jayd691 Posts: 18  Freshman Member

    I have all vlans but 70 in LAN zone, and vlan70 is in Guest Zone (created).

  • mMontana
    mMontana Posts: 1,302  Guru Member

    So don't forget to have two sets of rules:

    one for the LAN zone (and I think you want it denied, so only the 3rd kind of rule)
    one for the ZyWALL.

