USG Flex 50W: LAN1, LAN2, DMZ and GUEST zones when interface is bridged

USG Flex 50W has four internal ethernet ports, which have default zones LAN1, LAN2, DMZ and GUEST.
It is possible to bridge those four interfaces (Network→Interface→Bridge) and associate the bridge interface (br1, internal) to it's own zone, let's call it ZONE_BRIDGE.
Now all the four ethernet ports are in same subnet defined by br1 interface and traffic between the ports is bridged, not routed.

The reason I would like to keep the devices in same subnet is to avoid routing between the zones, but still be able to segment the network traffic by firewall rules that are based on physical ports (or vlans), not ip-addresses.

In this bridged setup it appears that e.g. LAN1 zone security policies apply to traffic coming from lan1 port, which makes sense. But in this setup there's also ZONE_BRIDGE, which doesn't correspond to other types of setups, in which only one zone per interface is possible.
This leaves me slightly unsure, is this by design and should I build my lan in bridged mode, relying on this zone behavior or not?

All Replies

  • PeterUK
    PeterUK Posts: 2,393
    100 Answers 1000 Comments Friend Collector Sixth Anniversary
     Guru Member
    edited November 15

    Never done a four port bridge so have you done a routing rule br1 to next hop WAN? However auto SNAT might have done this for you.

    Also have you tested LAN1 PC can't get to LAN2 PC? And if you did want too you you still be routing between the zones have checked it does need LAN1 to LAN2 rule

    Really this is where VLAN's per subnet make sense but then you want one subnet.

    You don't have to worry about ZONE_BRIDGE its just like what a LAN1 un-bridged would be like so its the LAN gateway then you SNAT to a WAN but instead of ZONE_BRIDGE to WAN you still go from LAN1 to WAN. You can even set the bridge to no zone and your setup should still work

    The bridge can't be used in many ways it can be used passive or active

  • br1 to WAN is not a problem. It gets created automatically if bridge mode is set to internal.

    I've never done wan to lan bridge, but I believe the same question applies to that: there's a bridge with two or more physical interfaces and you set the zones accordingly. In this case, wan interface is just not included.

Security Highlight