Segregate Traffic on LAN1 and LAN2

budmaniac Posts: 6

I have a USG Flex 200 with the latest firmware. I have two networks, one for home and one for work. Home network is connected to LAN1. Work network is connected to LAN2. Lately, I have been able to see devices from my home network when looking at my work network router. Although I cannot ping anything between the two sides, I am noticing that some devices connected directly to my work network are getting DHCP assigned addresses from my home network. My security policies for both LAN1 and LAN2 are for LAN to WAN only access. What do I need to do so as to completely segregate these networks?

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,079  Zyxel Employee

    Hi @budmaniac

    Regarding your description, once you set LAN1 to WAN and LAN1 to WAN2 security policies, the traffic from LAN1 to LAN2 or LAN2 to LAN1 shall be dropped by the last default security policy. If the client is on LAN2 but still can get the DHCP IP from LAN1, please check if the network cabling is correct in your environment. Thanks.
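
A check for the symptom this thread describes, as an added example that is not part of the original posts: zone-to-zone security policies only see traffic routed through the firewall, so a LAN2 client that leases a LAN1 address points to a layer-2 path such as cabling. The sketch parses DHCP OFFER/ACK payloads seen on a segment and flags any lease or server identifier outside that segment's subnet; the subnets, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
# Assumed subnets for illustration; the thread does not state the real ones.
EXPECTED = {"LAN1": ipaddress.ip_network("192.168.1.0/24"),
            "LAN2": ipaddress.ip_network("192.168.2.0/24")}

def parse_reply(payload: bytes) -> dict:
    """Extract yiaddr, message type (option 53) and server id (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[payload[i]] = value
        i += 2 + length
    server = opts.get(54)
    return {"yiaddr": ipaddress.ip_address(payload[16:20]),
            "type": (opts.get(53) or b"\x00")[0],
            "server": ipaddress.ip_address(server) if server and len(server) == 4 else None}

def check_reply(segment: str, payload: bytes):
    """Return a finding if an OFFER/ACK seen on `segment` comes from another subnet."""
    r, net = parse_reply(payload), EXPECTED[segment]
    if r["type"] not in (2, 5):                     # 2 = OFFER, 5 = ACK
        return None
    bad = [f"{k}={r[k]}" for k in ("yiaddr", "server")
           if r[k] is not None and r[k] not in net]
    return f"{segment}: lease from foreign subnet ({', '.join(bad)})" if bad else None

def make_reply(yiaddr: str, server: str, msg_type: int = 2) -> bytes:
    """Build a constructed DHCP reply (sample data, not a capture)."""
    srv = ipaddress.ip_address(server).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      ipaddress.ip_address(yiaddr).packed, srv, bytes(4),
                      bytes.fromhex("020000000001"), b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 54, 4]) + srv + b"\xff"

if __name__ == "__main__":
    for seg, pkt in [("LAN2", make_reply("192.168.2.50", "192.168.2.1")),
                     ("LAN2", make_reply("192.168.1.77", "192.168.1.1", 5))]:
        print(check_reply(seg, pkt) or f"{seg}: reply matches expected subnet")
```

The payloads to feed in are the UDP payloads of port 67/68 packets captured on the segment being checked.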

All Replies

  • PeterUK
    PeterUK Posts: 2,770  Guru Member
    edited March 5

    It sounds like you have one unmanaged switch and you connected LAN1 and LAN2 to it?

  • budmaniac
    budmaniac Posts: 6

    I will have to check to see if that is happening. I should not have anything from my work network connected to the switch on my home network. There is definitely not anything from my home network connected to my work switch. My connections are supposed to be as follows.

    Internet → WAN1

    LAN1 → Managed switch, but no restrictions on the ports.

    Home Network → Connected to managed switch

    LAN2 → router (Meraki MX-64) from work network. Single run

    Work network - Connected to fully managed switch (Meraki MS220-24P)

    Multiple WAPs for each network, but no duplicate SSIDs. No possibility that any are misconnected to the incorrect network.

  • PeterUK
    PeterUK Posts: 2,770  Guru Member

    So you're saying unplug LAN2 on FLEX that work network are getting DHCP assigned addresses from my home network LAN1?

  • budmaniac
    budmaniac Posts: 6

    No. Both LAN1 and LAN2 are plugged into the FLEX, but with different subnets, etc. They should be logically segregated. However, devices on LAN2 are getting IP addresses from LAN1.

    I have since added two rules. It is too soon to determine if they solved my issue. But I still have Internet access on both LANs.

    Source - LAN1, Destination - LAN2, Action - Deny

    Source - LAN2, Destination - LAN1, Action - Deny

    Thanks for your input so far.

  • PeterUK
    PeterUK Posts: 2,770  Guru Member

    Yes, but if you did unplug LAN2 on the Flex you should not get an IP from LAN1.

  • budmaniac
    budmaniac Posts: 6

    I would assume that is a true statement. I can try that after hours. But that would only prove what I already know. Hence the additional rules to prevent cross talk between the rules. I just don't know why this started and if there is a better way to prevent.

  • PeterUK
    PeterUK Posts: 2,770  Guru Member
    edited March 5

    Is port role set up to the port for zone/LAN?

  • budmaniac
    budmaniac Posts: 6

    Now we are getting somewhere. I am not familiar with the settings you have mentioned.
