Segregate Traffic on LAN1 and LAN2

Options
budmaniac
budmaniac Posts: 6
First Anniversary First Comment

I have a USG Flex 200 with the latest firmware. I have two networks, one for home and one for work. Home network is connected to LAN1. Work network is connected to LAN2. Lately, I have been able to see devices from my home network when looking at my work network router. Although I cannot ping anything between the two sides, I am noticing that some devices connected directly to my work network are getting DHCP assigned addresses from my home network. My security polices for both LAN1 and LAN2 are for LAN to WAN only access. What do I need to do so as to completely segregate these networks?

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,101  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @budmaniac

    Regarding your description, once you set LAN1 to WAN and LAN1 to WAN2 security policies, the traffic from LAN1 to LAN2 or LAN2 to LAN1 shall be dropped by the last default security policy. If the client is on LAN2 but still can get the DHCP IP from LAN1, please check if the network cabling is correct in your environment. Thanks.

All Replies

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 5
    Options

    It sounds like you have one unmanaged switch and you connected LAN1 and LAN2 to it?

  • budmaniac
    budmaniac Posts: 6
    First Anniversary First Comment
    Options

    I will have to check to see if that is happening. I should not have anything from my work network connected to the switch on my home network. There is definitely not anything from my home network connected to my work switch. My connections are supposed to be as follows.

    Internet → WAN1

    LAN1 → Managed switch, but no restrictions on the ports.

    Home Network → Connected to managed switch

    LAN2 → router (Meraki MX-64) from work network. Single run

    Work network - Connected to fully managed switch (Meraki MS220-24P)

    Multiple WAPs for each network, but no duplicate SSIDs. No possibility that any are misconnected to the incorrect network.

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    So your saying unplug LAN2 on FLEX that work network are getting DHCP assigned addresses from my home network LAN1?

  • budmaniac
    budmaniac Posts: 6
    First Anniversary First Comment
    Options

    No. Both LAN1 and LAN2 are plugged into the FLEX, but with different subnets, etc. They should be logically segregated. However, devices on LAN2 are getting IP addresses from LAN1.

    I have since added two rules. It is too soon to determine if they solved my issue. But I still have Internet access on both LANs.

    Source - LAN1, Destination - LAN2, Action - Deny

    Source - LAN2, Destination - LAN1, Action - Deny

    Thanks for your input so far.

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    yes but if you did unplug LAN2 on the flex you should not get a IP from LAN1

  • budmaniac
    budmaniac Posts: 6
    First Anniversary First Comment
    Options

    I would assume that is a true statement. I can try that after hours. But that would only prove what I already know. Hence the additional rules to prevent cross talk between the rules. I just don't know why this started and if there is a better way to prevent.

  • PeterUK
    PeterUK Posts: 2,863  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 5
    Options

    Is port role setup to the port for zone/LAN?

  • budmaniac
    budmaniac Posts: 6
    First Anniversary First Comment
    Options

    Now we are getting somewhere. I am not familiar with the settings you have mentioned.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,101  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @budmaniac

    Regarding your description, once you set LAN1 to WAN and LAN1 to WAN2 security policies, the traffic from LAN1 to LAN2 or LAN2 to LAN1 shall be dropped by the last default security policy. If the client is on LAN2 but still can get the DHCP IP from LAN1, please check if the network cabling is correct in your environment. Thanks.

Security Highlight