Inter VLAN Policies Control Help

J_6
J_6 Posts: 1
edited July 3 in Security

Hello, I have to work with a USG-60,
The project is to do a lot of vlan in our company, at least 10, but I need inter-Vlan Routing.
Here is the plan of my problem.
For my Port N°1 i have 5 VLAN from 10 (GW : 192.168.0.254/24) for the management VLAN
11 for the production VLAN. ( GW : 192.168.1.254/24).
12 (GW : 192.168.2.254/24)
[…]
15 (GW : 192.168.5.254/24)
Here is the plan

(VLAN 10 is blue, VLAN 11 is green)
My specific need is to set up a server on VLAN 10 with a firewall rule that can let clients from VLAN11 to acces only via HTTPS and SMB the server. The server IP is 192.168.0.203 and 192.168.1.203 (i’ve choosed to add a 2nd IP so i don’t have to change on every Clients the server IP.

So here what I’ve done to test my VLAN route with my GS1900-8HP Switch:

-Desacivated the policy control by adding the first rule :

-This is how i created the VLAN :

Here is the ethernet config :

Here is the port config :

In addition to all, i’ve tested with or without SNAT, with or without static route from a Gateway or a interface. And finally I’ve tested with or without VLAN on the same Zone. And it still doesn't work :(
I really doesn’t understand where is my problem…
I hope this is understandable because i’m French, thanks you a lot for your help, merci ^_^

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,305  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @J_6 ,

    What is your problem? Please describe more details so we can better help you.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,305  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @J_6,

    I apologize for the delayed reply. Since you have set the allow-all rule for troubleshooting, I would like to know if you configured the DHCP server setting for VLAN 10 and 11.

    If yes, please help to check if the default gateway setting has been set. And clarify with the ping test.

    1. PC ping to firewall VLAN 10 interface IP address.
    2. PC ping to firewall VLAN 11 interface IP address.
    3. PC ping to PC in VLAN 11.

    In addition, the policy control rules with destination RFC1918 might cause your clients could not access the internet or other VLAN/subnet. It is recommended to remove/re-design those rules.

Security Highlight