USG LITE 60AX vlan firewalling

best_heygman
best_heygman Posts: 6  Freshman Member

Hello, just a quick question: Does the USG LITE 60AX support firewall rules between vlans that are on the lan side of the device other than the toggle for "Guest Network"?

I know that the SCR 50AX can't do that, because I have a SCR 50AX and I have tried and there was also a question about this on the forum. But I couldn't find this information in regards to the USG LITE 60AX.

Best Answers

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,035  Zyxel Employee
    Answer ✓

    Hi @best_heygman,

    USG Lite 60AX supports entering customized IP addresses/CIDRs to allow/deny traffic.

    For example, my LAN is 192.168.100.0/24 and my VLAN 10 is 192.168.10.0/24. Here's my policy to block these two subnets from communicating:

    In addition, you need to set two denial rules for this purpose.

    Zyxel Melen
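The answer above calls for two denial rules, one per direction. As an added example (not from the thread and not Zyxel's code), this sketch audits an ordered rule list for subnet pairs that are blocked in only one direction. It assumes a first-match, direction-specific rule model with inter-VLAN traffic allowed by default; the `Rule` type and function names are hypothetical, and the sample rules are constructed from the subnets in the answer.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "deny" or "allow"
    src: str     # source CIDR
    dst: str     # destination CIDR

def effective_action(rules, src, dst, default="allow"):
    """Conservative verdict for all traffic src -> dst under first-match order.

    Returns "deny" only if a deny rule covering the whole direction is
    reached before any allow rule that overlaps it.
    """
    for r in rules:
        r_src = ipaddress.ip_network(r.src)
        r_dst = ipaddress.ip_network(r.dst)
        if not (src.overlaps(r_src) and dst.overlaps(r_dst)):
            continue  # rule does not touch this direction at all
        if r.action == "allow":
            return "allow"  # at least part of the direction is permitted
        if src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return "deny"   # whole direction is covered by this deny
        # partial deny: keep scanning, the rest may still be open
    return default          # assumption: inter-VLAN routing allowed by default

def isolation_gaps(rules, net_a, net_b):
    """List the (src, dst) directions between two subnets that are not blocked."""
    a = ipaddress.ip_network(net_a)
    b = ipaddress.ip_network(net_b)
    return [(str(s), str(d)) for s, d in ((a, b), (b, a))
            if effective_action(rules, s, d) != "deny"]

if __name__ == "__main__":
    LAN, VLAN10 = "192.168.100.0/24", "192.168.10.0/24"
    one_rule = [Rule("deny", LAN, VLAN10)]                  # constructed sample
    two_rules = one_rule + [Rule("deny", VLAN10, LAN)]      # constructed sample
    print("one rule :", isolation_gaps(one_rule, LAN, VLAN10))
    print("two rules:", isolation_gaps(two_rules, LAN, VLAN10))
```

An empty result only says the rule list covers both directions; whether the device enforces the rules still has to be checked with real traffic between the VLANs.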


  • best_heygman
    best_heygman Posts: 6  Freshman Member
    Answer ✓

    And the rules also work and block the traffic? I can create rules between vlans also on the SCR 50AXE, they just don't do anything. Same as with this user here: https://community.zyxel.com/en/discussion/24318/scr-50axe-firewall-rules-for-vlan-segmentation-not-working/p1

All Replies

  • PeterUK
    PeterUK Posts: 3,676  Guru Member

    It might be best to look at FLEX H models

  • best_heygman
    best_heygman Posts: 6  Freshman Member

    Yeah, I thought about the Flex 50H. The thing is that the firewall is for home use and Web Content Filtering is important. With the lite 60ax I would be at 200€ for the device and 50€/year for the content filter license. That's ok for home use.

    With the flex 50h I would be at 450€ for the device plus 200€ for an access point plus a couple of hundred Euros for the gold pack license per year, because web filtering is not available on the entry defense pack.

    You know, I can't explain that I have to spend that much money just to properly firewall my old laptop that acts as a server. If web filtering was in the entry defense license, then maybe. But the gold license is kinda much.

  • best_heygman
    best_heygman Posts: 6  Freshman Member
    edited March 22

    I think if the LITE 60AX doesn't allow for firewall rules between the vlans, I'd build something like:

    Internet - SCR50AX - DMZ - LITE60AX - Home

    Rather than buying a Flex H + access point + gold license.
