[USG Flex H] - Cannot use Policy Control between devices in the same Zone

Options
13

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,356 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    https://community.zyxel.com/en/discussion/comment/82588#Comment_82588

    I will check it and keep you posted.

    Zyxel Melen


  • Maverick87
    Maverick87 Posts: 85 image  Ally Member
    First Comment Friend Collector
    https://community.zyxel.com/en/discussion/comment/82589#Comment_82589

    Hi @Zyxel_Melen ,

    Yes, this is the MAIN Wifi, on this AP is connected all the PCs/Phone and also the printer.

    Over this I've created a VLAN Interface and a Bridge over this VLAN:

    image.png

    On this I've created this Policy rule:

    image.png

    But seems not work, the hint is 0 and from a Wifi PC I can ping and browse the printer (as mentioned before the PC and the printer are in the same AP).

    Also I use an external 2.5Gbit switch, in which

    • Port 1 is the Firewall uplink
    • Port 2 is the AP uplink

    The configuration of the switch is that the VLAN 10 is Tagged on port 2 and port 1. The switch uses only VLAN as bridged mode (switching level); in this case the switch ack as "paper pusher", take a tagged packet on port 2 are redirect on port 1.

    image.png

    So in this case, when the switch receive the VLAN 10 on port 2, send the tag on port 1.

    Thank you

  • Maverick87
    Maverick87 Posts: 85 image  Ally Member
    First Comment Friend Collector

    I've tried to "eliminate" the external switch, attaching the AP directly into the P2 port of firewall.

    Never in this case the Policy rule works, 0 hits and my PC continue to "see" the printer.

  • PeterUK
    PeterUK Posts: 4,335 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary

    You need proxy ARP support on the FLEX H to do what you want.

  • Maverick87
    Maverick87 Posts: 85 image  Ally Member
    First Comment Friend Collector
    edited January 6
    https://community.zyxel.com/en/discussion/comment/82594#Comment_82594

    OK and how I can enable the proxy ARP support on the FLEX H?

    With this?
    vrf main interface ethernet test network-stack ipv4 arp-proxy true

    The difference, in my case is interface bridge WLANBridge.

    Is this corrent? Can I delete the bridge and leave only the VLAN?

    Thank you

  • PeterUK
    PeterUK Posts: 4,335 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited January 6

    As said option does not seem to work yet on FLEX H you also don't need to use a Bridge.

    On non H models you can set interface to general to get the proxy ARP

  • Maverick87
    Maverick87 Posts: 85 image  Ally Member
    First Comment Friend Collector

    Hi @Zyxel_Melen ,

    can you release a private firmware with a working Proxy ARP function?

    My FW is the 200HP.

    Thank you

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,356 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Maverick87

    Please hold on. I think this issue is less related with the firewall since the PC and the printer are connected to the same AP and same SSID. In this case, AP will directly forward the traffic to each other because it can find these clients on its client/station list. It don't need to pass to the firewall since they are in the same IP subnet. The communication doesn't need routing, just only forwarding.

    https://community.zyxel.com/en/discussion/comment/82582#Comment_82582

    However, you mentioned that the Intra-BSS traffic blocking function is not working; this is strange, AP should block the communication. Could you help to take a screenshot for the station info or collect a diagnostic file? So I can check the config and the station info.

    Zyxel Melen


  • Maverick87
    Maverick87 Posts: 85 image  Ally Member
    First Comment Friend Collector
    edited January 7

    Hi @Zyxel_Melen ,

    sure. Tell me what you need specifically and what I should do.

    Anyway, if I use fing on my phone, that is also connected to the same WLAN of the printer, fing found only:
    - 10.1 (Firewall)
    - 10.X (local ip of the Phone)
    - 10.250 (the printer)

    In the WLAN is also present another Phone and the MacBook.

    If I use the fing app on my Macbook, I found only:
    - 10.1 (firewall)
    - 10.x (local IP of the MacBook)
    - 10.250 (the printer)

    So seems the intra-BSS block works, but only for some devices.
    If from the Macbook I try to ping the phone, the ping don't success.
    If I disable the intra-BSS blocking, the ping from the MacBook to the phone, success, and also the fing app is able to see the new device.

    So there is somethings with the printer (the only one that "ignore" the intra-BSS block).

    Anyway this, not help with the primarily problem, how block "same VLAN" packets?

    Thank you

  • PeterUK
    PeterUK Posts: 4,335 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited January 7

    The reason you might be finding the printer with Intra-BSS traffic blocking could be that this is done by network discovery packets are not ARP or unicast such that there are likely UDP (multicast/broadcast) which Intra-BSS traffic blocking my not block but when you ping that is unicast plus ARP at the AP level does not send to other connected clients on the same SSID with Intra-BSS traffic blocking.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)