Nebula 20.00 - How could I block multiple VLAN combinations via firewall?
Hello everyone,
inside an ORG I have 4 VLANs at the moment. It is essential that all of them DO NOT connect to VLAN1 and to ZyWALL.
For this reason I went here:
So I told the firewall to block these segments:
As you can see, I am still missing the deny rules for VLAN20 to VLAN50, VLAN20 to VLAN30, VLAN20 to VLAN60 and so on for the rest.
The problem is that I'm going to have also VLAN80 and VLAN90 for other services.
How can I isolate all the selected VLANs without remembering all the possible combinations? This could be time saving.
For example to have a list of VLANs:
- VLAN20
- VLAN30
- VLAN40
- VLAN50
- VLAN80
- VLAN90
that could go ONLY on the web without reaching anything else (including ZyWALL) inside the network.
Please let me know if I am missing something somewhere 😎
All Replies
Hi @GiuseppeR,
To streamline your firewall rules and avoid multiple combinations, you can utilize Address Object Groups.
Instead of creating individual rules for each VLAN pair, you can:
- Define each VLAN subnet as an Address Object.
- Group all these objects into a single Address Object Group (e.g., Internal_VLAN_Group).
- Create a single firewall rule: Set both the Source and Destination to that same group, and set the action to Deny.
This "Group-to-Group" rule will block inter-VLAN traffic among all members within that group using just one entry. Additionally, if you need to define specific exceptions or granular targets, you can create individual Address Objects for those destinations and prioritize them accordingly.
This gives you both the efficiency of grouping and the flexibility to manage specific traffic.
Zyxel Tina
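The following is an added example, not part of the thread and not Zyxel code: a small offline model for checking what a single group-to-group deny rule covers for the six VLANs listed in the question. The subnets, the first-match evaluation order and the default-allow action are assumptions made for the model, and traffic addressed to the firewall itself is not modelled.

```python
import ipaddress
from itertools import permutations

# Constructed subnets: the thread does not give the real addressing.
VLANS = {f"VLAN{n}": ipaddress.ip_network(f"192.168.{n}.0/24")
         for n in (20, 30, 40, 50, 80, 90)}
VLAN1 = ipaddress.ip_network("192.168.1.0/24")  # constructed
GROUP = list(VLANS.values())  # stands in for Internal_VLAN_Group

def in_group(ip, group):
    return any(ip in net for net in group)

def evaluate(rules, src, dst, default="allow"):
    """First match wins; the default action is an assumption of this model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if in_group(s, rule["src"]) and in_group(d, rule["dst"]):
            return rule["action"]
    return default

def still_allowed(rules, sources, destinations):
    """List (src_net, dst_net) pairs a sample host can still traverse."""
    leaks = []
    for s_net in sources:
        for d_net in destinations:
            if s_net == d_net:
                continue  # same-subnet traffic never reaches the firewall
            if evaluate(rules, s_net[10], d_net[10]) == "allow":
                leaks.append((str(s_net), str(d_net)))
    return leaks

def pairwise_rule_count(group):
    """Rules needed if every ordered VLAN pair gets its own deny entry."""
    return len(list(permutations(group, 2)))

group_rule = [{"src": GROUP, "dst": GROUP, "action": "deny"}]
with_vlan1 = [{"src": GROUP, "dst": GROUP + [VLAN1], "action": "deny"}]

if __name__ == "__main__":
    print("pairwise rules replaced:", pairwise_rule_count(GROUP))
    print("inter-VLAN leaks:", still_allowed(group_rule, GROUP, GROUP))
    print("leaks to VLAN1, group rule only:",
          len(still_allowed(group_rule, GROUP, [VLAN1])))
    print("leaks to VLAN1, VLAN1 added as destination:",
          still_allowed(with_vlan1, GROUP, [VLAN1]))
    print("web:", evaluate(with_vlan1, "192.168.20.10", "203.0.113.5"))
```

In this model the group rule alone leaves every listed VLAN able to reach VLAN1, so a destination that is not a member of the group needs its own Address Object in the rule's destination.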