Zywall USG 110 blocking Port

monneyla
monneyla Posts: 10
First Comment
edited April 2021 in Security

hi,

I connected a NAS (IP address 192.168.0.20) on the PORT7 of my Zywall USG 110 ans I would like to block access from anywhere between 2PM and 10PM. I have as rule in my firewall:

FROM: any

TO: LAN1

IPv4 SOURCE: any

IPv4 DESTINATION: 192.168.0.20

SERVICE: any

USER: any

SCHEDULE: from 2PM to 10PM

ACTION: deny

LOG: log

but it does not work. I can access 192.168.0.20 anytime, especially during the blocked frame time (2PM-10PM).

thanks for your help.

All Replies

  • PeterUK
    PeterUK Posts: 2,706  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Port 7 on the Zywall 110 is set for DMZ by default so you need to change your rule for TO: DMZ

  • monneyla
    monneyla Posts: 10
    First Comment

    hi,

    thanks for your quick answer. but I changed the P7 from DMZ to LAN1 (subnet 192.168.0.xx). so it should work that way right ? or the P7 HAS TO BE in DMZ zone to make the firewall wok properly?

    regards.

  • PeterUK
    PeterUK Posts: 2,706  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    hmm yes if you changed the port to LAN1 it should work

    What firmware are you on?

    If you have FROM any and TO any does that work?

    Are you trying the block from LAN1 or from the internet? as from LAN1 might not be possible because ports P4 and P7 ack as a switch before the ZyWALL but if you put it in its own LAN2 subnet you can firewall it.

  • monneyla
    monneyla Posts: 10
    First Comment

    hi,

    1. firmware version: 4.35(AAPH.3)
    2. FROM any and TO any does that work? -> no, nothing is blocked
    3. Are you trying the block from LAN1 or from the internet? -> tried both: nothing is blocked
    4. if you put it in its own LAN2 subnet you can firewall it: OK ,but I won't have any access to my NAS (LAN2: 192.168.1.xx) from my PC (LAN1: 192.168.0.xx). And I need to have this access for the backup. The connection must be blocked within a shedule frame only.
    5. It is anyway incredible that with 2 devices directly connected to the USG110 ports, on the same LAN, you cannot apply a firewall rule, especially since it it possible to create a LANx to LANx rule in the firewall without any warning indicating you that this rule is not functionning..

    anyways, thank for your help.

  • monneyla
    monneyla Posts: 10
    First Comment

    ...I even tried to put this firewall rule at the first position in the firewall:

    FROM: LAN1

    TO: LAN1

    ipv4 SOURCE: ANY

    IPv4 DESTINATION: ANY

    SERVICE: ANY

    USER: ANY

    SCHEDULE: NONE

    ACTION: DENY

    -> nothing is blocked in the LAN1. I can access every devices in the LAN1 from my PC also in LAN1.... :-(

    I am desapointed...

  • PeterUK
    PeterUK Posts: 2,706  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2020

    no doubt you have a switch to the ZyWALL or ports P4 to P7 to LAN1 so traffic on the switch can connect to each other unless you do VLAN's on the Zywall with a VLAN switch.

    If you have LAN1 as 192.168.0.0/24 and a port with LAN2 192.168.1.0./24 you can firewall from subnets.

  • monneyla
    monneyla Posts: 10
    First Comment

    ok. thanks a lot for your professional answer !?️

    regards.

  • monneyla
    monneyla Posts: 10
    First Comment

    ...well a last question: how do I do to make my PC on LAN1 as 192.168.0.0/24 can access the NAS on another subnet with LAN2 192.168.1.0./24 ? They cannot see each other ?

  • PeterUK
    PeterUK Posts: 2,706  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2020

    Just another way you can do the block is to get a managed switch.

    As to your question its done by the gateway when you have a NAS on 192.168.1.50 and a PC with 192.168.0.20 you just connect to the NAS by 192.168.1.50 which sends it to the LAN1 192.168.0.1 gateway which then sends it out LAN2 to the NAS at 192.168.1.50 the NAS with gateway 192.168.1.1 sends it to the LAN2 192.168.1.1 gateway and then sends it out LAN1 back to the PC on 192.168.0.20.

    You just make a rule for FROM LAN1 TO LAN2 allow all with another rule above that being your block for the time.

  • monneyla
    monneyla Posts: 10
    First Comment

    ok. thanks a lot Peter. Take care.

Security Highlight