zywall 110 VLAN routing to internet but not to main LAN

zonkerpro Posts: 10
First Comment Third Anniversary
edited April 2021 in Security
just trying to get an outline for setting up a tagged VLAN that routes to the internet but not to the default LAN. Mucked with VLANs before and always seem to miss something. Basically I want to tag Credit Card machines with a VLAN and keep them separate from the office but able to route out to the WLAN

any advice would be appreciated, thanks

All Replies

  • PeterUK
    PeterUK Posts: 3,581  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    So have you got a switch set up with VLAN tags for the Credit Card machines?

    You can use LAN1 as a base port to the switch port with the tagged VLAN and Credit Card machines that are connected to the switch untagged which tags out the port to zywall 110 lan1.

    What you want to do first is make a new zone in object > zone then go to VLAN in network > interface > VLAN select:
    interface type = internal
    interface name =
    zone = the zone you made
    VLAN ID =
    set up the IP and DHCP so that it's not going to conflict with anything

    In network > interface > routing add:
    incoming = Interface
    member = the zone name
    next hop
    type = interface
    interface = WAN1

    Then make a firewall rule from zone name to WAN
  • Mostly makes sense; thanks. But...

    "You can use LAN1 as a base port to the switch port with the tagged VLAN and Credit Card machines that are connected to the switch untagged which tags out the port to zywall 110 lan1."

    Not sure I get this. I am not going to be able to run dedicated lines to the CCs so I was hoping to have the existing network devices be the default VLAN and tag traffic manually from the CC machine with VLAN 100 or something like that. Not really sure what you were describing above.

  • PeterUK
    PeterUK Posts: 3,581  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    If you don't have a switch with VLAN support to the CCs you can't do it.

    I take it the CCs are connected by wire to an unmanaged switch?
  • No; there is a managed switch there... ugh. I hate being daft...
    OK. So I can tag the traffic at the switch; I don't have to at the CC device.

    With that in mind I still don't get this --> "You can use LAN1 as a base port to the switch port with the tagged VLAN and Credit Card machines that are connected to the switch untagged which tags out the port to zywall 110 lan1."
  • PeterUK
    PeterUK Posts: 3,581  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited February 2021

    So your managed switch has no VLANs set yet? If all ports are set to VLAN ID 1 untagged, you need to set Forbidden for VLAN ID 1 on the ports to the CCs. You then need to make a new VLAN ID, say 500; set the port that goes to the zywall 110 as tagged with PVID 1 (no need to set the PVID, as VLAN 500 is set to tag); set the PVID of the ports for the CCs to 500 and untagged, because the CCs are likely untagged, which will tag out the port to the zywall 110.

    Then all you need to do is make a VLAN on the zywall 110, a routing rule and a firewall rule, with your managed switch to LAN1 on the zywall 110 now being VLAN 500 for your CCs.
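An added example, not from the thread and not Zyxel's own code: a small Python model of the layout PeterUK describes in the two posts above (the ZyWALL zone, VLAN interface, routing rule and firewall rule from the first reply, and the switch port settings from the last one). The port names, the zone names `LAN1`/`CC`/`WAN`, the interface names `lan1`/`vlan500`/`wan1` and the "everything not explicitly allowed is denied" behaviour of the firewall are assumptions made for the model. It lets you check, before touching the real switch, that a frame from a CC port can only leave on the uplink tagged as VLAN 500, that the office VLAN never reaches a CC port, and that the ZyWALL policy allows the CC zone out to WAN but not into the office LAN.

```python
# Added example (not from the thread): model of the switch VLAN membership and
# the ZyWALL zone policy, so the isolation of the CC ports can be checked.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """One managed-switch port and its 802.1Q membership settings."""
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)    # VLANs this port sends out with a tag
    forbidden: set = field(default_factory=set) # VLANs this port must never carry

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


# Constructed port layout following the thread: VLAN 1 is the office LAN,
# VLAN 500 is the CC network, "uplink" is the port going to ZyWALL 110 lan1.
SWITCH = {
    "uplink": Port(pvid=1, untagged={1}, tagged={500}),
    "office": Port(pvid=1, untagged={1}),
    "cc1":    Port(pvid=500, untagged={500}, forbidden={1}),
    "cc2":    Port(pvid=500, untagged={500}, forbidden={1}),
}


def switch_forward(ports: dict, src: str, vid: Optional[int]) -> dict:
    """Forward one frame entering at port `src` (vid=None means untagged on the wire).
    Returns {egress_port: vid_on_wire}; a value of None means it leaves untagged."""
    ingress = ports[src]
    vid = ingress.pvid if vid is None else vid          # PVID classifies untagged frames
    if vid in ingress.forbidden or not ingress.member_of(vid):
        return {}                                       # ingress filtering drops the frame
    out = {}
    for name, p in ports.items():
        if name == src or vid in p.forbidden:
            continue
        if vid in p.untagged:
            out[name] = None
        elif vid in p.tagged:
            out[name] = vid
    return out


# ZyWALL side (assumed names): interface -> zone; VLAN 500 gets its own zone.
ZONE_OF = {"lan1": "LAN1", "vlan500": "CC", "wan1": "WAN"}
# Routing rule from the thread: incoming = CC zone, next hop = interface wan1.
POLICY_ROUTE = {"CC": "wan1"}
# The one firewall rule the thread adds. Anything not matched is treated as
# denied here (assumption), which is why the rule is needed for a new zone.
FIREWALL = [("CC", "WAN", "allow")]


def zywall_permits(src_zone: str, dst_zone: str) -> bool:
    for frm, to, action in FIREWALL:
        if frm == src_zone and to == dst_zone:
            return action == "allow"
    return False  # implicit final deny (assumed)


def cc_path_to_internet() -> dict:
    """Trace an untagged frame from cc1: where the switch sends it, which zone the
    ZyWALL puts it in, the egress interface, and whether office/LAN1 is reachable."""
    hops = switch_forward(SWITCH, "cc1", None)
    zone = ZONE_OF["vlan%d" % hops["uplink"]]  # tag on the uplink selects the zone
    return {
        "reaches_office_port": "office" in hops,
        "zone": zone,
        "egress": POLICY_ROUTE[zone],
        "to_wan": zywall_permits(zone, "WAN"),
        "to_lan": zywall_permits(zone, "LAN1"),
    }


if __name__ == "__main__":
    print(switch_forward(SWITCH, "cc1", None))   # uplink gets it tagged 500, office does not
    print(switch_forward(SWITCH, "office", None))  # office traffic never reaches a CC port
    print(cc_path_to_internet())
```

The Forbidden setting on the CC ports matters in both directions: it keeps office (VLAN 1) frames from being flooded to the card machines, and it drops any frame a CC device might send already tagged with VLAN 1, so the only way off those ports is VLAN 500 towards the ZyWALL, where the zone policy decides what it may reach.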