Configure vlan in atp 200

Hoygen83
Hoygen83 Posts: 21  Freshman Member
First Comment Second Anniversary
edited April 2021 in Security

Hello,

I have a Zyxell atp 200 firewall with 4 lan ports. and several unifi switches 16 and 24 ports.

right now I am connecting an unifi switch 16 ports to the firewall.

I would like to have:

firewall lan port 1 for vlan 1 and 20 connected to unifi switch port 1

firewall lan port 2 for vlan 10 connected to unifi switch port 2

firewall lan port 3 for vlan 30 connected to unifi switch port 3

firewall lan port 4 for vlan 40 connected to unifi switch port 4

The firewall should be giving the ip via dhcp for the vlans

In the firewall I configured:

lan 1 port to give an ip address via dhcp yyy.yyy.yyy.yyy

lan 2 port to give an ip address via dhcp aaa.aaa.aaa.aaa

lan 3 port to give an ip address via dhcp bbb.bbb.bbb.bbb

lan 4 port to give an ip address via dhcp ccc.ccc.ccc.ccc

vlan1 to give another range of addresses xxx.xxx.xxx.xxx

vlan 20 to give another range of addresses zzz.zzz.zzz.zzz

then selected for vlan 1 and vlan 20 to be on the lan 1 port of the firewal.

when i connect the swith to the firewall it gets the ip in the yyy.yyy.yyy.yyy range.

Is it the correct behaviour?

how can I check if the vlans are applied?

Kindest Regards.

Accepted Solution

All Replies

  • Hoygen83
    Hoygen83 Posts: 21  Freshman Member
    First Comment Second Anniversary

    Thank you sir.

  • Hoygen83
    Hoygen83 Posts: 21  Freshman Member
    First Comment Second Anniversary


  • Username_is_reserved
    Username_is_reserved Posts: 107  Ally Member
    First Comment Friend Collector Fourth Anniversary
    I read that quick. I need several different Vlan Configs like:
    a) a Guest Network with limited Access from the Contend Filter, Bandwith limit,...
    b) my own Vlan who I have my stuff in it.
    c) a Vlan for Device Manangment with no Internet
    d) a Vlan for Phones who is conect to my virtual PBX and to the Internet.
    Is there a easy way for that? Currently my USG300 run with one Lan only because not all switch are Vlan ready.
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments

    Hi @ Username_is_reserved


    Here is example settings of VLAN

    a)   a Guest Network with limited Access from the Contend Filter, Bandwidth limit,...

    Go to Configuration > Network > Interface > VLAN to setup the settings


    Go to Configuration > Anti-X > Content Filter > General to enable content filter


    Go to Configuration > Anti-X > Content Filter > Filter Profile to create a profile for content filter

    and go to Configuration > Anti-X > Content Filter > General > Policies to add a rule for guest


    For the bandwidth limit, it can add a rule on BWM settings

    Go to Configuration > BWM to setup the settings


    b , c ,d,   Go to Configuration > Firewall > Firewall to setup the rule,

    below is the example setting to add a rule for these VLAN

    b) my own Vlan who I have my stuff in it.

    It can add a firewall rule for it


    c) a Vlan for Device Management with no Internet

    Add a rule to deny the access to the Internet


    d) a Vlan for Phones who is connect to my virtual PBX and to the Internet.

    Add a firewall rule for your phones rule



    After setup VLAN settings on USG300, it also need to setup vlan setting on switch.




  • itxnc
    itxnc Posts: 98  Ally Member
    First Comment Friend Collector Sixth Anniversary
    Interesting method to route the VLAN traffic (using the source filter). Curious if you all see pros/cons to doing that vs making each VLAN it's own Zone. For example, here is a fairly involved setup we have for a client needing extensive VLANs themselves and then VLANs for tenants in small offices they rent out:


    You can see security camera access in. They have a bench LAN that's a sort of hotzone and for a time needed to print to a LAN based printer (inactive now). Then  you see the LAN to any is gone and restricted to WAN. Then each VLAN is the same, with their own filtering profiles as needed. We just disable the VLAN and Security Policy (redundant probably) for spaces not rented out. We also use a restricted service group for the VLAN access to the Zyxel:


    And for the VLANs they are tied to their own Zone:


    This provides pretty solid isolation between the VLANs and makes management more logical since the Zone identifiers provide an easy to recognize label throughout the gateway configuration.

    Do you all see downsides to this method vs the source/destination filtering? The LAN to any always felt 'wrong' in a VLAN scenario where the VLANs needed to be islands (vs just filtered routes).
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 50 Answers 1000 Comments
    HI @ itxnc

    Thanks for your sharing and yes there are different methods to achieve certain purpose.

    One is per vlan per zone, this kind of settings help administrator to easily control the rules on the device.So that all the rules can be shown on the firewall rule page, however, if there’re multiple vlans in setting, per vlan per zone may lead to multiple firewall rules that need to be managed.

    Or users can just put multiple vlans in a zone, this can help administrator to have fewer the managed firewall rules.


Security Highlight