Security Policy Help - Policies are not applying to traffic

ZyxelNewb
ZyxelNewb Posts: 10  Freshman Member
First Comment
edited April 2021 in Security
Hi all - I'm going to start off that my background is in Palo Alto, and I'm not familiar with the in's & outs of the Zyxel series. I'm running a USG20-VPN, and have a very simple setup. I'm running three VLAN's (10,20, and 30) on my LAN1 zone. I'm trying to setup my VLAN's so that none of the VLAN's can talk to each other, and only VLAN 10 has admin access to the router administration console. Pretty straight forward, right?  I've got all three VLAN's working properly, I can get DHCP from each subnet. I started off by trying to block VLAN 10 & 20 from each other. I setup a policy route (or so I think) to send all traffic from each VLAN out the default WAN GW as the next hop (see attached screenshots).  Then I setup a firewall policy to block any source to any destination, from VLAN 10 to VLAN 20 as the IPv4 source & destination, and then from VLAN 20 to VLAN 10 as the source and destination respectively. 






First question - is how does the zyxel process the rules? The documentation  on page 553 (ftp://ftp2.zyxel.com/USG20-VPN/user_guide/USG20-VPN_V4.32_Ed1.pdf) states that the rules are applied sequentially. I assume that once it hits the first match, it then stops processing so any additional matches do not apply?  Because I've tried putting both these rules at the top, and bottom of the policies, and it didn't make any difference for me. 

With both these rules in place, if I ping the VLAN 20 GW from a VLAN 10 client, I get replies back, and if I ping the VLAN 10 GW from a VLAN 20 client, I get replies also. I've tried changing the source and destination IPv4 from the VLAN 10 and VLAN 20 interfaces, to just another subnet object I created for those interfaces (i.e. 192.168.10.0/24 and 192.168.20.0/24 instead of the built in VLAN10 - 192.168.10.0/24 and VLAN20 - 192.168.20.0/24) and that didn't make any difference either. Both VLAN's can still talk to each other. Can you help let me know what I'm doing wrong? I'm sure I'm missing something easy and fundamental because I just don't understand the nuances of how a Zyxel works. 

I've been trying to follow this article:
http://www.crabtree-consulting.com/vlan-for-guest-wifi-on-zyxel-usg-router-with-engenius-access-points/
and looked through chapter 27 in the documentation here: 
ftp://ftp2.zyxel.com/USG20-VPN/user_guide/USG20-VPN_V4.32_Ed1.pdf

But I'm still stumped. Thanks all!

All Replies

  • ZyxelNewb
    ZyxelNewb Posts: 10  Freshman Member
    First Comment
    In addition, looking at the traffic logs filtering on my VLAN 10 client as the source, it doesn't look like any of the traffic is being passed through the firewall. Is this because VLAN 10 & VLAN 20 are both in the LAN1 zone? Do the VLAN's need to be in different zones before the firewall will inspect the traffic? 

     
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @ZyxelNewb

    Does the traffic forward by your switch?

    You can capture the packets on VLAN10 and VLAN20 interface together to make sure the traffic has forwarded by USG or not.

    (1) Go to Maintenance > Diagnostics > Packet Capture > Add interfaces as capturing member

    (2) Click capture button.

    (3) Send traffic from VLAN10 to VLAN20

    (4) Click Stop button.

    (5) You can find the packets in files tab. And you can check the packets has routed by USG or not.


  • ZyxelNewb
    ZyxelNewb Posts: 10  Freshman Member
    First Comment
    Thank you for the reply - yes, I've confirmed that the traffic is indeed being routed by the Zyxel, but the security policies are still not applying. What should my next step(s) be? Thank you!


  • ZyxelNewb
    ZyxelNewb Posts: 10  Freshman Member
    First Comment
    I stand corrected. Everything seems to be working "ok" for the most part. I was pinging the GW on the other VLAN's as a test, but I ping anything past the GW, it blocks the traffic. Can you tell me why that is? Shouldn't even the GW be blocked based on the security policies I put in place above? And why isn't the traffic showing up in the packet capture above?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,379  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @ZyxelNewb

    The destination IP of USG interface IP is belonging "ZyWALL" zone.

    So If you need to manage the traffic accessing to the  USG, the rule of destination zone should be “ZyWALL”.

    (1) Create a customized zone in object.

    Configuration > Object > Zone > User Configuration > Add VLAN10

    (2)   Change VLAN10 zone as VLAN10 zone which you added.

    Configuration > Network > Interface > VLAN > Edit VLAN10

    (3)   Add Security Policy to block VLAN to ZyWALL.

    From: VLAN10, To: ZyWALL, Action: Deny.


    This rule will drop the traffic from VLAN10 to ZyWALL.

    Then destination IP address to ZyWALL will drop successfully.

Security Highlight