SCR 50AXE - Firewall rules for vlan segmentation not working

sandro1
sandro1 Posts: 7  Freshman Member

Hi,

I'm trying to segment my VLANs on a SCR 50AXE.

I can configure the firewall rules as per the Zyxel documentation, configuration gets pushed to the device (at least the GUI says it), but traffic is not filtered.

Also I cannot see any security gateway logs for the device in the dashboard. 🤔

VLAN information gets pushed successfully, as my clients get IP addresses in their respective VLANs and communication works.

Would be happy if anyone could assist me with this issue 😀

Accepted Solution

  • Zyxel_Nami
    Zyxel_Nami Posts: 656  Zyxel Employee
    edited July 31 Answer ✓

    Dear @sandro1

    After a thorough review of your configuration and the device specifications, I would like to clarify that the SCR 50AXE's Security Policy does not support traffic control between different VLANs. While the device supports VLAN interfaces, the firewall functionality is not designed to filter traffic between these VLANs.

    To achieve network segmentation, we recommend using the Guest feature on the interface settings. This will allow clients within the same Guest networks to communicate with each other while blocking connections to different subnets and the main LAN.

    We apologize for any confusion this may have caused.

    If you have any further questions or need additional clarification, please don't hesitate to ask.

    Engage in the Community, become an MVP, and win exclusive prizes! https://bit.ly/Community_MVP

    Nami


All Replies

  • Zyxel_Nami
    Zyxel_Nami Posts: 656  Zyxel Employee
    edited July 22

    Hi @sandro1

    We'd like to clarify a few points to better assist you:

    Regarding the VLAN segment, we're assuming you have already configured the VLANs on your switch and are now looking to limit traffic for these VLAN clients through the SCR 50AXE, such as prohibiting VLAN 10 to VLAN 20 on SCR 50AXE. Is this understanding correct?

    You may enable Zyxel Support Access which will allow us to examine your setup in detail and provide more accurate assistance.

    Also I cannot see any security gateway logs for the device in the dashboard.

    ⇒ Kindly note that if there are no incidents relating to threat management, the event log won't show any entries.

    Engage in the Community, become an MVP, and win exclusive prizes! https://bit.ly/Community_MVP

    Nami

  • sandro1
    sandro1 Posts: 7  Freshman Member
    edited July 22

    Hi,

    Yes, your understanding is correct.

    OK, I'll enable the support option right now.

    Regarding the logs, OK, but shouldn't I see any firewall logs if traffic hits my rules?

  • Zyxel_Nami
    Zyxel_Nami Posts: 656  Zyxel Employee

    Hi @sandro1

    Thank you for enabling the Zyxel support access and for your follow-up question. Let me address both your security policy and the logging concerns:

    1. Security Policy: Your first rule (Allow) targets a specific IP (192.168.254.254), while all other rules (Deny) target a broader range (192.168.0.0/16). Since the rule order is processed top-down, the "Allow" rule from "Any" source to 192.168.254.254 would bypass other restrictions.
    2. Firewall Logs: The SCR 50AXE is designed primarily for threat management, and its event log reflects this focus. Consequently, the event log shows only threat management logs, not detailed firewall logs.

    Engage in the Community, become an MVP, and win exclusive prizes! https://bit.ly/Community_MVP

    Nami
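
    Added example (not from the thread, and not Zyxel's own implementation): a small first-match evaluator over the rule set Nami describes, to show what a top-down policy should decide for the traffic discussed. The VLAN subnets 192.168.10.0/24 and 192.168.20.0/24 are assumed; the thread only names 192.168.254.254 and 192.168.0.0/16.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None means "Any"
    dst: Optional[ipaddress.IPv4Network]


def net(spec: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None, otherwise a network (hosts are accepted as /32)."""
    return None if spec.lower() == "any" else ipaddress.ip_network(spec, strict=False)


# Rule set reconstructed from the thread: one Allow to the gateway address,
# followed by Deny rules covering the whole 192.168.0.0/16 range.
# The per-VLAN source subnets below are constructed assumptions.
RULES = [
    Rule("allow-to-gateway", "allow", net("any"), net("192.168.254.254")),
    Rule("deny-vlan10-to-lan", "deny", net("192.168.10.0/24"), net("192.168.0.0/16")),
    Rule("deny-vlan20-to-lan", "deny", net("192.168.20.0/24"), net("192.168.0.0/16")),
]


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "allow") -> Tuple[str, str]:
    """Top-down, first-match evaluation; returns (action, matching rule name).

    The implicit default is an assumption: a device with no matching rule
    may allow or deny, so the last rule in a real policy should be explicit.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src is None or src in r.src) and (r.dst is None or dst in r.dst):
            return r.action, r.name
    return default, "implicit-default"


if __name__ == "__main__":
    # VLAN 10 client reaching the gateway address: hits the first Allow rule.
    print(evaluate(RULES, "192.168.10.5", "192.168.254.254"))
    # VLAN 10 client reaching a VLAN 20 web server: the Allow rule does not
    # cover this destination, so the /16 Deny is the first match.
    print(evaluate(RULES, "192.168.10.5", "192.168.20.10"))
```

    If the evaluator says "deny" for the VLAN 10 to VLAN 20 case but the device forwards the packet anyway, the policy itself is not the problem; the enforcement point is.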

  • sandro1
    sandro1 Posts: 7  Freshman Member

    Hi,

    Thank you for your answer; the first rule is fine. The issue is that I'm able to access a web server from VLAN 10 that's hosted on a device in VLAN 20.

    As per the configured rules this should not be possible. Also, if I put a deny in the first rule, traffic is still allowed (even after rebooting the security gateway).

    I guess the logging functionality of the Security Gateway should tell me if traffic hits a deny rule?

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    I don't have an SCR 50AXE, but would the VLANs be on their own zone, or are they on the same zone?

  • sandro1
    sandro1 Posts: 7  Freshman Member

    Hi Peter,

    That's a good question. For the SCR 50AXE I haven't seen any possibility to define a zone; I can just configure 5 different VLANs. Also, I tried to access the VLANs via different physical LAN interfaces of the Security Gateway, but it seems that each interface gets treated as a trunk that allows all VLANs, with native VLAN 1. So my test client ended up in the management VLAN. (Currently I just have one switch connected via a trunk to the security gateway.) I haven't seen any possibility to configure the single LAN interfaces of the Security Gateway. Maybe I'm missing something?

    Thanks for your support!

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Maybe the point of the SCR 50AXE is that it's simple, and the LANs are all trusted, with routing between them?

  • sandro1
    sandro1 Posts: 7  Freshman Member
    edited August 2

    From what I read in its datasheet, firewalling should be possible. I guess it would not make sense to support 5 VLANs without having the possibility to filter between them 🤔 (sure, the broadcast domain can be kept smaller, but for such a deployment I can't imagine that someone puts in so many devices that this makes any difference).

    Maybe I will try to reset the box and verify again.

  • PeterUK
    PeterUK Posts: 3,326  Guru Member

    Maybe "Guest" should be renamed to something like "Isolation"?