SCR 50AXE - Firewall rules for vlan segmentation not working
Hi,
I'm trying to segment my VLANs on a SCR 50AXE.
I can configure the firewall rules as per the Zyxel documentation, configuration gets pushed to the device (at least the GUI says it), but traffic is not filtered.
Also I cannot see any security gateway logs for the device in the dashboard. 🤔
Vlan information gets pushed successfully as my clients get IP addresses in their respective vlans and communication works.
Would be happy if anyone could assist me with this issue 😀
Accepted Solution
Dear @sandro1
After a thorough review of your configuration and the device specifications, I would like to clarify that the SCR 50AXE's Security Policy does not support traffic control between different VLANs. While the device supports VLAN interfaces, the firewall functionality is not designed to filter traffic between these VLANs.
To achieve network segmentation, we recommend using the Guest feature on the interface settings. This will allow clients within the same Guest networks to communicate with each other while blocking connections to different subnets and the main LAN.
We apologize for any confusion this may have caused.
If you have any further questions or need additional clarification, please don't hesitate to ask.
Nami
All Replies
Hi @sandro1
We'd like to clarify a few points to better assist you:
Regarding the VLAN segment, we're assuming you have already configured the VLANs on your switch and are now looking to limit traffic for these VLAN clients through the SCR 50AXE, such as prohibiting VLAN 10 to VLAN 20 on SCR 50AXE. Is this understanding correct?
You may enable Zyxel Support Access which will allow us to examine your setup in detail and provide more accurate assistance.
Also I cannot see any security gateway logs for the device in the dashboard.
⇒ Kindly note that if there are no incidents relating to threat management, the event log won't show any entries.
Nami
Hi,
yes, your understanding is correct.
Ok, I'll enable the support option right now.
Regarding the logs, ok, but shouldn't I see any firewall logs if traffic hits my rules?
Hi @sandro1
Thank you for enabling the Zyxel support access and for your follow-up question. Let me address both your security policy and the logging concerns:
- Security Policy: Your first rule (Allow) targets a specific IP (192.168.254.254), while all other rules (Deny) target a broader range (192.168.0.0/16). Since the rule order is processed top-down, the "Allow" rule from "Any" source to 192.168.254.254 would bypass other restrictions.
- Firewall Logs: The SCR 50AXE is designed primarily for threat management, and its event log reflects this focus. Consequently, the event log shows only threat management logs, not detailed firewall logs.
Nami
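To make the rule-order point above concrete, here is an added example (not from the original thread or from Zyxel) that evaluates a constructed rule set top-down and also flags deny rules that an earlier allow rule partially shadows. The VLAN subnets 192.168.10.0/24 and 192.168.20.0/24 and the default action are assumptions; the thread only gives 192.168.254.254 and 192.168.0.0/16.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed rule set mirroring the thread: rule 0 allows any source to
# 192.168.254.254, the remaining rules deny traffic inside 192.168.0.0/16.
# The per-VLAN subnets are assumptions, not values from the thread.
RULES = [
    Rule("allow", net("0.0.0.0/0"),       net("192.168.254.254/32")),
    Rule("deny",  net("192.168.10.0/24"), net("192.168.0.0/16")),   # VLAN 10 -> internal
    Rule("deny",  net("192.168.20.0/24"), net("192.168.0.0/16")),   # VLAN 20 -> internal
]


def evaluate(rules, src: str, dst: str, default: str = "allow"):
    """First-match, top-down evaluation. Returns (action, matching rule index
    or None when the assumed default policy applied)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s in r.src and d in r.dst:
            return r.action, i
    return default, None


def shadowed_denies(rules):
    """Pairs (allow_idx, deny_idx) where an earlier allow overlaps a later deny
    in both source and destination, i.e. part of the deny can never match."""
    pairs = []
    for j, deny in enumerate(rules):
        if deny.action != "deny":
            continue
        for i, allow in enumerate(rules[:j]):
            if (allow.action == "allow"
                    and allow.src.overlaps(deny.src)
                    and allow.dst.overlaps(deny.dst)):
                pairs.append((i, j))
    return pairs
```

Under these rules a VLAN 10 client reaching a VLAN 20 web server matches rule 1 and is denied, so if that connection still succeeds the policy as written is not what the device enforces.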
Hi,
thank you for your answer, the first rule is fine. The issue is that I'm able to access a web server from VLAN 10 that's hosted on a device in VLAN 20.
As per the configured rules this should not be possible. Also, if I put a deny in the first rule, traffic is still allowed. (Even after rebooting the security gateway)
I guess the logging functionality of the Security Gateway should tell me if traffic hits a deny rule?
I don't have an SCR 50AXE, but would the VLANs be on their own zone, or are they on the same zone?
Hi Peter,
that's a good question. For the SCR 50AXE I haven't seen any possibility to define a zone; I can just configure 5 different VLANs. Also, I tried to access the VLANs via different physical LAN interfaces of the Security Gateway, but it seems that each interface gets treated as a trunk that allows all VLANs with native VLAN 1. So my test client ended up in the management VLAN. (Currently I just have one switch connected via a trunk to the security gateway.) I haven't seen any possibility to configure the single LAN interfaces of the Security Gateway. Maybe I'm missing something?
Thanks for your support!
Maybe the point of the SCR 50AXE is that it's simple and the LANs are all trusted, with routing between them?
From what I read in its datasheet, firewalling should be possible. I guess it would not make sense to support 5 VLANs without having the possibility to filter between them 🤔 (Sure, the broadcast domain can be kept smaller, but for such a deployment I can't imagine that someone puts in so many devices that this makes any difference.)
Maybe I will try to reset the box and verify again.
Maybe Guest should be renamed to like Isolation?