New Member
Posts: 26
Registered: 05-19-2016

USG 3P - traffic between VLANs

Hi,

My equipment is a USG 3P -> US 8-150 -> some APs.

I have:

- one guest WiFi, VLAN 10
- one admin WiFi, VLAN 20
- one wired network for users, VLAN 30
- one wired management network, VLAN 40

The ports are tagged on the switch; only the uplink port 1 is a trunk.

But I have noticed that only VLANs with the guest setup are isolated. The "not guest" VLANs have full access to each other.

Is there a mistake I made? Or which firewall rules do I have to create?

Firewall Rules  WAN LOCAL

 

 


All Replies
Member
Posts: 183
Registered: 10-27-2016
Kudos: 38
Solutions: 12

Re: USG 3P - traffic between VLANs

All VLANs except Guest have full access to each other by default. I block default LAN to my "Smart Devices" VLAN with the following rule in "LAN IN":

Action: Reject
Protocol: All
Source:
  Network: LAN
  Type: NETv4
Destination:
  Network: Smart Devices
  Type: NETv4

You can have an allow rule for specific IP and port ranges above that, which will allow some but block all.

You can also block specific ports or port ranges in the same "LAN IN" ruleset. For example, I block iSCSI traffic into and out of the VLAN with my Synology on it.

New Member
Posts: 26
Registered: 05-19-2016

Re: USG 3P - traffic between VLANs

Thank you for the tip.

I'll try it out.

Roland

Member
Posts: 183
Registered: 10-27-2016
Kudos: 38
Solutions: 12

Re: USG 3P - traffic between VLANs

No problem. Just make sure you get the NETv4 setting correct. I've seen other people have issues with blocking traffic, only to discover they had selected ADDRv4.

New Member
Posts: 26
Registered: 05-19-2016

Re: USG 3P - traffic between VLANs

A first little test looks good :)

In a few words: what is the difference between ADDRv4 and NETv4?

Member
Posts: 183
Registered: 10-27-2016
Kudos: 38
Solutions: 12

Re: USG 3P - traffic between VLANs

NETv4 is short for the IPv4 Network Assigned to the interface.  ADDRv4 is the single gateway address.  So the difference is really this:

  • If your LAN is 192.168.1.1/24 (192.168.1.1-254), then ADDRv4 would block everything in the range 192.168.1.1-254.
  • ADDRv4 is the address of the router that is the gateway (eg 192.168.1.1).
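Added example (not code from this thread, from Ubiquiti, or from the USG itself): a small Python model of how a "LAN IN" rule list is matched, covering both the Reject rule in the accepted reply above (with a narrower Allow placed above it, as that reply suggests) and the NETv4/ADDRv4 distinction explained in the last reply. The interface names, subnets, host addresses and the allowed port are constructed sample values; the model only performs rule matching and does not reproduce the USG's connection tracking.

```python
"""Added example, not code from the thread or from Ubiquiti: a small model of how
a USG "LAN IN" rule list is evaluated, used to show the Reject rule from the
accepted answer (with a narrower Allow placed above it, as the reply suggests)
and why selecting ADDRv4 instead of NETv4 leaves inter-VLAN traffic unblocked.
Interface names, subnets and host addresses are constructed sample values."""
import ipaddress

# Constructed sample interfaces, written the way the controller shows them:
# "<gateway address>/<prefix length>".
INTERFACES = {
    "LAN": "192.168.1.1/24",             # default LAN
    "Smart Devices": "192.168.40.1/24",  # the VLAN being protected
}


def netv4(interface):
    """NETv4: the whole IPv4 network assigned to the interface (e.g. 192.168.1.0/24)."""
    return ipaddress.ip_interface(INTERFACES[interface]).network


def addrv4(interface):
    """ADDRv4: only the interface's own gateway address, as a /32."""
    gateway = ipaddress.ip_interface(INTERFACES[interface]).ip
    return ipaddress.ip_network(f"{gateway}/32")


def rule(action, src, dst, proto="all", dport=None):
    """One firewall rule: src/dst are ip_network objects, proto is 'all' or a name."""
    return {"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport}


def matches(r, pkt):
    """Does packet pkt (dict with src, dst, proto, dport) satisfy rule r?"""
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"])


def evaluate(rules, pkt, default="accept"):
    """First matching rule wins; a non-Guest LAN IN list defaults to accept.
    This models rule matching only, not the USG's connection tracking."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default


# The rule from the accepted answer, with a narrower allow above it
# (here: TCP 8443 from LAN into Smart Devices, a constructed example port).
CORRECT_RULES = [
    rule("accept", netv4("LAN"), netv4("Smart Devices"), proto="tcp", dport=8443),
    rule("reject", netv4("LAN"), netv4("Smart Devices")),
]

# The same reject rule with ADDRv4 chosen by mistake: it now only covers
# traffic from the LAN gateway address to the Smart Devices gateway address,
# so ordinary hosts on the LAN are never matched and fall through to accept.
MISTAKEN_RULES = [
    rule("reject", addrv4("LAN"), addrv4("Smart Devices")),
]


def check(rules, src, dst, proto="tcp", dport=80):
    """Convenience wrapper: verdict for a single flow through a rule list."""
    return evaluate(rules, {"src": src, "dst": dst, "proto": proto, "dport": dport})


if __name__ == "__main__":
    for name, rules in (("NETv4", CORRECT_RULES), ("ADDRv4", MISTAKEN_RULES)):
        print(name, "LAN host -> Smart Devices host, tcp/80:",
              check(rules, "192.168.1.50", "192.168.40.20"))
    print("NETv4 LAN host -> Smart Devices host, tcp/8443:",
          check(CORRECT_RULES, "192.168.1.50", "192.168.40.20", dport=8443))
```

Running the block prints "reject" for a LAN host reaching into the Smart Devices VLAN under the NETv4 rule, "accept" for the one allowed port placed above the reject, and "accept" under the ADDRv4 variant, because a /32 on the gateway address never matches traffic from the hosts you actually want to block.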