Menu
What's new
By:
Filters Better Search

ZyWALL USG 20 VLAN Security Setup

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

A

abignet

Occasional Visitor
Greetings,

I'm hoping someone can help me with setting up a secure VLAN on my ZyXEL ZyWALL USG 20 as I'm having some difficulty figuring out what I am missing (and the documentation is unfortunately not very helpful in this instance).

I am on Firmware Version 3.00(BDQ.2) / 1.14 / 2012-05-03 20:29:02.

My goal is to have two networks that are completely separate from each other (ie, can not see or talk to one another). One network contains sensitive data, and the other is to be a wifi network (so access to the internet, but no access to the other network).

Here is my setup...
  • Network A is on LAN1, and port2. On Configuration->Network->Interface->Ethernet (tab) LAN1 has an IP of 192.168.0.1. Network A has been running fine for a few years and the devices can all interact with each other appropriately.
  • Network B is on LAN2, and port5. On Configuration->Network->Interface->Ethernet (tab) LAN2 has an IP of 192.168.2.1. Network B has a single Wifi device (a wifi router, setup to act solely as an Access Point, using this helpful tutorial) connected to it. The Access Point is working correctly and I can connect to the Internet, but unfortunately I can also see and connect to the computers on Network A, which is not what I want.

Here are the VLAN settings I have tried...

On Configuration->Network->Interface->VLAN (tab):
I created a new VLAN interface (named vlan1).
Interface Type: general (there is also internal and external but I can't find any documentation as to what these do. The help bubble indicates that when internal or external is used "the device will add corresponding default route and SNAT settings." That seems relevant, but I'm not grasping what to do with it.
Zone: I have tried setting this to LAN2 or to VLAN1 (more on this below). I suspect that my issues relate to Zones somehow.
Base Port: LAN2.
IP Address Assignment: Get Automatically.
DHCP Setting: None.

On Configuration->Network->Zone:
I created a separate Zone called VLAN1, to which I added the interface vlan1. Originally I think that vlan1 was a member of the LAN2 Zone along with the lan2 interface. With all of these (and including LAN1 Zone) I have tried turning on "Block Intra-zone Traffic" but that still doesn't prevent devices on Network B from seeing and connecting to devices on Network A.

On Configuration->Firewall:
I added a rule that anything from VLAN1 to LAN1 should be denied. I also tried adding in that the Source be from LAN2_SUBNET. Neither seemed to have any effect.

My best guess is that I need some combination of Zone settings and Firewall settings in order to achieve the security for Network A that I desire. But unfortunately I'm not yet grasping how this all works. I set up a VLAN on an RV042 a while back and I think that was pretty straight forward (I think I could set it to be port-based and that was mostly all I had to do).

Any help, suggestions, links to resources, etc. are all greatly appreciated!

Thanks!
:)
 
I have never used a ZyXEL ZyWALL USG 20 but I would think you would need to create 2 vlans, maybe vlan1 and vlan2. You also need to figure out which vlan is the default vlan which is usually the mangement vlan. It sounds like to me you have not created 2 vlans and that is why you can see the other devices.
 
coxhaus said:
I have never used a ZyXEL ZyWALL USG 20 but I would think you would need to create 2 vlans, maybe vlan1 and vlan2.
Click to expand...
Thanks much for that suggestion! I looked into that some and it was looking like I was going to have to add additional internal IP addresses (as it seems that the ZyWALL wants each VLAN to have its own IP, in addition to the port-based IPs) and potentially then I was going to have to switch around how I was using IPs. Since that sounded like a potential mess I went back to messing around with Firewall rules and figured out something that seems to be working (without relying on VLANs at all).

I created the following rule (in Configuration->Firewall):
From: LAN2; To: LAN1; deny.

And then I followed the tips here (https://secure.dslreports.com/forum/r27752308-Secure-your-USG-quick-how-to) in order to secure the Admin area (see #5 "Restrict access to USG web management pages") so that only LAN1 can login to the Admin area (which is of course password protected as well).

So at this point I think I'm all set (unless I've overlooked something). If anyone happens to read this and have suggestions for things I should check on to ensure my security goals those tips are certainly welcome and appreciated. :)

Thanks!
 
Normally you set up a vlan with a different network so I think you are interpreting it correctly. When you have separate networks they will not be able to access each other without routing which is what you want.
 
You must log in or register to reply here.

Similar threads

O
Asus Mesh over Managed switches (VLAN issue)
Replies
13
Views
600
omri
O
kstamand
GT-AX6000 WAN Port as Trunk to upstream firewall??
Replies
0
Views
119
kstamand
kstamand
P
Question about guest network 1 and VLAN 501
Replies
2
Views
174
rung
R
M
Connecting to device in Guest or IOT VLAN from intranet (using Guest Pro on 3.0.0.6 firmware)?
Replies
7
Views
750
tiddlywink
T
S
Script to enable VLAN on RT-AX86U Pro and current Merlin firmware
Replies
5
Views
526
AlexP11223
A

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 735 (members: 21, guests: 714)
Top