Accessing VLAN not on the switch

I have 2 VLANs (1,4) on the WatchGuard, and I have a firewall rule to block VLAN 4 from accessing VLAN 1, and vice versa.

But I do have explicit firewall rule to allow only my computer and someone else's on VLAN 1 to access VLAN 4 using FQDN, and this works.

The switch I'm connected to in my office is a smart switch, and its only a member of VLAN 1, so how am I able to access devices on VLAN 4 since my switch in the office is not a member of VLAN 4?

This is my setup.

  • My office switch, all ports VLAN 1
  • Uplink switch to my office, members of VLAN 1,4
  • Uplink switch connected to WatchGuard

So does my computer just use its default gateway (on VLAN 1) to get to the devices on VLAN 4? Even if the switch in my office have all ports on VLAN 1?


  • Yes.
    Standard routing - to access anything not on your local subnet - traffic goes to your default gateway to be forwarded to the destination IP addr.

    You can verify this by turning on Logging on your explicit firewall rule - do a test access to VLAN 4 and look at Traffic Monitor to see the allow log entry for this.

  • Thanks, just want to make sure I was thinking it correctly. That's what I did.

Sign In to comment.