
General question about routing between VLANs

Hello!

We are running a T40 as a firewall between internal (trusted) network and the internet.

So far we had a single VLAN 10 configured which was output to interface #1 untagged. It's in zone "Trusted".

Now I added a second VLAN 40, which uses a different IP range and is also in "Trusted" zone. It's output on interface #3.

To my surprise, pinging a device in VLAN 10 from VLAN 40 is possible. I suspect the Firewall rules to allow that, because the rule "ping" is allowing traffic from "Any-Trusted" and "Any-Optional" to "Any".

What's the basic approach when configuring the rules for new VLANs so that those VLANs can't see each other?

Best regards,
Hamph

Comments

  • You could make new ones Custom zones. You need specific policies between Custom zones and any other zone type, including another Custom zone VLAN or interface.
  • james.carson, Moderator, WatchGuard Representative

    If you change the ping rule from

    FROM ANY TRUSTED, ANY OPTIONAL
    TO ANY

    to

    FROM ANY TRUSTED, ANY OPTIONAL
    TO Any External

    The pings will not be able to traverse to other trusted networks.

    As Bruce mentioned, you can also use the custom interface type, but you will need to ensure those interfaces have rules that mention that interface by name, as the normal any-trusted rules will not handle traffic for that type of interface.

    -James Carson
    WatchGuard Customer Support

  • edited October 2023

    James, Bruce,

    thank you for the helping hand!

    I understand that using "ANY EXTERNAL" in the ping rule still allows pinging between devices belonging to the same VLAN and subnet, because they don't get routed through the T40. Is that correct?

    The only other rule which allows traffic to "Any" is our SSL VPN rule (last in list):
    It allows any VPN user to route traffic into any network. It means that VPN traffic can be routed into any VLAN? I'd like to prevent that, because VPN users should only get into the default (production) VLAN. But if I change the "To" clause to something different, is outgoing traffic (from our network to the VPN user) still routed?

    Best regards,
    Hamph

  • Any-external refers to traffic to External interfaces only.

    Packets on the same subnet do not go to the firewall - they get transmitted directly via Ethernet.
  • An Any policy allows all packet types.
    The From: and To: fields on a policy identify what source is allowed to go to what destination.
    To : Any means all interfaces etc. unless it is a Custom type.

    One would need a policy for each direction.
    Note that reply packets are allowed by default.
  • Sorry for reviving this thread, but I'm still not sure how to understand the VPN rule:

    The rule "Allow SSLVPN-Users" only applies to content for users which have authenticated successfully by VPN, right? So it does not affect the authentication / log-in process because this is covered by rule "WatchGuard SSLVPN", according to this article:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_policies.html

    @Bruce_Briggs:
    "One would need a policy for each direction."
    This refers to the fact that one policy is required for packets outgoing to "Any-External", another policy is required for internal traffic (e.g. "Any-Trusted"), did I understand correctly?
    If I want to name specific VLANs to which the traffic gets routed inbound (instead of "Any-Trusted"), is there a way to specify that?

    Best regards,
    Hamph

  • My answer is in response to this, from you:

    "But if I change the "To" clause to something different, is outgoing traffic (from our network to the VPN user) still routed?"

    One needs an outgoing policy for SSLVPN-Users to allow "outgoing traffic (from our network to the VPN user)"
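
Added example, not part of any post above and not WatchGuard code: a simplified Python model of the alias matching described in this thread, for checking which flows a policy's From/To lists cover before and after the suggested change to the ping rule. The interface names, subnets, the VLAN50 Custom interface, and the default deny for unmatched traffic are assumptions made for illustration.

```python
# Simplified model of alias-based policy matching as described in this thread.
# Interface names, zones and subnets are constructed sample values, not a real config.
import ipaddress

INTERFACES = {  # name -> (zone, subnet)
    "VLAN10":   ("Trusted",  "10.0.10.0/24"),
    "VLAN40":   ("Trusted",  "10.0.40.0/24"),
    "VLAN50":   ("Custom",   "10.0.50.0/24"),   # hypothetical Custom-zone VLAN
    "External": ("External", "0.0.0.0/0"),
}

def alias_matches(alias, iface):
    """True if a policy alias covers the given interface."""
    zone = INTERFACES[iface][0]
    if alias == iface:                 # interface referenced by name
        return True
    if zone == "Custom":               # Custom zones are only matched by name
        return False
    if alias == "Any":
        return True
    return alias == "Any-" + zone      # Any-Trusted, Any-Optional, Any-External

def iface_for(ip):
    """Most specific interface whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net).prefixlen, name)
            for name, (_, net) in INTERFACES.items()
            if addr in ipaddress.ip_network(net)]
    return max(hits)[1]

def verdict(policies, src_ip, dst_ip):
    """Name the first policy whose From and To lists both match the flow."""
    src, dst = iface_for(src_ip), iface_for(dst_ip)
    if src == dst:
        return "not routed (same subnet, never reaches the firewall)"
    for name, from_aliases, to_aliases in policies:
        if any(alias_matches(a, src) for a in from_aliases) and \
           any(alias_matches(a, dst) for a in to_aliases):
            return "allowed by " + name
    return "denied (no matching policy)"   # assumed default for unmatched traffic

PING_ORIGINAL = [("ping", ["Any-Trusted", "Any-Optional"], ["Any"])]
PING_REVISED  = [("ping", ["Any-Trusted", "Any-Optional"], ["Any-External"])]

if __name__ == "__main__":
    flows = (("10.0.40.5", "10.0.10.7"), ("10.0.40.5", "10.0.40.9"),
             ("10.0.40.5", "203.0.113.10"), ("10.0.50.5", "10.0.10.7"))
    for label, pol in (("original", PING_ORIGINAL), ("revised", PING_REVISED)):
        for s, d in flows:
            print(label, s, "->", d, ":", verdict(pol, s, d))
```

The same check can be run against any other policy that lists "Any" in its To field, such as the SSL VPN rule discussed above, by adding it to the policy list with its own From aliases.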
