General question about routing between VLANs

Hello!

We are running a T40 as a firewall between internal (trusted) network and the internet.

So far we had a single VLAN 10 configured which was output to interface #1 untagged. It's in zone "Trusted".

Now I added a second VLAN 40, which uses a different IP range and is also in "Trusted" zone. It's output on interface #3.

To my surprise, pinging a device in VLAN 10 from VLAN 40 is possible. I suspect the Firewall rules to allow that, because the rule "ping" is allowing traffic from "Any-Trusted" and "Any-Optional" to "Any".

What's the basic approach when configuring the rules for new VLANs so that those VLANs can't see each other?

Best regards,
Hamph

Comments

  • You could make new ones Custom zones. You need specific policies between Custom zones and any other zone type, including another Custom zone VLAN or interface.
  • james.carson Moderator, WatchGuard Representative

    If you change the ping rule from

    FROM ANY TRUSTED, ANY OPTIONAL
    TO ANY

    to

    FROM ANY TRUSTED, ANY OPTIONAL
    TO Any External

    The pings will not be able to traverse to other trusted networks.

    As Bruce mentioned, you can also use the custom interface type, but you will need to ensure those interfaces have rules that mention that interface by name, as the normal any-trusted rules will not handle traffic for that type of interface.

    -James Carson
    WatchGuard Customer Support

  • edited October 13

    James, Bruce,

    thank you for the helping hand!

    I understand that using "ANY EXTERNAL" in the ping rule still allows to ping between devices belonging to same VLAN and subnet, because they don't get routed through the T40. Is that correct?

    The only other rule which allows traffic to "Any" is our SSL VPN rule (last in list):
    It allows any VPN user to route traffic into any network. It means that VPN traffic can be routed into any VLAN? I'd like to prevent that, because VPN users should only get into the default (production) VLAN. But if I change the "To" clause to something different, is outgoing traffic (from our network to the VPN user) still routed?

    Best regards,
    Hamph

  • Any-external refers to traffic to External interfaces only.

    Packets on the same subnet do not go to the firewall - they get transmitted directly via Ethernet.
  • An Any policy allows all packet types.
    The From: and To: fields on a policy identify what source is allowed to go to what destination.
    To : Any means all interfaces etc. unless it is a Custom type.

    One would need a policy for each direction.
    Note that reply packets are allowed by default.
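
The following is an added example, not code from WatchGuard or from anyone in this thread. It is a small Python model of the policy-matching behaviour the answers above describe: "Any-Trusted" expands to every Trusted interface, "Any" expands to every interface that is not of Custom type, a Custom interface only matches a policy that names it explicitly, a policy is needed per initiating direction, and replies to an allowed flow are accepted without their own policy. The interface names (VLAN10, VLAN40, ETH0, the hypothetical custom-zone VLAN50), the policy list and the `Firewall`/`first_match` helpers are all constructed here for illustration; they are not Firebox configuration syntax.

```python
"""Toy model of zone aliases and first-match policy evaluation.

Added example, not WatchGuard code. Interface names, zones and policies
below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str   # constructed name, e.g. "VLAN10"
    zone: str   # "Trusted", "Optional", "External" or "Custom"


@dataclass(frozen=True)
class Policy:
    name: str
    src: frozenset   # aliases ("Any-Trusted", "Any", ...) or interface names
    dst: frozenset


# Alias -> the zone it covers. "Any" is handled separately: it covers every
# interface except those of Custom type.
ZONE_ALIASES = {
    "Any-Trusted": "Trusted",
    "Any-Optional": "Optional",
    "Any-External": "External",
}


def expand(member, interfaces):
    """Return the set of interface names that an alias or interface name covers."""
    if member == "Any":
        return {i.name for i in interfaces if i.zone != "Custom"}
    if member in ZONE_ALIASES:
        return {i.name for i in interfaces if i.zone == ZONE_ALIASES[member]}
    return {i.name for i in interfaces if i.name == member}


def expand_all(members, interfaces):
    covered = set()
    for m in members:
        covered |= expand(m, interfaces)
    return covered


def first_match(policies, src_if, dst_if, interfaces):
    """Name of the first policy whose From/To cover the packet, or None."""
    for p in policies:
        if src_if in expand_all(p.src, interfaces) and dst_if in expand_all(p.dst, interfaces):
            return p.name
    return None


class Firewall:
    """Stateful evaluator: an initiating packet needs a policy, its replies do not."""

    def __init__(self, interfaces, policies):
        self.interfaces = interfaces
        self.policies = policies
        self.sessions = set()   # (ingress, egress) pairs of flows already allowed

    def forward(self, src_if, dst_if):
        """Return (allowed, reason) for a packet entering on src_if bound for dst_if."""
        if src_if == dst_if:
            # Hosts on one subnet talk directly over Ethernet; the firewall never sees it.
            return True, "same subnet, not routed through the firewall"
        if (dst_if, src_if) in self.sessions:
            return True, "reply to an existing session"
        name = first_match(self.policies, src_if, dst_if, self.interfaces)
        if name is None:
            return False, "no policy matched (default deny)"
        self.sessions.add((src_if, dst_if))
        return True, "policy " + name


# Constructed topology: two Trusted VLANs, one External link, one hypothetical Custom VLAN.
IFACES = [
    Interface("VLAN10", "Trusted"),
    Interface("VLAN40", "Trusted"),
    Interface("ETH0", "External"),
    Interface("VLAN50", "Custom"),
]

PING_TO_ANY = Policy("ping", frozenset({"Any-Trusted", "Any-Optional"}), frozenset({"Any"}))
PING_TO_EXTERNAL = Policy("ping", frozenset({"Any-Trusted", "Any-Optional"}), frozenset({"Any-External"}))
CUSTOM_TO_VLAN10 = Policy("vlan50-to-vlan10", frozenset({"VLAN50"}), frozenset({"VLAN10"}))


def demo():
    """Walk through the cases discussed in the thread; returns {case: allowed}."""
    results = {}
    before = Firewall(IFACES, [PING_TO_ANY])
    results["vlan40->vlan10 with To Any"] = before.forward("VLAN40", "VLAN10")[0]
    # Custom zone: neither Any-Trusted nor Any covers VLAN50.
    results["vlan50->vlan10 with only Any-Trusted rules"] = before.forward("VLAN50", "VLAN10")[0]

    after = Firewall(IFACES, [PING_TO_EXTERNAL])
    results["vlan40->vlan10 with To Any-External"] = after.forward("VLAN40", "VLAN10")[0]
    results["vlan40->internet with To Any-External"] = after.forward("VLAN40", "ETH0")[0]
    results["internet reply to vlan40"] = after.forward("ETH0", "VLAN40")[0]

    named = Firewall(IFACES, [PING_TO_ANY, CUSTOM_TO_VLAN10])
    results["vlan10->vlan50 with To Any"] = named.forward("VLAN10", "VLAN50")[0]
    results["vlan50->vlan10 with a policy naming VLAN50"] = named.forward("VLAN50", "VLAN10")[0]
    results["vlan10->vlan50 as reply"] = named.forward("VLAN10", "VLAN50")[0]
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {case}")
```

Running it shows the three behaviours at once: the original "To Any" ping rule lets VLAN 40 reach VLAN 10, narrowing it to "Any-External" stops that while still allowing pings to the internet and their replies, and the Custom-type VLAN is invisible to both "Any-Trusted" and "Any" until a policy names it, after which only the reverse direction still needs its own policy for initiated traffic.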