New Trusted network can ping existing, but not the other way around

tantonytantony
in Firebox - Networking, Multi-Wan, VLAN, NAT, SD-WAN

I have a case open with WatchGuard support (Case - 01730594).

My existing network have on interface 1 Trusted 10.0.0.5 /24
I created a new network on interface 5 Trusted 10.0.5.1/24

I'm connecting a cable from interface 5 to laptop, and I'm getting the correct dhcp scope, and I had to add a firewall rule to allow interface 5, 10.0.5.1 to be able to access everything else (DNS serves, AD etc) on interface 1 on the existing network. I'm able to ping anything on interface from this network.

But from the existing interface 1 network, I'm not able to ping the laptop on interface 5. I can only ping interface 5 gateway, 10.0.5.1

Then I connect a cable from interface 5 to a Netgear managed switch port 1.
Port 1 is untagged with 1,5. The management IP of the switch is set static 10.0.0.9 with 10.0.0.5 as the gateway. Same as interface 1, but I'm not able to ping the switch either.

As far as I can tell, I have interface 5 on the firewall carrying 1,5 untagged traffic, and interface 1 on the switch to receive 1,5 untagged traffic.

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @tantony
    You'll need to make a rule on the firewall to allow traffic between the two interfaces. You can do this by using the alias for each network, or just using any-trusted to any-trusted.

    You can choose to make an any packet filter for any port, or make rules for the specific ports you want to use on that network.

    -James Carson
    WatchGuard Customer Support

  • tantonytantony

    Yes thank you, its just weird to me that Firebox blocks everything by default.

    Another question, can you have an allow and deny rule in the same firewall rule?

    For example, I have a rule to allow access from my new network to the rest.
    But I want to block internet access on the new network, can I add a 'Denied' rule to any external (internet) on this same rule?

  • tantonytantony

    Also, My new network is Type Trusted, but its name is CMM
    The existing network is also Type Trusted, and is name is the default 'Trusted'

    So that's obviously in the Trusted alias, but how do I add CMM to Trusted alias?

  • Bruce_BriggsBruce_Briggs

    Q. can I add a 'Denied' rule to any external (internet) on this same rule?
    A. no - add a new policy denying To: Any-external with the appropriate From: setting. Move this policy above any other policy which might allow the From: setting access to Any-external

    Q. how do I add CMM to Trusted alias?
    A. you can't - Trusted and all predefined aliases are non-modifiable alias. Use Any-trusted

    Review this:
    About Aliases
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/aliases_about_c.html

  • tantonytantony

    ok thank you, its working

Sign In to comment.