
ZyWALL USG 20 VLAN Security Setup

abignet

Occasional Visitor
Greetings,

I'm hoping someone can help me with setting up a secure VLAN on my ZyXEL ZyWALL USG 20 as I'm having some difficulty figuring out what I am missing (and the documentation is unfortunately not very helpful in this instance).

I am on Firmware Version 3.00(BDQ.2) / 1.14 / 2012-05-03 20:29:02.

My goal is to have two networks that are completely separate from each other (ie, can not see or talk to one another). One network contains sensitive data, and the other is to be a wifi network (so access to the internet, but no access to the other network).

Here is my setup...
  • Network A is on LAN1, and port2. On Configuration->Network->Interface->Ethernet (tab) LAN1 has an IP of 192.168.0.1. Network A has been running fine for a few years and the devices can all interact with each other appropriately.
  • Network B is on LAN2, and port5. On Configuration->Network->Interface->Ethernet (tab) LAN2 has an IP of 192.168.2.1. Network B has a single Wifi device (a wifi router, set up to act solely as an Access Point, using this helpful tutorial) connected to it. The Access Point is working correctly and I can connect to the Internet, but unfortunately I can also see and connect to the computers on Network A, which is not what I want.

Here are the VLAN settings I have tried...

On Configuration->Network->Interface->VLAN (tab):
I created a new VLAN interface (named vlan1).
Interface Type: general (there are also internal and external, but I can't find any documentation as to what these do. The help bubble indicates that when internal or external is used "the device will add corresponding default route and SNAT settings." That seems relevant, but I'm not grasping what to do with it.)
Zone: I have tried setting this to LAN2 or to VLAN1 (more on this below). I suspect that my issues relate to Zones somehow.
Base Port: LAN2.
IP Address Assignment: Get Automatically.
DHCP Setting: None.

On Configuration->Network->Zone:
I created a separate Zone called VLAN1, to which I added the interface vlan1. Originally I think that vlan1 was a member of the LAN2 Zone along with the lan2 interface. With all of these (and including LAN1 Zone) I have tried turning on "Block Intra-zone Traffic" but that still doesn't prevent devices on Network B from seeing and connecting to devices on Network A.

On Configuration->Firewall:
I added a rule that anything from VLAN1 to LAN1 should be denied. I also tried adding in that the Source be from LAN2_SUBNET. Neither seemed to have any effect.

My best guess is that I need some combination of Zone settings and Firewall settings in order to achieve the security for Network A that I desire. But unfortunately I'm not yet grasping how this all works. I set up a VLAN on an RV042 a while back and I think that was pretty straightforward (I think I could set it to be port-based and that was mostly all I had to do).

Any help, suggestions, links to resources, etc. are all greatly appreciated!

Thanks!
:)
 
I have never used a ZyXEL ZyWALL USG 20 but I would think you would need to create 2 vlans, maybe vlan1 and vlan2. You also need to figure out which vlan is the default vlan which is usually the management vlan. It sounds to me like you have not created 2 vlans and that is why you can see the other devices.
 
> I have never used a ZyXEL ZyWALL USG 20 but I would think you would need to create 2 vlans, maybe vlan1 and vlan2.
Thanks much for that suggestion! I looked into that some and it was looking like I was going to have to add additional internal IP addresses (as it seems that the ZyWALL wants each VLAN to have its own IP, in addition to the port-based IPs) and potentially then I was going to have to switch around how I was using IPs. Since that sounded like a potential mess I went back to messing around with Firewall rules and figured out something that seems to be working (without relying on VLANs at all).

I created the following rule (in Configuration->Firewall):
From: LAN2; To: LAN1; deny.

And then I followed the tips here (https://secure.dslreports.com/forum/r27752308-Secure-your-USG-quick-how-to) in order to secure the Admin area (see #5 "Restrict access to USG web management pages") so that only LAN1 can login to the Admin area (which is of course password protected as well).

So at this point I think I'm all set (unless I've overlooked something). If anyone happens to read this and has suggestions for things I should check on to ensure my security goals are met, those tips are certainly welcome and appreciated. :)

Thanks!
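The following is an added illustration, not code from the thread or from ZyXEL. It is a small model of how a zone-based firewall such as the USG classifies a flow, built to reproduce what the thread reports: a "from VLAN1 to LAN1: deny" rule had no visible effect, while "from LAN2 to LAN1: deny" isolated Network B. The explanation assumed here is that the access point sends ordinary untagged frames, so its traffic enters the USG on the base interface lan2 (zone LAN2) and never on the VLAN sub-interface vlan1 (zone VLAN1), which is why a rule keyed on zone VLAN1 never matches it. The VLAN ID (10), the WAN interface name (wan1), the "ZyWALL" zone for traffic addressed to the unit itself, the sample client and Internet addresses, the default-allow behaviour, and the management-port rule standing in for the dslreports tip #5 are all assumptions made to complete the model; only the interface names, zone names and the two subnets come from the post.

```python
"""Constructed model of zone-based rule matching on a USG-style firewall.

Not ZyXEL code. Reproduces the thread's observation: a rule keyed on zone
VLAN1 misses untagged traffic arriving on lan2, while a LAN2->LAN1 deny works.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface names, zones and subnets as given in the original post.
# The VLAN ID (10) and the WAN interface name are assumptions.
INTERFACES = {
    "lan1": {"zone": "LAN1", "addr": "192.168.0.1", "net": "192.168.0.0/24"},
    "lan2": {"zone": "LAN2", "addr": "192.168.2.1", "net": "192.168.2.0/24"},
    "vlan1": {"zone": "VLAN1", "base": "lan2", "vid": 10},   # hypothetical VID 10
    "wan1": {"zone": "WAN"},
}


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str                          # "allow" or "deny"
    dports: Optional[frozenset] = None   # None means any service


@dataclass(frozen=True)
class Packet:
    port: str                 # physical interface the frame arrived on
    vlan_tag: Optional[int]   # 802.1Q tag, or None for an untagged frame
    src: str
    dst: str
    dport: int = 80


def ingress_interface(pkt: Packet) -> str:
    """A frame tagged with a configured VID belongs to the VLAN sub-interface;
    an untagged frame belongs to the base port it arrived on."""
    for name, cfg in INTERFACES.items():
        if cfg.get("base") == pkt.port and cfg.get("vid") == pkt.vlan_tag:
            return name
    return pkt.port


def to_zone(dst: str) -> str:
    """Traffic addressed to one of the USG's own IPs goes to the ZyWALL zone
    (assumed name); otherwise to the zone of the interface whose subnet holds
    the destination; anything else follows the default route to WAN."""
    ip = ip_address(dst)
    if any(cfg.get("addr") == dst for cfg in INTERFACES.values()):
        return "ZyWALL"
    for cfg in INTERFACES.values():
        if "net" in cfg and ip in ip_network(cfg["net"]):
            return cfg["zone"]
    return "WAN"


def evaluate(rules, pkt: Packet, default: str = "allow") -> str:
    """First matching from-zone/to-zone rule wins. The default-allow reflects
    the thread's observation that LAN2 reached LAN1 before any rule existed."""
    src_zone = INTERFACES[ingress_interface(pkt)]["zone"]
    dst_zone = to_zone(pkt.dst)
    for r in rules:
        if (r.from_zone == src_zone and r.to_zone == dst_zone
                and (r.dports is None or pkt.dport in r.dports)):
            return r.action
    return default


# Constructed sample flows from a wireless client (untagged, arriving on lan2).
WIFI_TO_NETWORK_A = Packet("lan2", None, "192.168.2.50", "192.168.0.10", 445)
WIFI_TO_INTERNET = Packet("lan2", None, "192.168.2.50", "203.0.113.7", 443)
WIFI_TO_ADMIN_UI = Packet("lan2", None, "192.168.2.50", "192.168.2.1", 443)

# The rule the poster first tried, and the pair that finally worked
# (the ZyWALL-zone rule stands in for "restrict access to web management").
ATTEMPTED = [Rule("VLAN1", "LAN1", "deny")]
WORKING = [
    Rule("LAN2", "LAN1", "deny"),
    Rule("LAN2", "ZyWALL", "deny", frozenset({80, 443})),
]


def isolation_report(rules) -> dict:
    """Verdict for each sample flow under a given rule set."""
    return {
        "wifi->networkA": evaluate(rules, WIFI_TO_NETWORK_A),
        "wifi->internet": evaluate(rules, WIFI_TO_INTERNET),
        "wifi->admin_ui": evaluate(rules, WIFI_TO_ADMIN_UI),
    }


if __name__ == "__main__":
    print("attempted:", isolation_report(ATTEMPTED))
    print("working:  ", isolation_report(WORKING))
```

Two things the model makes visible that are worth checking on a real unit: a deny rule only stops sessions initiated from the source zone, so any rule allowing LAN1 to open connections into LAN2 still lets replies flow back (that is fine for the stated goal, but it is the direction to audit), and management access to the USG's own addresses is a separate destination from LAN1, so the LAN2->LAN1 deny alone does not cover the admin pages.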
 
Normally you set up a vlan with a different network so I think you are interpreting it correctly. When you have separate networks they will not be able to access each other without routing which is what you want.
 
