multiple VLANs on one security zone - possible?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

multiple VLANs on one security zone - possible?

L4 Transporter

Hi

I need your help with one (probably simple for You problem).

I have PA200 but I have only one "free" security zone and one phisical interfece free.

I need to create 4 local networks (as a subinterfaces/VLAN) that every one has their own adresses, dhcp server, NAT policy to their own IP.

Intervlan traffic shouldn't be allowed.

Is it possible? Until now I do always one security zone per one network ...

With regards

Slawek

19 REPLIES 19

L5 Sessionator

You can create L3 sub-interfaces and assign them IP subnets ,Zones and create NAT and Security rules.

For reference  Page 99 :

I was stuck with one thing, one of this local networks must have Captive Portal on it.

I can connect proper profile to interface for CP but the CP policy I need to bind to whole Security Zone. I can do exclussions - but is it a  good idea?



I doubt, and I would like to ask you whether it is good that I am doing


Regards

Slawek

Hi,

No profile for CP but Captiv Portal Policy 🙂 then no issue

v.

L5 Sessionator

You can create a specific Captive Portal rule based on Source IP subnets .

No-CP rules can be created for IPs that do not need CP ,for granularity if certain IPs need exclusion from CP in an address space.

Additionally ,User-Identification Include (/Exclude) ACLs could be created ,if Zone has multiple interfaces/Subnets ,to filter the IP spaces that need (/dont need) User Id via CP.

HTH

L4 Transporter

Hello

I stuck with configurations .... help me please. My config look like:

2013-07-23_132802.png

2013-07-23_132725.png

2013-07-23_132047.png

2013-07-23_133613.png

2013-07-23_134702.png

Computer connected to VLAN 210 is able to get IP address from DHCP server (got 192.168.210.2) but is unable to ping gateway in this network (192.168.210.1). Of course it can't ping 8.8.8.8 too

Why?

It's doesnt matter that "any" or "unknown" is chooses in security policy "Other_LAN - internet"  - computer cant reach internet or gateway.

User identyfiaction is enabled on "Other_LAN" because I have to do Captive Portal on 192.168.3.0 network (and only on this network)

Computer connected to VLAN 210,230,240 getting IP from DHCP (can't ping gateway), but connected to vlan 250 doesn't even getting IP from DHCP server.

Slawek

Computer connected to VLAN 210 is able to get IP address from DHCP server (got 192.168.210.2) but is unable to ping gateway in this network (192.168.210.1).


Could be getting blocked by the rule deny-rest.Configure a rule above deny-rest  rule between zones Other_LAN to Other_LAN  to allow this traffic.


Of course it can't ping 8.8.8.8 too

Can you check the Source NAT rule,Shouldn't the Innie siece zone be replaced by OTHER_LAN zone ?

L4 Transporter

Computer connected to VLAN 210,230,240 getting IP from DHCP (can't ping gateway), but connected to vlan 250 doesn't even getting IP from DHCP server.

A: You don't have it enabled. It shows as disabled.


As Nadir said, your NAT rules need to be from the correct source zone.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

Yes - the traffic was blocked by deny-rest rule.

I added policy from Other_LAN to Other_LAN and now I can ping gateway of network where is locted computer. BUT also I can ping other VLAN gateways!! - that's not good.

Is it a solution for "clever" blocking traffic from ie. vlan250 to every other. At the moment I have 4 networks on Other_LAN interface so I had to 4^2 rules of blocking traffic - is it a solution to do it a bit smarter?

Every of this subinterfaces/networks must be separated, and allow only traffic to the internet (exept for DHCP/DNS/CP).

Sorry for my english ... I hope that you are understand what I want to achieve.

Craymond - you are right, it was disbaled - it's my fault - thx

Regards

Slawek

I have another problems with computer in 192.168.3.x network.

I can't see CaptivePortal, my browser isn't redirected (even when I add rule that allow traffic to it's IP (192.168.110.1) - rule "SCH-CP" - but I can ping it by IP address or name.

I changed dns servers from google dns to my local dns serwers for every of my local network - just for unifications.

2013-07-24_094708.png

so the problem is in NAT (I can't  see errors in configuration, picture from yesterday has polish name of Other_LAN - so it's confusing you) - configurations is similar to my others NAT.

2013-07-24_094954.png

when I try ping google.pl I see traffic that passes rule "Other_LAN - DNS" but my computer dosn't resolve name to it's IP.

I can't ping or browse internet on every LAN on Other_LAN security zone.

I don't understand what is going here, I have 7 other LANs on my PAN device (every has their own security zone) and everyting is working as I expected. When I started to configure 4 LANs on one security zone something is going creazy ...

Please explain me why I need to allow traffic from Other_LAN to Other_LAN to bo able to ping gateways when without such security rule I was able to get IP from DHCP server??

Help me please

Regards

Slawek

By default firewall allows ,Intra-Zone traffic.So you can ping all hosts in Other_LAN to hosts in Other_LAN by default if you dont have deny-rest Rule.You can either create separate Zone for each VLAN.

Having deny-rest rule would warrant creation of specific allow rules from Other LAN to any zone.

Suggestions : You can alter the deny rest to specific zones instead of any. eg Other Zone to Untrust.



"so the problem is in NAT (I can't  see errors in configuration, picture from yesterday has polish name of Other_LAN - so it's confusing you) - configurations is similar to my others NAT."


Check if you have a zone named inne sieci configured.I dont think Zone names would be translated.

Change "Inne sieci" in NAT config to Other_LAN

it's done today morning, now it's looks like:

2013-07-24_105524.png

2013-07-24_105546.png

What do you see in the traffic logs for the outbound traffic failing ?

Can you include additional columns in the traffic log eg : NAT Source  IP,Packets sent Packets received etc.

Do you have Default route defined ?

Can  try to include the Interface in the Source NAT rule instead of the translated address.

  • 7781 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!