VLAN Firewall Rule Issue

Hi Hammer,

Please post a picture of the configuration and the firewall rule. For communicating VLAN with LAN, configure a FW-rule:

Source: LAN // Networks: 192.168.0.0/24, 
Destination: LAN // Networks: 192.16.100.0/24, 
What: Any Service
Action: Accept

Vice versa.

Hope that helps.

Also I don't want communication between the 2 networks. There is only one IP I need VLAN access to not the whole of the subnet, the firewall rule is required for more or less to control access   

Alam,

1. Remove the source host port1 from the rule

2. Create a firewall rule from vlan to LAN and add destination host the LAN ip you need to access.

Thanks

Hi Luk

I don't think I understand what you said :( sorry. 

1. I have configured a firewall Rule for VLAN, the VLAN clients are not hitting the rule instead bypassing through default rule. Rule for VLAN is configured as below :

Remove the Source Network/Devices = #Port1.10

2. Create a firewall rule from vlan to LAN and add destination network/devices  the LAN ip you need to access to.

If you do not understand, please upload a network diagram.

Regards,

Thanks for the reply. I dont have a diagram but ask me what you need to know I will try my best to answer. In response to what you said

1. I have configured a firewall Rule for VLAN, the VLAN clients are not hitting the rule instead bypassing through default rule. Rule for VLAN is configured as below :

Remove the Source Network/Devices = #Port1.10

By doing so the LAN traffic hits that Rule , All i want is just the VLAN traffic to hit the rule so I can apply different web policy to it

LAN = 192.168.0.1 

VLAN = 192.16.100.1 

I don't want any communication between the 2 networks,apart from one IP on internal LAN which is 192.168.0.55

Thanks for the reply. I dont have a diagram but ask me what you need to know I will try my best to answer. In response to what you said

1. I have configured a firewall Rule for VLAN, the VLAN clients are not hitting the rule instead bypassing through default rule. Rule for VLAN is configured as below :

Remove the Source Network/Devices = #Port1.10

By doing so the LAN traffic hits that Rule , All i want is just the VLAN traffic to hit the rule so I can apply different web policy to it

LAN = 192.168.0.1 

VLAN = 192.16.100.1 

I don't want any communication between the 2 networks,apart from one IP on internal LAN which is 192.168.0.55

I believe my issue is the same as here  https://community.sophos.com/products/xg-firewall/f/network-and-routing/73278/vlan-traffic-issues#pi394filter=all&pi394scroll=false. I have tried to follow the instructions but no joy ....

Here is what I have done now 

Created proper Host IP objects (in Objects > Hosts and Services) for 192.16.100.0 and then one rule:

Source: LAN // Networks: 192.16.100.0/24
Destination: LAN // Networks: 192.16.100.0/24
What: Any Service
Action: Accept

I am definitely doing something wrong don't know what  

Hammer,

if you need to allow VLAN clients to connect to LAN network, you have to create a LAN to LAN zone Firewall rule from source network (VLAN network 192.68.x.y) to destination network (LAN network 192.168.x.y).

Your firewall rule is wrong!

Thanks for the reply, you were right I did what you suggested before and it seems to be working I will mark that as answer.

1. Remove the source host port1 from the rule

2. Create a firewall rule from vlan to LAN and add destination host the LAN ip you need to access.

I am now trying to configure web policies for the VLAN traffic, trying to follow this 

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/79376/alll-traffic-passing-from-the-default-policy-and-not-from-the-policies-i-created