What is a good way to compartmentalize vlans from each other through the XG?
Say I have general lan (vlan1) and I don't want vlan1 to talk to vlan50, or vlan50 to talk to vlan60.
Can you give me an example of a rule? I'm still trying to figure out the method of thinking when it comes to designing these rules. Coming from pfSense, ha.
I've created a rule that prevents any of the VLANs from talking to the entire LAN section. However, LAN can talk to them. They are still able to get out to the web. It was the end of the day, so I didn't get to test whether they could communicate with each other.
Ian,
Since the first version, firewall rules have not accepted a port on the source network.
I even remember a Sophos KB article saying not to use ports inside the source network (a newer KB than what the community had discovered), but I cannot find it.
Hi Greg,
First, the VLAN routing must be done by XG otherwise you may need to manage that on the switch using access rules.
If inter-VLAN routing is configured, then you may use LAN-to-LAN rules and specify the particular networks, e.g. Src_Zone: LAN, Src_network: VLAN50, Dest_Zone: LAN, Dest_network: VLAN60, Action: Accept.
You do not need to create a LAN-to-LAN rule with the host set to ANY. If you have created such a rule, then you may need to create the Reject rule specified earlier and position it on top of that rule.
By default, traffic to or from networks/hosts not listed in the specified rules will be dropped.
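The ordering point in the answer above (a specific Reject has to sit above a broad Any/Any Accept, and anything not matched by a rule falls through to the default drop) is easy to get wrong, so here is an added example that walks three candidate rule sets through a first-match evaluator. This is illustration code written for this thread, not Sophos XG code or its API; it assumes top-down first-match semantics with an implicit drop when nothing matches, and the VLAN names, subnets and addresses are constructed for the example.

```python
"""First-match firewall policy walk-through (added example, not Sophos code).

Assumptions: rules are evaluated top-down and the first match wins; traffic
matching no rule is dropped. Network names, subnets and addresses are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed VLAN subnets standing in for the "network" objects in the rules.
NETWORKS = {
    "VLAN1": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN50": ipaddress.ip_network("192.168.50.0/24"),
    "VLAN60": ipaddress.ip_network("192.168.60.0/24"),
}
ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_net: str      # a key of NETWORKS, or ANY
    dst_zone: str
    dst_net: str      # a key of NETWORKS, or ANY
    action: str       # "Accept" or "Reject"


def _net_matches(net_name, ip):
    return net_name == ANY or ip in NETWORKS[net_name]


def evaluate(rules, src_zone, src_ip, dst_zone, dst_ip):
    """Return (action, rule_name) for the first rule that matches zones and
    networks; if no rule matches, return the implicit default drop."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and _net_matches(r.src_net, src)
                and _net_matches(r.dst_net, dst)):
            return r.action, r.name
    return "Drop", "implicit default drop"


# Policy A: only write down what should be allowed. VLAN1 (the general LAN)
# may reach VLAN50, every VLAN may reach WAN; VLAN50<->VLAN60 is simply absent.
ALLOWLIST_ONLY = [
    Rule("VLAN1 to VLAN50", "LAN", "VLAN1", "LAN", "VLAN50", "Accept"),
    Rule("LAN to WAN", "LAN", ANY, "WAN", ANY, "Accept"),
]

# Policy B: a broad LAN-to-LAN Any/Any Accept exists and the VLAN50->VLAN60
# Reject sits *below* it. This is the ordering mistake the answer warns about.
REJECT_BELOW_ANY = [
    Rule("LAN to LAN any", "LAN", ANY, "LAN", ANY, "Accept"),
    Rule("Block VLAN50 to VLAN60", "LAN", "VLAN50", "LAN", "VLAN60", "Reject"),
    Rule("LAN to WAN", "LAN", ANY, "WAN", ANY, "Accept"),
]

# Policy C: same rules, with the Reject moved to the top.
REJECT_ABOVE_ANY = [REJECT_BELOW_ANY[1], REJECT_BELOW_ANY[0], REJECT_BELOW_ANY[2]]


def vlan50_to_vlan60(rules):
    return evaluate(rules, "LAN", "192.168.50.10", "LAN", "192.168.60.10")


def vlan1_to_vlan50(rules):
    return evaluate(rules, "LAN", "192.168.1.10", "LAN", "192.168.50.10")


def vlan50_to_web(rules):
    # 203.0.113.1 is a documentation (TEST-NET-3) address standing in for a web server.
    return evaluate(rules, "LAN", "192.168.50.10", "WAN", "203.0.113.1")


if __name__ == "__main__":
    for label, policy in [("allowlist only", ALLOWLIST_ONLY),
                          ("reject below any", REJECT_BELOW_ANY),
                          ("reject above any", REJECT_ABOVE_ANY)]:
        print(f"{label:17} VLAN50->VLAN60: {vlan50_to_vlan60(policy)}")
        print(f"{label:17} VLAN1->VLAN50:  {vlan1_to_vlan50(policy)}")
        print(f"{label:17} VLAN50->web:    {vlan50_to_web(policy)}")
```

Running it shows the two working shapes of the policy: with only the allowed pairs listed, VLAN50 to VLAN60 never matches a rule and is dropped while VLAN50 still reaches WAN; with a broad LAN-to-LAN Any rule present, the same traffic is accepted until the Reject is moved above that rule.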