Firewall a VLAN

Question

Hi, We are currently running with a pair of 201E Firewalls running in NAT mode. These are currently setup with 2 interfaces LAN and WAN, which just basically firewalls traffic from lan to wan (Internet) and vise versa.

We are now looking to firewall a vlan from the rest of the network. So the idea is to push traffic from this vlan through this new interface and then out through the LAN interface back into the network.

So we have setup another interface with an IP in this vlan (VLAN710) which is connected to our core switch. The core contains the gateway address for this vlan. This interface is pingable from the core and any other machine within this vlan but not outside of this vlan. I can see this as a connected route on the FW. I'm guessing its a routing issue on the FW but cant figure out what is needed. We already have static routes in place to push internal subnets through the LAN interface which is what we want. If someone could help or point me in the right direction would be great.

Cheers

lobstercreed · Answer

Do you have policies allowing ping from your LAN interface to your VLAN interface? If not, the problem might be that simple. From your explanation though you might also be having some trouble with asymmetric routing but I might just be misreading what you wrote (you said your core has the gateway address, which is not possible while simultaneously firewalling off the VLAN).

It sounds like what you're describing is essentially a DMZ, so that's a pretty common config. I actually use my FGT as the default gateway for the majority of my user- and IoT-facing VLANs so that I have the ability to restrict east/west traffic.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded