Matt | USG300 VLAN Routing
Hello Folks,
I am planning a way to build a true DMZ around our core USG300. I know I can just throw a pfSense box in between our internal LAN VLAN and the DMZ VLAN and let it firewall/route, but I'm wondering if that is unnecessarily complicating things?
Here is (will be) my setup:
        Public Address Space
                 |
          Zywall USG 300
      (Port 5)        (Port 1)
         |               |
        DMZ             LAN
         |               |
     10.0.10.x      192.168.2.x
I'd like to allow certain ports (mainly SSH) to flow from the LAN subnet to the DMZ subnet, but nothing unsolicited the other way. Can the USG300 provide this functionality? If so, would policy routing be the feature I am looking for?
Anav | Yes, yes and yes. The USG provides all the DMZ functionality you need; not sure what else you want. No need to add a pfSense box. Policy routing and firewall rules cover most of what you need. The router also assigns VLAN tags to packets and can route them.
Can you be more specific in terms of the VLANs you want to set up? Are you using a managed switch behind the router? What is it that you are segmenting?
Yes, via firewall rules you can allow one-way LAN to DMZ traffic and prevent the reverse.
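To make the "one-way LAN to DMZ" point concrete, here is an added illustration (not ZyWALL code, and not from either poster): a small zone-based policy model with default deny between zones plus a session table, so SSH replies from the DMZ are admitted while an unsolicited DMZ-to-LAN connection is dropped. Zone names and subnets are the ones from the diagram; the host addresses and the rule-tuple format are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed model of the one-way LAN -> DMZ policy in the thread; not ZyWALL
# code. Zone names and subnets come from the post, the rule tuple is assumed.
@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for a new connection attempt

class ZoneFirewall:
    """Zone-to-zone rules, first match wins, default deny, stateful replies."""
    def __init__(self, rules):
        self.rules = rules      # (from_zone, to_zone, dport or None, action)
        self.sessions = set()   # (client, sport, server, dport) of admitted flows

    def _policy(self, p):
        for frm, to, port, action in self.rules:
            if frm == p.src_zone and to == p.dst_zone and port in (None, p.dport):
                return action
        return "deny"           # nothing matched: default deny between zones

    def allow(self, p):
        # Replies to an admitted session pass even though DMZ -> LAN has no
        # allow rule; only *unsolicited* DMZ -> LAN traffic is blocked.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        if not p.syn or self._policy(p) != "allow":
            return False
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return True

def build_firewall():
    """LAN may open SSH to DMZ; everything else between the two zones is denied."""
    return ZoneFirewall([("LAN", "DMZ", 22, "allow")])

def demo():
    fw = build_firewall()
    ssh = Packet("LAN", "DMZ", "192.168.2.10", 40000, "10.0.10.5", 22, True)
    reply = Packet("DMZ", "LAN", "10.0.10.5", 22, "192.168.2.10", 40000, False)
    probe = Packet("DMZ", "LAN", "10.0.10.5", 40001, "192.168.2.10", 22, True)
    web = Packet("LAN", "DMZ", "192.168.2.10", 40002, "10.0.10.5", 80, True)
    return [fw.allow(ssh), fw.allow(reply), fw.allow(probe), fw.allow(web)]
```

Running `demo()` returns `[True, True, False, False]`: the LAN-initiated SSH session and its replies pass, the DMZ-initiated SSH attempt and the LAN-to-DMZ HTTP attempt do not.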
Matt | Thanks Alex. If I run into any troubles the user manual can't help me solve, I'll post back here. I just wanted confirmation I was heading down the right path before I dove in.
Anav | No worries, you can assign the physical port to the zone (LAN or DMZ) as well as have each zone provide its own DHCP service as per your diagram.