Monday, November 10, 2008

Intra-Zone Traffic

You can combine multiple interfaces, VLANs or VPN tunnels into a zone to make policy creation easier. To create a zone go to System -> Network -> Zone -> Create New. For example, you can combine ten VLAN interfaces into a zone called "Vlans". The zone then shows up as a selectable interface in the policy section. You can then create policies between the "Vlans" zone and the internal interface, so that a single policy covers all ten VLANs rather than one policy per VLAN to the internal interface.

In the zone configuration you can check the "Block intra-zone traffic" box to prevent the interfaces in the same zone from talking to each other.
Now assume you have ten interfaces in the zone with Block intra-zone traffic checked, and you want to allow traffic between a small number of networks on different interfaces in that zone without turning intra-zone blocking off for the whole zone.
For this scenario the VLAN subnets are 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.

To do this, create a policy as follows:

Source Interface: Zone-name (e.g. Vlans)
Source Address: 192.168.1.0/24
Destination Interface: Zone-name (same as Source Interface, i.e. Vlans)
Destination Address: 192.168.2.0/24

This policy allows traffic from 192.168.1.x to 192.168.2.x even though both are in the same zone and intra-zone blocking is enabled. Think of intra-zone blocking as a default deny for the zone that you override only with explicit policies whose source and destination are both that zone. Two caveats: the policy is directional, so it permits sessions initiated from 192.168.1.x (replies return through the established session) but not new connections from 192.168.2.x to 192.168.1.x, which need a policy of their own; and because everything else inside the zone stays denied, restrict the policy's service setting to what those hosts actually need rather than allowing all services.
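The following is an added example, not code from the original post or from the firewall vendor. It models the policy lookup described above so you can check what the zone configuration will and will not permit before touching the box: policies are matched top-down, first match wins, a zone name in the source or destination interface field matches any member interface, and when no policy matches, traffic between two members of a zone is denied if "Block intra-zone traffic" is checked and allowed if it is not. The interface names (vlan1..vlan10, internal), the mapping of each subnet to its interface and the second policy toward an internal 10.0.0.0/24 network are constructed for the example and are not from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed example: zone "Vlans" contains vlan1..vlan10, and vlanN carries 192.168.N.0/24.
ZONES = {"Vlans": {f"vlan{i}" for i in range(1, 11)}}
INTERFACE_OF = {ip_network(f"192.168.{i}.0/24"): f"vlan{i}" for i in range(1, 11)}
INTERFACE_OF[ip_network("10.0.0.0/24")] = "internal"   # assumed internal network

# Policies are evaluated top-down, first match wins. srcintf/dstintf may be an
# interface or a zone name, exactly as in the post's override policy (entry 1).
POLICIES = [
    {"srcintf": "Vlans", "srcaddr": "192.168.1.0/24",
     "dstintf": "Vlans", "dstaddr": "192.168.2.0/24", "action": "accept"},
    # assumed second policy: every VLAN may reach the internal network
    {"srcintf": "Vlans", "srcaddr": "0.0.0.0/0",
     "dstintf": "internal", "dstaddr": "10.0.0.0/24", "action": "accept"},
]


def interface_for(ip):
    """Return the interface that owns the subnet containing ip (constructed routing table)."""
    for net, intf in INTERFACE_OF.items():
        if ip in net:
            return intf
    raise ValueError(f"no interface for {ip}")


def intf_matches(selector, interface):
    """A srcintf/dstintf selector matches an interface directly or through zone membership."""
    return interface == selector or interface in ZONES.get(selector, ())


def evaluate(src, dst, policies=POLICIES, block_intrazone=True):
    """Return 'accept' or 'deny' for a new session from src to dst.

    block_intrazone models the "Block intra-zone traffic" check box on the zone.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    ingress, egress = interface_for(src_ip), interface_for(dst_ip)

    # 1. Explicit policies, first match wins.
    for p in policies:
        if (intf_matches(p["srcintf"], ingress)
                and intf_matches(p["dstintf"], egress)
                and src_ip in ip_network(p["srcaddr"])
                and dst_ip in ip_network(p["dstaddr"])):
            return p["action"]

    # 2. No policy matched: traffic between two members of the same zone falls
    #    back to the zone's intra-zone setting.
    for members in ZONES.values():
        if ingress in members and egress in members:
            return "deny" if block_intrazone else "accept"

    # 3. Anything else hits the implicit deny.
    return "deny"


if __name__ == "__main__":
    for flow in [("192.168.1.10", "192.168.2.20"),   # overridden by the explicit policy
                 ("192.168.2.20", "192.168.1.10"),   # reverse direction: no policy, blocked
                 ("192.168.3.1", "192.168.4.1"),     # other VLANs: intra-zone block applies
                 ("192.168.5.5", "10.0.0.8"),        # zone -> internal interface policy
                 ("10.0.0.8", "192.168.5.5")]:       # no internal -> zone policy
        print(flow, evaluate(*flow))
```

The second flow is the one people trip over: the override policy is one-directional, so a host on 192.168.2.x still cannot open a new connection to 192.168.1.x until a matching policy exists in that direction. Unchecking the box (`block_intrazone=False`) makes every VLAN-to-VLAN flow pass without a policy, which is why the post keeps it checked and overrides selectively.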
