I have a NetVanta 3450. I'm no expert with this but I'm pretty good at configuring things through the web interface. I don't have a console cable, and no idea how to configure it by the command line interface. I'm running into a problem I can't figure out.
In IP interfaces, eth 0/1 is my private internal network, eth 0/2 is my public network with my static internet IPs on it.
On eth 0/1, I have a primary IP address of 10.0.0.16/255.255.0.0 and a secondary address of 192.168.168.1/255.255.255.0.
Most workstations on my network are on the 10.0.x.x subnet. I want to be able to put one specific workstation on the 192.168.168.x network, and have internet access through the router, but prevent that workstation from being able to see workstations on the 10.0.x.x network. Everything is working fine, except the router routes traffic between the two subnets automatically.
The firewall is configured. There are two security zones, named "Public" and "Private". There are numerous policies set up for NAT and so forth to route traffic from the outside in to several web sites, mail servers, etc., as well as to allow needed outgoing traffic.
Can someone tell me how, using the web interface, to configure a policy or setting or something that will prevent routing between the two subnets on eth 0/1? It would be greatly appreciated.
Essentially you will need to add a filter to the Private security zone that is assigned to the Eth 0/1 interface. On that configuration page, you would specify the workstation that is in the 192.168.168.x network and specify a /32 subnet (255.255.255.255). The destination network would be the 10.0.x.x network with a /16 subnet (255.255.0.0). I would recommend setting a static IP on the workstation if there are going to be a couple. However, if you would like to block all traffic from 192.168.168.x from reaching the 10.0.x.x network, you can specify the 192.168.168.x network in the source field on the filter configuration page.
You will also want to make sure it is placed high enough in your Security Zone so that a rule above it does not allow the traffic through.
Please do not hesitate to let us know if you have any further questions. If you are still having issues, please provide a copy of your configuration for us to review. Please remember to remove any sensitive information.
If you used the firewall wizard, I have found that it will NAT all traffic to any interface with your WAN IP. I'm not sure why this is the default for the wizard, it's a strange practice. Check to see if your NAT statement is set for "Any Security Zone" rather than "Public". If you change it to just Public, it will only NAT when the "Private" zone needs to route out the WAN. By default, I believe the router will then block your traffic between private subnets. Check your NAT sessions to see if this is happening, I've seen it happen myself.
Note: You would have to add allow rules to then allow traffic between the private subnets if you so chose.
I tried both suggestions, and neither works. Just in case there are other policies on the firewall allowing this to happen, I set up and configured a different router, a NetVanta 1335. Default configuration, went through the basic firewall wizard to set it up, so there are no other rules or policies in effect.
I then added a filter policy to the Private Security Zone, source 192.168.168.0/255.255.255.0, destination 10.0.0.0/255.255.0.0. Still routes between subnets.
I then made the change that dre suggested, changing the "NAT list wizard-ics" from "Any Security Zone" to "Public", and it's still routing between subnets.
This whole thing seems to violate the concept that "Traffic not matching one of the policies will be blocked". I'm wondering if, although it is still routing, traffic with the source and destination on the same IP interface is not handled by the firewall. Is that possible? It's starting to look like that's the case.
On the 1335, it obviously has 24 ports to work with. So I think I could accomplish what I want by putting 192.168.168.x on its own VLAN. But that wouldn't solve how to accomplish this on the 3450, which has just two physical ports to work with, one for the public and one for the private.
So still looking for more suggestions.
This goes beyond the GUI.
Enable 802.1Q, create 2 logical interfaces on the single physical port; they will have their own VLAN IDs. Configure your switch with the same 2 VLANs, with one subnet on each VLAN and a trunk port connected to the router. You now have 2 interfaces that you can assign policies to. This also assumes you have a manageable switch.
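As an added worked example (not from the original thread, and not configuration taken from either poster's routers), this is the AOS CLI shape of the approach described above: the two addresses currently sharing eth 0/1 on the 3450 are moved onto two 802.1Q subinterfaces, each placed in its own security zone, so the firewall sees 192.168.168.0/24 to 10.0.0.0/16 as cross-zone traffic and can drop it while still NATing that subnet out eth 0/2; the matching trunk and access ports on a managed switch follow. The VLAN IDs 10 and 20, the zone and access-list names, the switch port numbers and the exact command syntax are assumptions; check them against the AOS command reference for your firmware before applying, and keep your existing Private zone entries (for example the wizard-generated NAT list) in place.

```text
! --- NetVanta 3450 (AOS); assumed syntax, hypothetical names and VLAN IDs ---
! The physical port carries tagged frames only; addresses live on the subinterfaces.
interface eth 0/1
  no ip address
  no shutdown
!
! VLAN 10: the existing 10.0.x.x workstations, unchanged zone.
interface eth 0/1.10
  vlan-id 10
  ip address 10.0.0.16 255.255.0.0
  access-policy Private
  no shutdown
!
! VLAN 20: the workstation to be isolated, in a zone of its own.
interface eth 0/1.20
  vlan-id 20
  ip address 192.168.168.1 255.255.255.0
  access-policy Isolated
  no shutdown
!
! Access lists referenced by the policy classes (AOS uses wildcard masks).
ip access-list extended TO-PRIVATE-LAN
  permit ip any 10.0.0.0 0.0.255.255
!
ip access-list extended MATCHALL
  permit ip any any
!
! Zone for the isolated subnet: discard anything aimed at 10.0.x.x first,
! then NAT everything else out the public interface. Order matters: the
! discard must sit above the NAT entry or the NAT entry will match first.
ip policy-class Isolated
  discard list TO-PRIVATE-LAN
  nat source list MATCHALL interface eth 0/2 overload
!
! Existing Private zone: leave your current entries as they are. Because
! nothing here allows traffic toward the Isolated zone, the firewall's
! default behaviour (traffic not matching a policy is blocked) applies
! in the 10.0.x.x -> 192.168.168.x direction as well.
ip policy-class Private
  nat source list MATCHALL interface eth 0/2 overload
!
! --- Managed switch side (e.g. NetVanta 1335); assumed syntax ---
! Port toward the router carries both VLANs tagged.
interface switchport 0/24
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  no shutdown
!
! Port for the isolated workstation is an untagged member of VLAN 20.
interface switchport 0/1
  switchport mode access
  switchport access vlan 20
  no shutdown
!
! Ports for the 10.0.x.x workstations are untagged members of VLAN 10.
interface switchport 0/2
  switchport mode access
  switchport access vlan 10
  no shutdown
```

The reason the earlier filter did not work is visible in this layout: with both subnets as primary and secondary addresses on one interface, packets between them enter and leave the same interface and the same zone, so no cross-zone policy is ever evaluated. Once each subnet is on its own subinterface and zone, the discard entry is consulted. After applying, confirm the result from the isolated host with a ping to a 10.0.x.x address (should fail) and to an internet address (should succeed), and check the firewall session table on the router to see the discard being hit.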