Zywall USG 110 blocking Port

monneyla · April 2020

hi,

I connected a NAS (IP address 192.168.0.20) on the PORT7 of my Zywall USG 110 ans I would like to block access from anywhere between 2PM and 10PM. I have as rule in my firewall:

FROM: any

TO: LAN1

IPv4 SOURCE: any

IPv4 DESTINATION: 192.168.0.20

SERVICE: any

USER: any

SCHEDULE: from 2PM to 10PM

ACTION: deny

LOG: log

but it does not work. I can access 192.168.0.20 anytime, especially during the blocked frame time (2PM-10PM).

thanks for your help.

PeterUK · April 2020

Port 7 on the Zywall 110 is set for DMZ by default so you need to change your rule for TO: DMZ

monneyla · April 2020

hi,

thanks for your quick answer. but I changed the P7 from DMZ to LAN1 (subnet 192.168.0.xx). so it should work that way right ? or the P7 HAS TO BE in DMZ zone to make the firewall wok properly?

regards.

PeterUK · April 2020

hmm yes if you changed the port to LAN1 it should work

What firmware are you on?

If you have FROM any and TO any does that work?

Are you trying the block from LAN1 or from the internet? as from LAN1 might not be possible because ports P4 and P7 ack as a switch before the ZyWALL but if you put it in its own LAN2 subnet you can firewall it.

monneyla · April 2020

hi,

firmware version: 4.35(AAPH.3)
FROM any and TO any does that work? -> no, nothing is blocked
Are you trying the block from LAN1 or from the internet? -> tried both: nothing is blocked
if you put it in its own LAN2 subnet you can firewall it: OK ,but I won't have any access to my NAS (LAN2: 192.168.1.xx) from my PC (LAN1: 192.168.0.xx). And I need to have this access for the backup. The connection must be blocked within a shedule frame only.
It is anyway incredible that with 2 devices directly connected to the USG110 ports, on the same LAN, you cannot apply a firewall rule, especially since it it possible to create a LANx to LANx rule in the firewall without any warning indicating you that this rule is not functionning..

anyways, thank for your help.

monneyla · April 2020

...I even tried to put this firewall rule at the first position in the firewall:

FROM: LAN1

TO: LAN1

ipv4 SOURCE: ANY

IPv4 DESTINATION: ANY

SERVICE: ANY

USER: ANY

SCHEDULE: NONE

ACTION: DENY

-> nothing is blocked in the LAN1. I can access every devices in the LAN1 from my PC also in LAN1.... :-(

I am desapointed...

PeterUK · April 2020

no doubt you have a switch to the ZyWALL or ports P4 to P7 to LAN1 so traffic on the switch can connect to each other unless you do VLAN's on the Zywall with a VLAN switch.

If you have LAN1 as 192.168.0.0/24 and a port with LAN2 192.168.1.0./24 you can firewall from subnets.

monneyla · April 2020

ok. thanks a lot for your professional answer !?️

regards.

monneyla · April 2020

...well a last question: how do I do to make my PC on LAN1 as 192.168.0.0/24 can access the NAS on another subnet with LAN2 192.168.1.0./24 ? They cannot see each other ?

PeterUK · April 2020

Just another way you can do the block is to get a managed switch.

As to your question its done by the gateway when you have a NAS on 192.168.1.50 and a PC with 192.168.0.20 you just connect to the NAS by 192.168.1.50 which sends it to the LAN1 192.168.0.1 gateway which then sends it out LAN2 to the NAS at 192.168.1.50 the NAS with gateway 192.168.1.1 sends it to the LAN2 192.168.1.1 gateway and then sends it out LAN1 back to the PC on 192.168.0.20.

You just make a rule for FROM LAN1 TO LAN2 allow all with another rule above that being your block for the time.

monneyla · April 2020

ok. thanks a lot Peter. Take care.

Zywall USG 110 blocking Port

All Replies

Categories

Security Highlight

Security Help Center