My default deny firewall rule is blocking my LAN traffic? Firewall or router WAN and LAN zones not separated properly

This article explains a common issue our customers report on a regular basis. The cause is not a firewall misconfiguration or a bug, but rather a problem in the network topology.

1. Symptoms of the issue

2. The root cause for this symptom

3. How to prove that the topology is the reason for this

4. How to fix this issue

5. Checking the result

1. Symptoms of the issue

You might notice that LAN clients are not able to access the internet. Under Monitor > Log you might notice that the default deny firewall rule is blocking traffic from these devices.

[Screenshot: Monitor > Log entries showing the default deny rule blocking traffic from LAN clients]

2. The root cause for this symptom

We have noticed that in these cases the topology looked like the one below. The goal was probably to save hardware such as a second switch by using VLANs to split one switch into "two separate logical switches".

[Diagram: simplified topology with one physical switch shared between the WAN and LAN side of the firewall]

While the above topology is very much simplified, in a real-life scenario it might be hard to see this right away. But the basic idea is clear: the WAN and LAN zones are not separated properly!

3. How to prove that the topology is the reason for this

While checking the cabling and VLAN tagging on the switch might be time consuming, the easiest way to check this right away is to look at the ARP table of your firewall. You need to log in via SSH and use the command:

 show arp-table

[Screenshot: output of show arp-table with LAN addresses listed on the WAN interface]

In the above example, you can see that private IPs which belong to the LAN have been learned on the WAN port. This alone is proof that something is wrong with your cabling or with the VLAN tagging of your switch.

4. How to fix this issue

If you wanted to save hardware and use one and the same switch on both the LAN and the WAN side of your firewall, please make sure the VLAN tagging is correct. It is possible to make "two separate switches" out of one hardware switch by using VLANs.

Make sure there is only one PVID and one untagged VLAN per port, and exclude all other unneeded VLANs from each port! Further information about VLAN tagging on switches can be found here: VLANs on Zyxel Switches

5. Checking the result

You might have to clear the ARP table first: Clearing the ARP table of your firewall

Then run the command

 show arp-table

again to check that the LAN MACs and IPs are now only learned on the LAN interface and no longer on the WAN interface.
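The ARP table check from section 3 and the re-check in section 5 can be automated when you have many firewalls to verify. The following Python script is an added example and not part of this article or of Zyxel's firmware; it parses a constructed sample of `show arp-table` output (the column layout is assumed, adjust the regular expression to your unit) and flags private addresses learned on a WAN interface, plus any MAC address seen on more than one interface, which is a second symptom of the same bridged topology.

```python
import ipaddress
import re

# Constructed sample of `show arp-table` output. The column layout is an
# assumption for this example; adjust LINE_RE if your firewall prints differently.
SAMPLE_ARP_TABLE = """\
IP address      HW type  Flags  HW address         Mask  Device
203.0.113.1     0x1      0x2    00:11:22:33:44:01  *     wan1
192.168.1.20    0x1      0x2    00:11:22:33:44:20  *     wan1
192.168.1.20    0x1      0x2    00:11:22:33:44:20  *     lan1
192.168.1.30    0x1      0x2    00:11:22:33:44:30  *     lan1
10.0.0.5        0x1      0x2    00:11:22:33:44:05  *     wan1
"""

# Columns: ip, hw type, flags, mac, mask, interface
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+([0-9a-fA-F:]{17})\s+\S+\s+(\S+)\s*$")

# RFC 1918 ranges: addresses that belong on the LAN side only
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_arp_table(text):
    """Return (ip, mac, interface) tuples; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_leaked_lan_hosts(entries, wan_prefixes=("wan",)):
    """Private addresses learned on a WAN interface: WAN and LAN are bridged."""
    return [e for e in entries if e[2].startswith(wan_prefixes) and is_private(e[0])]


def find_macs_on_multiple_interfaces(entries):
    """Same MAC on more than one interface is another sign of a shared switch."""
    seen = {}
    for _ip, mac, iface in entries:
        seen.setdefault(mac, set()).add(iface)
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for ip, mac, iface in find_leaked_lan_hosts(table):
        print(f"WARNING: private {ip} ({mac}) learned on {iface}")
    for mac, ifaces in find_macs_on_multiple_interfaces(table).items():
        print(f"WARNING: {mac} seen on {', '.join(ifaces)}")
```

After fixing the VLAN tagging and clearing the ARP table, the same script should report nothing.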
