Spiceworks



Planned VLANs

VLAN10 - PVID 10 - Scope 10.1.10.0/24 - Network equipment
VLAN20 - PVID 20 - Scope 10.1.20.0/24 - Internal users
VLAN30 - PVID 30 - Scope 10.1.30.0/24 - Internal servers
VLAN40 - PVID 40 - Scope 10.1.40.0/24 - Guest WLAN
VLAN50 - PVID 50 - Scope 10.1.50.0/24 - DMZ
VLAN60 - PVID 60 - Scope 10.1.60.0/24 - VOIP

Network equipment includes switches, APs, firewall, and devices used to manage these. Where possible I would like to limit access to management except from this VLAN.
Internal users are my family, myself, and regular guests, both wireless and wired. Should have few restrictions.
Internal servers should host things that should only be available internally. Probably AD and DHCP for starters.
Guest WLAN. Self explanatory. Should not be able to access anything except WAN.
DMZ will host things that should be reachable from the outside. Probably NAS and DNS for starters.
VOIP won't be needed for a long time, as we still have an analog phone line.

USG40 configuration

Network -> Interface -> Port Role
The names of the Ethernet interfaces have been changed from lan1 to, for example, EthInt_lan1. You will see this pattern repeated, as I feel it's easier to get an overview when I can easily see where what was configured.
EthInt_lan1 (LAN1) -> Port2, Port3
EthInt_lan2 (LAN2) -> none
EthInt_dmz (DMZ) -> Port4
EthInt_opt (OPT) -> Port5

Network -> Interface -> Ethernet
EthInt_wan1 - IP 10.1.10.2 - Gateway 10.1.10.254 - DNS 8.8.8.8 / 8.8.4.4
EthInt_lan1 - IP 10.1.10.3
EthInt_lan2 - IP 10.1.10.4
EthInt_dmz - IP 10.1.10.5
EthInt_opt - IP 10.1.10.6

Network -> Interface -> VLAN
Each interface has its own IP and is connected to both a port and zone. All interface types are set to "general", gateways are left blank, and DHCP deactivated.
VLAN10 - VID 10 - Port EthInt_lan1 - IP 10.1.10.1 - ZONE_VLAN10
VLAN20 - VID 20 - Port EthInt_lan1 - IP 10.1.20.1 - ZONE_VLAN20
VLAN30 - VID 30 - Port EthInt_lan1 - IP 10.1.30.1 - ZONE_VLAN30
VLAN40 - VID 40 - Port EthInt_lan1 - IP 10.1.40.1 - ZONE_VLAN40
VLAN50 - VID 50 - Port EthInt_dmz - IP 10.1.50.1 - ZONE_VLAN50
VLAN60 - VID 60 - Port EthInt_lan1 - IP 10.1.60.1 - ZONE_VLAN60

Object -> Zone
Each VLAN has been set into a ZONE. See header "Network -> Interface -> VLAN".

Object -> Address
Addresses are used in Security Policy -> Policy Control. One address is made per VLAN. The addresses use the relevant VLAN subnet.

Security Policy - Policy Control
At the moment I have put in place a policy that allows any traffic to any destination. Still none of my devices connected to the switch (or directly to the USG40) gets a connection. I'm assuming that both traffic from and to WAN must be allowed for internet access. If only traffic to WAN was allowed, replies from WAN would be dropped? Will all traffic be blocked if all traffic to VLAN 10 (Network equipment) is blocked?
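The following is an added example, not code from the post or from Zyxel. It models the VLAN plan above in two ways a practitioner would want before touching the firewall: a consistency check that flags interfaces whose connected subnets overlap (using the interface addresses listed in the post; the /24 mask on the Ethernet interfaces is an assumption, since the post gives none), and a small model of a stateful zone-based firewall that shows how an intended zone-to-zone policy (the rules below are assumed from the stated goals, not the poster's actual configuration) and a session table decide traffic, including why reply packets of an allowed outbound session pass without a separate inbound rule.

```python
"""Consistency check and zone-policy model for the VLAN plan above.
Added example; the rule set and the /24 masks on the Ethernet
interfaces are assumptions, not the poster's configuration."""
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations

# Interface addresses as listed in the post (mask on the EthInt_* entries assumed).
INTERFACES = {
    "EthInt_wan1": "10.1.10.2/24",
    "EthInt_lan1": "10.1.10.3/24",
    "EthInt_lan2": "10.1.10.4/24",
    "EthInt_dmz": "10.1.10.5/24",
    "EthInt_opt": "10.1.10.6/24",
    "VLAN10": "10.1.10.1/24",
    "VLAN20": "10.1.20.1/24",
    "VLAN30": "10.1.30.1/24",
    "VLAN40": "10.1.40.1/24",
    "VLAN50": "10.1.50.1/24",
    "VLAN60": "10.1.60.1/24",
}


def overlapping_interfaces(interfaces=INTERFACES):
    """Return pairs of interfaces whose connected subnets overlap.
    Two L3 interfaces in the same subnet give the router an ambiguous
    connected route, so this is the first thing to rule out."""
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


# Zones as planned, keyed by the ZONE names used in the post.
ZONES = {
    "ZONE_VLAN10": ip_network("10.1.10.0/24"),  # network equipment / management
    "ZONE_VLAN20": ip_network("10.1.20.0/24"),  # internal users
    "ZONE_VLAN30": ip_network("10.1.30.0/24"),  # internal servers
    "ZONE_VLAN40": ip_network("10.1.40.0/24"),  # guest WLAN
    "ZONE_VLAN50": ip_network("10.1.50.0/24"),  # DMZ
    "ZONE_VLAN60": ip_network("10.1.60.0/24"),  # VoIP
}


def zone_of(ip):
    """Map an address to its zone; anything outside the local subnets is WAN (assumption)."""
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "WAN"


ANY = "any"
# Assumed intended policy derived from the stated goals: first match wins, default deny.
POLICY = [
    ({"ZONE_VLAN40"}, {"WAN"}, "allow"),                          # guest: WAN only
    ({"ZONE_VLAN40"}, ANY, "deny"),
    ({"ZONE_VLAN10"}, ANY, "allow"),                              # management VLAN reaches all
    (ANY, {"ZONE_VLAN10"}, "deny"),                               # nothing else reaches management
    ({"ZONE_VLAN20"}, ANY, "allow"),                              # users: few restrictions
    ({"ZONE_VLAN30"}, {"ZONE_VLAN20", "ZONE_VLAN50", "WAN"}, "allow"),
    ({"ZONE_VLAN50"}, {"WAN"}, "allow"),                          # DMZ hosts may go out
    ({"WAN"}, {"ZONE_VLAN50"}, "allow"),                          # published DMZ services
]


def policy_action(src_zone, dst_zone, policy=POLICY):
    """Evaluate the zone-to-zone rules in order; unmatched traffic is denied."""
    for from_zones, to_zones, action in policy:
        if (from_zones == ANY or src_zone in from_zones) and (
            to_zones == ANY or dst_zone in to_zones
        ):
            return action
    return "deny"


class StatefulFirewall:
    """Zone policy plus a session table. A packet that is the reply of a
    session the policy already allowed passes by state, which is why a
    stateful firewall needs only a LAN-to-WAN allow rule for internet access."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.sessions = set()  # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def decide(self, src_ip, src_port, dst_ip, dst_port):
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "allow"  # reply to an established session
        action = policy_action(zone_of(src_ip), zone_of(dst_ip), self.policy)
        if action == "allow":
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
        return action


if __name__ == "__main__":
    for pair in overlapping_interfaces():
        print("overlapping subnets:", *pair)
    fw = StatefulFirewall()
    print(fw.decide("10.1.20.10", 51000, "8.8.8.8", 53))    # allow by policy
    print(fw.decide("8.8.8.8", 53, "10.1.20.10", 51000))    # allow by state (reply)
    print(fw.decide("8.8.8.8", 53, "10.1.20.11", 51000))    # deny, no session
    print(fw.decide("10.1.40.7", 40000, "10.1.30.5", 445))  # deny, guest to servers
```

Run as-is, the overlap check reports every pair among the six interfaces that share 10.1.10.0/24 in the post's addressing; the firewall model then shows a user's DNS query and its reply both passing while an unsolicited packet from the same WAN host and a guest-to-server attempt are both denied.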