topic Re: Intervlan in Spark Firewall (SMB)

Intervlan

Gaetano_Nicosia — Tue, 28 Jan 2020 14:28:08 GMT

Hi to all,

On my cp730 firewall I created some vlan, for example 201, 202,203 etc.

I need to configure vlan 202 so that it only sees itself and cannot see the others vLan.

Can you suggest me a way?

Thank You and Best Regards

Gaetano

Re: Intervlan

Maarten_Sjouw — Tue, 28 Jan 2020 14:47:35 GMT

just setup a block rule for the network connected on VLAN 202 to drop/reject all traffic to the other networks configured on VLAN 201 and 203

Re: Intervlan

G_W_Albrecht — Tue, 28 Jan 2020 14:50:55 GMT

How could that be ? VLAN is used to separate Ethernet packets coming from the same IP/IF by tagging. Switches see the VLAN tags, but a VLAN can really see nothing...

Re: Intervlan

Gaetano_Nicosia — Wed, 29 Jan 2020 14:11:18 GMT

Hi to All and thank You for feedback.

I will try to explain the problem better.

I configured LAN3 on the Firewall as network, assigning it IP 192.168.201.254 and enabling the DHCP;
On LAN3 I created two VLANs, the first 202 (192.168.202.254 and DHCP enabled) and the second 203 (192.168.203.254 and DHCP enabled).
A POE switch is connected to this LAN and correctly takes an IP from the firewall; for example 192.168.201.1. Obviously on the switch was Tagged the port that connects to the Firewall.
I connected two Access Points to ports 1 and 2 (tagged) of the switch; the two access points also take an IP from the firewall, for example 192.168.201.2 and 192.168.201.3.
On each Access Point, I configured two SSIDs. I assigned the VLAN 202 to the first (WiFi-Mag) and the VLAN 203 to the second (WiFi-Guest).
I connect successfully from a notebook or a mobile to each Wifi network. The IP assigned to the mobile device are respectively 192.168.202.xxx or 192.168.203.xxx
The same vlan are configured on the switch.

And this is where the problematic part comes.

It's all right for the lan 202, but I need that the WiFi-guest 203 have only access to Internet and no browsing on the corporate network formed by 202 and other VLAN's configured on ports 1 and 2 of the firewall.

I hope I have been clearer and that someone can give me some indications.

Thank You and Best Regards

Gaetano

Re: Intervlan

G_W_Albrecht — Wed, 29 Jan 2020 14:27:49 GMT

I do not understand the question - if 192.168.203.xxx is not allowed to connect to the internal networks, why not make a rule to drop that traffic ? This is a firewall, after all 8)...

Re: Intervlan

Gaetano_Nicosia — Wed, 29 Jan 2020 15:19:08 GMT

Hi Albrecht,

This is exactly the point.

I am unfamiliar with this firewall (I approach for a short time to Check Point) and I ask for help to understand where and how to create this rule.

Otherwise where I can find a tutorial that will help me.

Gaetano

Re: Intervlan

Maarten_Sjouw — Wed, 29 Jan 2020 18:07:17 GMT

Have a look at the howto video's
https://community.checkpoint.com/t5/How-To-Videos/bd-p/howto
Just make one thing very clear, a firewall will only allow traffic that you tell it to allow.

Re: Intervlan

Gaetano_Nicosia — Thu, 30 Jan 2020 06:57:25 GMT

Thanks for the feedback, I will see the videos that will surely help me.

As this is a community, I provide the solution sent to me by Check Points technical assistance.

Could help other friends.

From Policy rule, "Incoming, internal and VPN" section create a rule with

Source: the vLAN that has only access to Internet
Destination: LAN network
Action: Block

That's all, very very simple.😀

Re: Intervlan

G_W_Albrecht — Thu, 30 Jan 2020 08:44:18 GMT

Why not just read the documentation that explains this and much, much more ? CP_R77.20.80_1100_1200R_1400_Appliance_LocalAdminGuide