Netgear SRX5308: DMZ rule affects LAN rule

I’m seeing some strange behavior on a Netgear SRX5308. I have Port 3 set as the “Default” LAN port (carrying multiple VLANs) and Port 4 configured as a dedicated DMZ port.

The Problem: When I deactivate the DMZ-WAN “Allow Always” rule, my VLANs on Port 3 lose internet access. This is confusing because the Port 3 traffic should be governed by the LAN-WAN rules, not the DMZ rules.

Firewall:
LAN-WAN: Default Outbound Policy: Allow Always.

DMZ-WAN: manually added Allow Always to Any. The confusing thing is deactivating the last rule causes internet access to the VLANs on Port 3, which should not be affected by the LAN-WAN rule. Even setting it manually doesn’t change it.

Even though the “Default Outbound Policy” is set to Allow Always, the VLANs only seem to get out when the DMZ-WAN rule is active.

Any idea why that happens?

SRX5308> show net lan ipv4 setup

LAN Setup (IPv4)
________________
VLAN Profiles
_____________
Status  Profile Name  VLAN Id IPv4 Address    Subnet Mask     DHCP Status Server Address
_______ _____________ _______ _______________ _______________ ___________ ____________________________
Enabled Default       1       172.16.1.1      255.255.255.0   Disabled    Not Applicable
Enabled P2P-ER-CFW-L1 801     10.255.0.1      255.255.255.252 DHCP Server 10.255.0.2 - 10.255.0.2
Enabled P2P-ER-CFW-L2 802     10.255.0.5      255.255.255.252 DHCP Server 10.255.0.6 - 10.255.0.6
Enabled homelan       201     192.168.201.253 255.255.255.0   Disabled    Not Applicable
Enabled management    10      172.16.10.1     255.255.255.0   DHCP Server 172.16.10.2 - 172.16.10.50
Enabled telcom        18      172.16.18.1     255.255.255.240 DHCP Server 172.16.18.2 - 172.16.18.14
Enabled security-1    15      192.168.15.1    255.255.255.224 DHCP Server 192.168.15.2 - 192.168.15.30
Default VLAN
____________
Port1: P2P-ER-CFW-L1
Port2: P2P-ER-CFW-L2
Port3: Default
Port4: DMZ

SRX5308> show security firewall ipv4 setup dmz_wan

Default Outbound Policy for IPv4 : Allow Always
DMZ WAN Outbound Rules.
_______________________
ROWID: 15
Status: Enabled
Service Name: ANY
Filter: ALLOW Always
DMZ User: Any
WAN User: Any
QoS Profile: None
Log: Never
DMZ WAN Inbound Rules.
______________________
ROWID Status   Service Name     Filter       DMZ Server IP Address / NAT IP DMZ User WAN User Destination QoS Profile Log
_____ ________ ________________ ____________ ______________________________ ________ ________ ___________ ___________ _____
18    Disabled IPSEC-UDP-ENCAP  ALLOW Always 10.0.100.3Any      WAN3        None        Never
19    Enabled  SSH:TCP_ALT-1    ALLOW Always 10.0.100.3Any      WAN3        None        Never
20    Enabled  SSH:TCP_ALT-2    ALLOW Always 10.0.100.4Any      WAN3        None        Never
21    Disabled IPSec-IKE        ALLOW Always 10.0.100.3Any      WAN3        None        Never
22    Disabled IPSec-NATT       ALLOW Always 10.0.100.3Any      WAN3        None        Never
23    Enabled  OpenVPN_1        ALLOW Always 10.0.100.3Any      WAN3        None        Never
24    Disabled OpenVPN_2        ALLOW Always 10.0.100.4Any      WAN3        None        Never

SRX5308> show security firewall ipv4 setup lan_dmz

Default Outbound Policy for IPv4 : Allow Always
LAN DMZ Outbound Rules.
_______________________
LAN DMZ Inbound Rules.
______________________
SRX5308> show security firewall ipv4 setup lan_wan
Default Outbound Policy for IPv4 : Allow Always
LAN WAN Outbound Rules.
_______________________
ROWID: 30
Status: Enabled
Service Name: ANY
Filter: ALLOW Always
LAN User: Any
WAN User: Any
QoS Profile: None
Bandwidth Profile: NONE
Log: Never
LAN WAN Inbound Rules.
______________________

I tested it with a specific range (192.168.0.0 – 192.168.255.255) but it makes no difference.

SRX5308> show security firewall ipv4 setup lan_wan

Default Outbound Policy for IPv4 : Allow Always
LAN WAN Outbound Rules.
_______________________
ROWID: 30
Status: Enabled
Service Name: ANY
Filter: ALLOW Always
LAN User: 192.168.0.0 - 192.168.255.255
WAN User: Any
QoS Profile: None
Bandwidth Profile: NONE
Log: Never
LAN WAN Inbound Rules.
______________________
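Added example (not from the post or from Netgear): a small evaluator that replays the zone-pair rule model the dumps above describe, so the expected verdict for each VLAN can be compared against the observed behaviour. It transcribes the VLAN profiles and the two outbound rule blocks from the post, maps a source IP to a VLAN and zone, walks that zone pair's enabled outbound rules and falls back to the default outbound policy. Assumptions not in the post: the evaluation order (VLAN lookup, then zone pair, then first matching enabled rule, then default policy), that every VLAN profile subnet belongs to the LAN zone, and the DMZ subnet `10.0.100.0/24`, which is a placeholder chosen only because the inbound rules list DMZ servers at 10.0.100.3 and 10.0.100.4. The function and variable names are the example's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Transcribed from the post's `show net lan ipv4 setup` output (VLAN Profiles rows).
VLAN_SETUP = """\
Enabled Default       1       172.16.1.1      255.255.255.0   Disabled    Not Applicable
Enabled P2P-ER-CFW-L1 801     10.255.0.1      255.255.255.252 DHCP Server 10.255.0.2 - 10.255.0.2
Enabled P2P-ER-CFW-L2 802     10.255.0.5      255.255.255.252 DHCP Server 10.255.0.6 - 10.255.0.6
Enabled homelan       201     192.168.201.253 255.255.255.0   Disabled    Not Applicable
Enabled management    10      172.16.10.1     255.255.255.0   DHCP Server 172.16.10.2 - 172.16.10.50
Enabled telcom        18      172.16.18.1     255.255.255.240 DHCP Server 172.16.18.2 - 172.16.18.14
Enabled security-1    15      192.168.15.1    255.255.255.224 DHCP Server 192.168.15.2 - 192.168.15.30
"""

# Transcribed outbound rule blocks from `show security firewall ipv4 setup dmz_wan` / `lan_wan`.
RULE_DUMPS = {
    "DMZ-WAN": "ROWID: 15\nStatus: Enabled\nService Name: ANY\nFilter: ALLOW Always\nDMZ User: Any\nWAN User: Any\n",
    "LAN-WAN": "ROWID: 30\nStatus: Enabled\nService Name: ANY\nFilter: ALLOW Always\nLAN User: Any\nWAN User: Any\n",
}
# The second LAN-WAN variant from the post (LAN User restricted to a range).
LAN_WAN_RANGED = "ROWID: 30\nStatus: Enabled\nService Name: ANY\nFilter: ALLOW Always\nLAN User: 192.168.0.0 - 192.168.255.255\nWAN User: Any\n"

# ASSUMPTION: the post never shows the DMZ interface subnet; this placeholder merely
# contains the DMZ server IPs (10.0.100.3 / 10.0.100.4) from the inbound rules.
DMZ_SUBNET = ipaddress.ip_network("10.0.100.0/24")
DEFAULT_OUTBOUND = "ALLOW"  # "Default Outbound Policy for IPv4 : Allow Always" in every dump

Verdict = Tuple[str, Optional[int]]  # (action, matching ROWID or None for default policy)


def parse_vlans(dump: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map enabled VLAN profile name -> subnet from the 'VLAN Profiles' rows."""
    vlans = {}
    for line in dump.splitlines():
        m = re.match(r"(Enabled|Disabled)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)", line)
        if m and m.group(1) == "Enabled":
            vlans[m.group(2)] = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
    return vlans


def parse_rules(dump: str) -> List[dict]:
    """Parse the 'ROWID: / Status: / Service Name: / Filter: / <zone> User:' block format."""
    rules, cur = [], {}
    for line in dump.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "ROWID":
            if cur:
                rules.append(cur)
            cur = {"rowid": int(val)}
        elif key == "Status":
            cur["enabled"] = (val == "Enabled")
        elif key == "Service Name":
            cur["service"] = val
        elif key == "Filter":
            cur["action"] = val.split()[0].upper()  # "ALLOW Always" -> "ALLOW"
        elif key in ("LAN User", "DMZ User"):
            cur["source"] = val  # "Any" or "a.b.c.d - w.x.y.z"
    if cur:
        rules.append(cur)
    return rules


def load_rules() -> Dict[str, List[dict]]:
    return {pair: parse_rules(dump) for pair, dump in RULE_DUMPS.items()}


def source_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec.lower() == "any":
        return True
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return lo <= ip <= hi


def zone_of(ip: ipaddress.IPv4Address, vlans: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """ASSUMPTION: DMZ placeholder subnet -> DMZ; any VLAN profile subnet -> LAN."""
    if ip in DMZ_SUBNET:
        return "DMZ"
    if any(ip in net for net in vlans.values()):
        return "LAN"
    return None


def evaluate(ip_str: str, rules_by_pair: Dict[str, List[dict]], vlans) -> Verdict:
    """First enabled, source-matching ANY-service rule of the zone pair wins, else default policy."""
    ip = ipaddress.ip_address(ip_str)
    zone = zone_of(ip, vlans)
    if zone is None:
        return ("UNROUTED", None)
    for rule in rules_by_pair.get(f"{zone}-WAN", []):
        if rule["enabled"] and rule["service"] == "ANY" and source_matches(rule["source"], ip):
            return (rule["action"], rule["rowid"])
    return (DEFAULT_OUTBOUND, None)


def toggle_rule(rules_by_pair, pair: str, rowid: int, enabled: bool):
    """Return a copy with one rule's Status flipped, mirroring 'deactivate' in the GUI."""
    out = {p: [dict(r) for r in rs] for p, rs in rules_by_pair.items()}
    for r in out.get(pair, []):
        if r["rowid"] == rowid:
            r["enabled"] = enabled
    return out


def lan_verdicts(rules_by_pair, vlans) -> Dict[str, Verdict]:
    """Expected verdict for the first host of every VLAN profile."""
    return {name: evaluate(str(next(net.hosts())), rules_by_pair, vlans) for name, net in vlans.items()}


def changed_lan_verdicts() -> Dict[str, Tuple[Verdict, Verdict]]:
    """VLANs whose expected verdict differs with DMZ-WAN rule 15 enabled vs disabled (model says: none)."""
    vlans, on = parse_vlans(VLAN_SETUP), load_rules()
    off = toggle_rule(on, "DMZ-WAN", 15, False)
    before, after = lan_verdicts(on, vlans), lan_verdicts(off, vlans)
    return {n: (before[n], after[n]) for n in before if before[n] != after[n]}


if __name__ == "__main__":
    vlans, rules = parse_vlans(VLAN_SETUP), load_rules()
    for name, verdict in lan_verdicts(rules, vlans).items():
        print(f"{name:14} {vlans[name]!s:20} -> {verdict}")
    print("DMZ host 10.0.100.3 with rule 15 off:", evaluate("10.0.100.3", toggle_rule(rules, "DMZ-WAN", 15, False), vlans))
    print("LAN VLANs affected by disabling rule 15:", changed_lan_verdicts() or "none")
```

Under this model every VLAN on Port 3 is allowed by LAN-WAN ROWID 30 whether or not DMZ-WAN ROWID 15 is enabled, and with the ranged LAN User variant the 172.16.x VLANs simply fall through to the default Allow Always policy. That is the baseline the observed behaviour contradicts, which narrows the question to what the box actually matches: the Log field on rules 30 and 15 (Never in both dumps) is the natural place to confirm which rule, if any, the Port 3 traffic is hitting.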