EdgeRouter - Zone-Based Firewall


Overview


Readers will learn how to configure a Zone-Based Firewall (ZBF) on an EdgeRouter.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Configuring the Zone-Based Firewall


[Image: topology.png]

The Zone-Based Firewall will be used to limit the traffic between the 10.0.10.0/24 and 10.0.20.0/24 networks.


A Zone-Based Firewall assigns each interface to a specific zone. The firewall zones will be used to define what traffic is allowed to flow between the interfaces. The traffic that originates in the EdgeRouter itself will also be assigned to a zone: the local zone.

The following zones are used in this example:

  • WAN: Assigned to the eth0 interface.
  • LAN: Assigned to VLAN10 on the eth1 interface (eth1.10).
  • GUEST: Assigned to VLAN20 on the eth1 interface (eth1.20).
  • LOCAL: Traffic sent from the EdgeRouter itself.

The following traffic is allowed between the zones:

  • WAN to other zones: Only Established/Related traffic is allowed.
  • LAN to other zones: All traffic is allowed.
  • LOCAL to other zones: All traffic is allowed.
  • GUEST to WAN zone: All traffic is allowed.
  • GUEST to LAN zone: Only HTTP and HTTPS requests to the web server at 10.0.10.10, plus Established/Related traffic, are allowed.
  • GUEST to LOCAL zone: All traffic is dropped.

NOTE: There is more information about EdgeRouter firewall states in the How to Create a WAN Firewall Rule article.

Follow the steps below to add the Zone-Based Firewall configuration to the EdgeRouter:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Define the firewall rules that apply to the WAN zone.

set firewall name wan default-action drop

set firewall name wan rule 10 action accept
set firewall name wan rule 10 description established
set firewall name wan rule 10 state established enable
set firewall name wan rule 10 state related enable

set firewall name wan rule 20 action drop
set firewall name wan rule 20 description invalid
set firewall name wan rule 20 state invalid enable

3. Define the firewall rule that applies to the LAN zone.

set firewall name lan default-action accept

4. Define the firewall rule that applies to the LOCAL zone.

set firewall name local default-action accept

5. Define the firewall rules that apply to the GUEST zone for traffic destined for the LAN zone.

set firewall name guest-lan default-action drop

set firewall name guest-lan rule 10 action accept
set firewall name guest-lan rule 10 description webserver
set firewall name guest-lan rule 10 log disable
set firewall name guest-lan rule 10 protocol tcp
set firewall name guest-lan rule 10 destination port 80,443
set firewall name guest-lan rule 10 destination address 10.0.10.10

set firewall name guest-lan rule 20 action accept
set firewall name guest-lan rule 20 description established
set firewall name guest-lan rule 20 log disable
set firewall name guest-lan rule 20 protocol all
set firewall name guest-lan rule 20 state established enable
set firewall name guest-lan rule 20 state related enable

6. Define the firewall rule that applies to the GUEST zone for traffic destined for the LOCAL zone.

set firewall name guest-local default-action drop

7. Define the firewall rule that applies to the GUEST zone for traffic destined for the WAN zone.

set firewall name guest-wan default-action accept

8. Create the zone policies for the WAN zone and assign the zone to the eth0 interface.

set zone-policy zone wan default-action drop
set zone-policy zone wan from local firewall name local
set zone-policy zone wan from lan firewall name lan
set zone-policy zone wan from guest firewall name guest-wan
set zone-policy zone wan interface eth0

NOTE: The WAN (for example PPPoE) and LAN interfaces may differ in your setup.

9. Create the zone policies for the LAN zone and assign the zone to the eth1.10 interface.

set zone-policy zone lan default-action drop
set zone-policy zone lan from local firewall name local
set zone-policy zone lan from wan firewall name wan
set zone-policy zone lan from guest firewall name guest-lan
set zone-policy zone lan interface eth1.10

10. Create the zone policies for the GUEST zone and assign the zone to the eth1.20 interface.

set zone-policy zone guest default-action drop
set zone-policy zone guest from local firewall name local
set zone-policy zone guest from wan firewall name wan
set zone-policy zone guest from lan firewall name lan
set zone-policy zone guest interface eth1.20

11. Create the zone policies for the LOCAL zone.

set zone-policy zone local default-action drop
set zone-policy zone local from wan firewall name wan
set zone-policy zone local from lan firewall name lan
set zone-policy zone local from guest firewall name guest-local
set zone-policy zone local local-zone

12. Commit the changes and save the configuration.

commit ; save
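As an added example, not part of the Ubiquiti article or EdgeOS itself, the following Python script models how the zone policies and rule sets from steps 2-11 are evaluated, so the intended zone matrix can be checked against sample flows before committing on a router. The RULESETS/ZONE_POLICY tables and the flow fields (state, proto, dport, dst) are an assumed simplification of the EdgeOS configuration.

```python
# Added example, not from the Ubiquiti article: a simplified model of how
# EdgeOS applies the zone policies and rule sets from steps 2-11. The flow
# fields (state, proto, dport, dst) are an assumed simplification.
# Rule sets from steps 2-7: default action plus ordered rules. A rule
# matches only when every criterion it lists matches the flow.
RULESETS = {
    "wan": ("drop", [{"action": "accept", "state": {"established", "related"}},
                     {"action": "drop", "state": {"invalid"}}]),
    "lan": ("accept", []),
    "local": ("accept", []),
    "guest-lan": ("drop", [{"action": "accept", "proto": "tcp",
                            "dport": {80, 443}, "dst": "10.0.10.10"},
                           {"action": "accept", "state": {"established", "related"}}]),
    "guest-local": ("drop", []),
    "guest-wan": ("accept", []),
}

# Zone policies from steps 8-11: destination zone -> {source zone: rule set}.
ZONE_POLICY = {
    "wan": {"local": "local", "lan": "lan", "guest": "guest-wan"},
    "lan": {"local": "local", "wan": "wan", "guest": "guest-lan"},
    "guest": {"local": "local", "wan": "wan", "lan": "lan"},
    "local": {"wan": "wan", "lan": "lan", "guest": "guest-local"},
}

def rule_matches(rule, flow):
    """True when every criterion the rule lists matches the flow."""
    if "state" in rule and flow["state"] not in rule["state"]:
        return False
    if "proto" in rule and flow["proto"] != rule["proto"]:
        return False
    if "dport" in rule and flow["dport"] not in rule["dport"]:
        return False
    return "dst" not in rule or flow["dst"] == rule["dst"]

def evaluate(src_zone, dst_zone, flow):
    """Return 'accept' or 'drop' for a flow entering dst_zone from src_zone."""
    name = ZONE_POLICY[dst_zone].get(src_zone)
    if name is None:  # no 'from' statement: the zone default-action drop applies
        return "drop"
    default, rules = RULESETS[name]
    for rule in rules:  # first matching rule wins, as on EdgeOS
        if rule_matches(rule, flow):
            return rule["action"]
    return default

def missing_policies():
    """Zone pairs with no 'from' statement; traffic there silently hits the zone default drop."""
    zones = list(ZONE_POLICY)
    return sorted((s, d) for d in zones for s in zones if s != d and s not in ZONE_POLICY[d])
```

Running evaluate() over a few constructed flows (a new guest connection to 10.0.10.10:443, a guest SSH attempt to the LAN, a new inbound WAN connection) reproduces the zone matrix listed above, and missing_policies() returns an empty list for this configuration because every zone pair has a from statement.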

Related Articles


EdgeRouter - How to Create a WAN Firewall Rule

EdgeRouter - Router on a Stick

EdgeRouter - VLAN-Aware Switch

Intro to Networking - How to Establish a Connection Using SSH
