How to structure firewall zone, and when to create a new one?

Ahoy friends.
RIght now i want to rebuild my whole network structure. It was always growing and growing during the years, and same for my OpenWrt config, which is basically being carried over all the stable releases since 18.07.

Currently i have around 150 clients in my network, VMs for internet services like game servers etc., storage servers, iSCSI servers, VPN servers, guest clients, trusted clients, CCTV traffic.
Furthermore i got 2 OpenVPN instances running on my OpenWrt device, for Hub and Spoke site interconnect to my second house in another location, and also the 2nd instance for general purpose VPN access from outside.
In addition to that i a management subnet and vlan.
I have almost 20 vlans in use in total.

But unfortunately, i only have 2 firewall zones up to now, lan and wan.
So thats my question, when is it useful to create multiple firewall zones, and what are the great benefits? How would you guys segment the network in zones, or does it even matter for "internal" traffic in your opinion? I am open for any kind of advice, in order to improve my "new" shiny network!!

Thanks in advance.

It all depends on your objectives.

Fundamentally, different firewall zones allow you to apply different sets of global rules to your networks. Other firewall rules can always be created to provide more granular control, of course.

One example: masquerading is applied on a zone basis, so any networks that require masquerading would be in their own zone or in a zone that has only networks that need masquerading.

Another example: if you have multiple networks that should all be forwarded to each other without (global) restrictions, you can put them together in a zone that accepts forwarding -- this will allow all networks in the zone to connect to each other. OTOH, you could group networks that should not be able to forward to each other in a zone and make the forward rule drop or reject.

Yet another one would be input (to the router itself) -- typically only trusted/management networks should have accept for input. So you want untrusted (or non-management) networks to be in a zone that drops input, but you'll probably also want rules to allow dhcp and dns to the router itself from those zones.

More granular firewall rules can be created with zones, of course, or individual subnets or even individual hosts.

Grouping in a zone basically allows a global set of rules to be applied easily. So it all depends on what you are trying to achieve.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.