To begin, I don't really know if this is the correct place for this question, but as Server Fault is defined as "for system and network administrators", I'll give it a shot.

I have a firewall (Zywall 110), and I want to deny access to a specific resource (in the LAN) if the local IP comes from a specific range (in the same LAN).

So I went to Configuration > Security Policy > Policy Control and added a new rule:

FROM : LAN
TO : LAN
SOURCE : IP_RANGE(192.168.1.50 - 192.168.1.100)
DESTINATION : IP ADDRESS (192.168.1.3)
SERVICE : ANY
USER : ANY
SCHEDULE : NONE
ACTION : DENY
LOG : LOG

Then I tried to access 192.168.1.3 from a machine in the range, and it is still possible. I also tried replacing LAN with ANY; same problem. And the log entry is not even created.

The only thing that works is blocking all access from this specific range, i.e. when I put ANY everywhere except for the source. The machine then doesn't have access to the WAN but still has access to everything in the LAN...

I noticed that this license is not activated.

Either this firewall only works to block WAN access, or it is a non-activated-license problem.

Can someone confirm this? Or am I just missing something?

Atnaize

1 Answer

In most networks, inner-LAN traffic is not routed through the router/firewall; clients communicate with each other directly. So if you want to deny access to 192.168.1.3, you should do so at 192.168.1.3 or make sure the traffic is routed through the firewall (if switches etc. are involved) before the firewall rules can apply.

UTM stands for "Unified Threat Management", which involves phishing protection, centralization of configuration, etc., and is an extra feature you don't need for your task. What you want to do is a simple IP-based rule; it has nothing to do with the license.

In short: Your traffic doesn't get filtered because it never goes through the firewall.

Broco
  • That makes sense. And yes, switches are indeed involved. I didn't think about that. Thanks! – Atnaize Mar 15 '18 at 12:20
  • My pleasure. You should consider using VLANs, which are easier to maintain centrally. If you don't want free network traffic between e.g. your company's divisions, you should assign a different network to each one, which you can then manage from your router and firewall. – Broco Mar 15 '18 at 12:59
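
The reasoning in the answer and the VLAN suggestion in the comments can be checked with a small script. This is an added example, not code from the question, the answer or Zyxel: it decides, for a sender with a given subnet mask, whether a packet to a destination is switched directly (never reaching the firewall) or handed to the default gateway (assumed here to be the Zywall), and then applies that to the question's source range against 192.168.1.3. The /24 mask and the 192.168.2.0/24 "VLAN" subnet are constructed assumptions; the question only shows the addresses.

```python
import ipaddress

def next_hop(src_ip: str, prefixlen: int, dst_ip: str) -> str:
    """Where does a host send a packet for dst_ip?
    'direct'  : dst is on the sender's own subnet, so the host resolves it with
                ARP and the switch forwards the frame; the firewall never sees it.
    'gateway' : dst is off-subnet, so the packet goes to the default gateway,
                which on the network in the question is assumed to be the Zywall."""
    sender = ipaddress.ip_interface(f"{src_ip}/{prefixlen}")
    return "direct" if ipaddress.ip_address(dst_ip) in sender.network else "gateway"

def filterable_hosts(range_start: str, range_end: str, prefixlen: int, dst_ip: str) -> list:
    """Of the source addresses in [range_start, range_end], return those whose
    traffic to dst_ip actually passes the firewall, i.e. the only ones a policy
    rule like the question's LAN->LAN DENY could ever match or log."""
    first = ipaddress.ip_address(range_start)
    last = ipaddress.ip_address(range_end)
    hosts = []
    # summarize_address_range turns an arbitrary range into CIDR blocks;
    # iterating each block yields every address in the original range.
    for block in ipaddress.summarize_address_range(first, last):
        for addr in block:
            if next_hop(str(addr), prefixlen, dst_ip) == "gateway":
                hosts.append(str(addr))
    return hosts

# Constructed scenario 1: the question's flat LAN (mask assumed to be /24).
SERVER = "192.168.1.3"
FLAT_RANGE = ("192.168.1.50", "192.168.1.100")

def flat_lan() -> list:
    # Every host in the range shares the server's subnet, so nothing is filterable.
    return filterable_hosts(*FLAT_RANGE, 24, SERVER)

# Constructed scenario 2: the restricted hosts moved to their own subnet/VLAN
# (192.168.2.0/24 is an assumed example). Each packet to the server must now
# cross the gateway, so a rule between the two networks can apply.
VLAN_RANGE = ("192.168.2.50", "192.168.2.100")

def segmented_lan() -> list:
    return filterable_hosts(*VLAN_RANGE, 24, SERVER)

if __name__ == "__main__":
    print("flat LAN, hosts the firewall could filter:     ", len(flat_lan()))
    print("segmented LAN, hosts the firewall could filter:", len(segmented_lan()))
```

Running it prints 0 for the flat LAN and 51 for the segmented one, which is the answer's point in numbers: the DENY rule and its LOG action never fire because no packet in the flat case passes the firewall. The segmented result only holds if the Zywall is the router between the two networks; if an L3 switch does the inter-VLAN routing instead, the traffic still bypasses the firewall and the filtering has to happen on that switch or on 192.168.1.3 itself.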