In NetMan we support two firewall zone choices (Trusted Network or Guest Network) when setting up a VLAN on a router. Counting the Untrust zone, there are three zones we configure on a router.

Untrust Zone

The Untrust zone is hard-coded to the WAN/Outside interface on a router. This is usually the interface on a router that faces the Internet, but it may also be the interface that faces an MPLS WAN for customers with a private WAN deployment.

All traffic coming from the Untrust zone is blocked by default except for remote management of the router.

Exceptions can be opened up in NetMan to permit traffic from the Untrust zone to the Trust zone.

Exceptions cannot be opened from the Untrust zone to the Guest zone.

Trust Zone

The Trusted Network option is the default for any LAN/Inside interface on a router. It has stateful inspection of outgoing traffic, which means that the router will dynamically allow return traffic from the Untrust zone as long as the session was initiated from the Trust zone.

You can permit traffic from the Untrust zone to the Trust zone and vice versa to facilitate remote access to servers and other services.

You can also add explicit deny rules if you want to stop a particular device from initiating outbound sessions (so stateful inspection never opens return traffic for it), for example a sensitive server that should never talk to anything on the Internet except specific hosts or ports.

Guest Network

The Guest Network option is for providing guest users access to a segregated network that only has access to the Internet. It has stateful inspection of outgoing traffic, which means that the router will dynamically allow return traffic from the Untrust zone as long as the session was initiated from the Guest zone.

Traffic between the Guest and Trust zones is blocked.
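The three zones above form a small policy matrix: default deny from Untrust (except router management and explicit exceptions into Trust), stateful return traffic for sessions opened from Trust or Guest, explicit denies that stop a Trust host from opening sessions at all, and no traffic between Guest and Trust. The following evaluator is an added example written for this article, not NetMan's own code or the router's actual rule syntax; the zone names, the Flow and Firewall classes, the session table, the assumed management port and all addresses are constructed for illustration.

```python
"""Toy evaluator for the three-zone policy described in this article.

Added example, not NetMan's own code. Zone names, the Flow/Firewall classes,
the session table and all sample addresses are constructed for illustration;
the real router's rule syntax is not shown on the page.
"""
from dataclasses import dataclass, field

UNTRUST, TRUST, GUEST, ROUTER = "untrust", "trust", "guest", "router"


@dataclass(frozen=True)
class Flow:
    """One packet, summarised as source/destination zone, host and port."""
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int


@dataclass
class Firewall:
    # Exceptions opened in NetMan from Untrust into Trust: (trust host, port).
    untrust_exceptions: set = field(default_factory=set)
    # Explicit denies on Trust hosts: (trust host, remote host or "*", port or 0).
    trust_denies: set = field(default_factory=set)
    # Narrow permits that win over a deny: (trust host, remote host, port).
    trust_permits: set = field(default_factory=set)
    # Remote management port of the router itself (assumed value).
    mgmt_port: int = 443
    # Stateful session table: (inside host, inside port, remote host, remote port).
    sessions: set = field(default_factory=set)

    def _denied_outbound(self, f: Flow) -> bool:
        """Apply explicit deny rules for a Trust host; permits override denies."""
        if (f.src, f.dst, f.dport) in self.trust_permits:
            return False
        for src, dst, port in self.trust_denies:
            if src == f.src and dst in ("*", f.dst) and port in (0, f.dport):
                return True
        return False

    def evaluate(self, f: Flow) -> bool:
        """Return True if the flow is permitted; outbound permits open a session."""
        # 1. Return traffic: allowed only if the inside zone opened the session.
        if f.src_zone == UNTRUST and f.dst_zone in (TRUST, GUEST):
            if (f.dst, f.dport, f.src, f.sport) in self.sessions:
                return True
        # 2. Remote management of the router is the only default permit from Untrust.
        if f.src_zone == UNTRUST and f.dst_zone == ROUTER:
            return f.dport == self.mgmt_port
        # 3. Guest and Trust never talk to each other, in either direction.
        if {f.src_zone, f.dst_zone} == {GUEST, TRUST}:
            return False
        # 4. Unsolicited Untrust -> Trust needs an exception; Untrust -> Guest: never.
        if f.src_zone == UNTRUST:
            return f.dst_zone == TRUST and (f.dst, f.dport) in self.untrust_exceptions
        # 5. Outbound from Trust or Guest is allowed unless a deny matches; the
        #    session is recorded so the reply in step 1 gets through.
        if f.dst_zone == UNTRUST and f.src_zone in (TRUST, GUEST):
            if f.src_zone == TRUST and self._denied_outbound(f):
                return False
            self.sessions.add((f.src, f.sport, f.dst, f.dport))
            return True
        # Anything the article does not describe is dropped.
        return False


if __name__ == "__main__":
    fw = Firewall(untrust_exceptions={("10.0.0.10", 22)},
                  trust_denies={("10.0.0.50", "*", 0)},
                  trust_permits={("10.0.0.50", "203.0.113.77", 443)})
    out = Flow(TRUST, "10.0.0.20", 40000, UNTRUST, "203.0.113.5", 443)
    back = Flow(UNTRUST, "203.0.113.5", 443, TRUST, "10.0.0.20", 40000)
    print("outbound:", fw.evaluate(out), "reply:", fw.evaluate(back))
```

The order of the checks is the point: a denied Trust host never gets a session entry, so nothing from the Internet can be "returned" to it, and because Untrust-to-Guest has no exception path, a Guest device is reachable from outside only through sessions it opened itself.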
