Firewall & Layer 7 Application Filtering


Objective

Validate that the zWAN Gateway Router correctly blocks specified traffic between LAN devices by creating individual Flow Classification rules for:

  • Packet Matching (IP/Port based)
  • DPI-based Application Control (e.g., SMB traffic)

Prerequisites

  • Admin access to zWAN Director UI or device local UI.
  • Two Windows devices connected to the z40 LAN subnet (wired on LAN00 or Wi-Fi on LAN05).
  • Firewall and Flow Classification enabled on the device.

Test 1: Packet Matching Rule — Block Specific IP/Port Between LAN Devices

Steps

  1. Baseline Connectivity Check
  • From Windows Device A, confirm connectivity to Windows Device B on the target port (e.g., TCP 3389 for RDP).
  • Use tools like ping, mstsc, or telnet for verification.
  2. Create Packet Matching Rule
  • Login to zWAN Director UI.
  • Navigate: Security > Firewall > Rules tab.
  • Click NEW RULE. The Flow Classification dialog opens.

General tab:

  • Sequence number assigned automatically.
  • Comment: “Block RDP TCP 3389 LAN devices”.
  • Apply To: Routed and Bridged Packets.
  • Action: DROP (silent block) or REJECT.
  • Status: Enabled.

Packet Matching tab:

  • Input Interface: Select LAN00 or LAN05 (based on device connectivity), leave NOT unchecked.
  • Output Interface: Select same interface, leave NOT unchecked.
  • Source Address (optional): IP of Device A.
  • Destination Address: IP of Device B.

Protocol Matching tab:

  • Protocol: TCP
  • Destination Port: 3389

Leave DPI and Web Categories tabs empty.

  • Click CREATE.
  3. Validate Blocking
  • From Device A, attempt RDP to Device B; the connection should be blocked.
  • Confirm other traffic (e.g., ping) works normally.
  4. Review Logs
  • Navigate to Security > Firewall Logs or Monitoring > Events tab.
  • Confirm that blocked packets are logged with the correct IPs, ports, timestamp, and rule comment.
  5. Persistence Check
  • Reboot the z40 if possible; verify that the rule and the blocking persist.

Test 2: DPI-Based Application Control Rule — Block SMB Traffic

Steps

  1. Baseline Connectivity Check
  • On Device B, share a folder.
  • From Device A, access the shared folder via \\DeviceB_IP or \\DeviceB_Hostname. Confirm access.
  2. Create DPI SMB Block Rule
  • Login to zWAN Director UI.
  • Navigate: Security > Firewall > Rules tab.
  • Click NEW RULE.

General tab:

  • Sequence number assigned automatically.
  • Comment: “Block SMB LAN traffic”.
  • Apply To: Routed and Bridged Packets.
  • Action: DROP or REJECT.
  • Status: Enabled.

Packet Matching tab:

  • Input Interface: Select LAN00 or LAN05.
  • Output Interface: Same as Input.
  • Leave source/destination empty unless restricting scope.

DPI tab:

  • In Filter box, type smb.
  • Select one or both of the matching signatures: smbv1, smbv23.
  • Leave other tabs empty.
  • Click CREATE.
  3. Validate Blocking
  • From Device A, attempt to access the Device B shared folder; the connection should be blocked.
  • Confirm other LAN traffic works normally.
  4. Review Logs
  • Check Firewall Logs or Monitoring > Events for SMB block entries with details.
  5. Persistence Check
  • Reboot the device if possible; confirm that blocking persists.
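The baseline and validation steps of both tests are repeated before and after each rule is created, so a single check script run from Windows Device A makes the comparison repeatable. The following PowerShell is an added example and not part of the zWAN article or product: the Device B address 192.0.2.20, the share name TestShare and the port 3389 are placeholder values. It reports whether ICMP, the Test 1 TCP port and the Test 2 SMB share are reachable, and prints the local Windows Firewall profile state so that a failed check can be attributed to the z40 rule rather than to the client firewall (see Notes & Tips).

```powershell
# Added example (not from the zWAN article): run on Windows Device A once before
# the rule exists (baseline) and once after it is created (validation).
# Placeholder values: replace $DeviceB and $Share with the real LAN IP and share name.
param(
    [string]$DeviceB = "192.0.2.20",   # placeholder: Device B's LAN IP
    [string]$Share   = "TestShare",    # placeholder: folder shared on Device B
    [int]$Port       = 3389            # Test 1 target port (RDP)
)

# ICMP should keep working after either rule; only the matched flow is dropped.
function Test-Icmp {
    param([string]$Target)
    Test-Connection -ComputerName $Target -Count 2 -Quiet
}

# TCP connect test for the Packet Matching rule (Test 1).
function Test-Tcp {
    param([string]$Target, [int]$TcpPort)
    (Test-NetConnection -ComputerName $Target -Port $TcpPort `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# SMB share access for the DPI rule (Test 2); Test-Path resolves the UNC path over SMB.
function Test-Smb {
    param([string]$Target, [string]$ShareName)
    Test-Path -Path "\\$Target\$ShareName"
}

# Client-side firewall state, so a blocked connection is not misattributed.
Write-Host "Local Windows Firewall profiles on Device A:"
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize

$results = [ordered]@{
    "ICMP ping (expected: allowed in both tests)" = Test-Icmp -Target $DeviceB
    "TCP $Port (Test 1: blocked after rule)"      = Test-Tcp  -Target $DeviceB -TcpPort $Port
    "SMB \\$DeviceB\$Share (Test 2: blocked after rule)" = Test-Smb -Target $DeviceB -ShareName $Share
}

Write-Host "Reachability from Device A at $(Get-Date -Format 'u'):"
$results.GetEnumerator() | ForEach-Object {
    "{0,-55} reachable={1}" -f $_.Key, $_.Value
}
```

Save the script, run it with the baseline expectations (all three reachable), create the rule, then run it again: for Test 1 only the TCP line should change to reachable=False, and for Test 2 only the SMB line. The timestamp in the output can be matched against the Firewall Logs entries when reviewing the block events.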

Notes & Tips

  • Use Wi-Fi (LAN05) to simplify hardware requirements for LAN testing.
  • Confirm Windows Firewall does not interfere.
  • Sequence numbers are auto-assigned; order matters in rule evaluation.
  • The NOT checkbox in interfaces inverts matching; leave unchecked for these tests.
  • Adjust rule scope with source/destination IPs for targeted blocking if desired.