[MWAN] Lan to Lan feature improved #19940
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
Preview URL: https://46d5ba65.preview.developers.cloudflare.com Files with changes (up to 15) |
Oxyjun
reviewed
Feb 12, 2025
| <br /> | ||
|
|
||
| Creating these policies to segment your network means LAN to LAN traffic can be allowed either locally or via Cloudflare's network. As a best practice for security, we recommend sending all traffic through Cloudflare's network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows. | ||
| As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows. |
Contributor
There was a problem hiding this comment.
Suggested change
| As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows. | |
| As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN-to-LAN traffic flows. |
Not sure if this is sensible, just a suggestion.
Oxyjun
reviewed
Feb 12, 2025
| Refer to [Magic WAN Connector deployment options](/reference-architecture/diagrams/sase/magic-wan-connector-deployment/) for a high-level explanation of the deployment options for Magic WAN Connector, as well as examples of network segmentation. | ||
| If you enable LAN to LAN traffic flows, communications can only be initiated from origin to destination — for example, LAN 1 to LAN 2 — and not the other way around. This is by design and to prevent potential exfiltration of information. This does not mean bidirectional communication on TCP is not possible. It only means that the origin is the only one authorized to initiate communications. | ||
|
|
||
| Unidirectional communication can be enabled for UDP and ICMP, but it is not available for TCP as it would break that protocol. |
Contributor
There was a problem hiding this comment.
Suggested change
| Unidirectional communication can be enabled for UDP and ICMP, but it is not available for TCP as it would break that protocol. | |
| Unidirectional communication can be enabled for UDP and ICMP, but it is not available for TCP, as it would break that protocol. |
Oxyjun
reviewed
Feb 12, 2025
| As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows. | ||
|
|
||
| Refer to [Magic WAN Connector deployment options](/reference-architecture/diagrams/sase/magic-wan-connector-deployment/) for a high-level explanation of the deployment options for Magic WAN Connector, as well as examples of network segmentation. | ||
| If you enable LAN to LAN traffic flows, communications can only be initiated from origin to destination — for example, LAN 1 to LAN 2 — and not the other way around. This is by design and to prevent potential exfiltration of information. This does not mean bidirectional communication on TCP is not possible. It only means that the origin is the only one authorized to initiate communications. |
Contributor
There was a problem hiding this comment.
Suggested change
| If you enable LAN to LAN traffic flows, communications can only be initiated from origin to destination — for example, LAN 1 to LAN 2 — and not the other way around. This is by design and to prevent potential exfiltration of information. This does not mean bidirectional communication on TCP is not possible. It only means that the origin is the only one authorized to initiate communications. | |
| If you enable LAN to LAN traffic flows, communications can only be initiated from origin to destination — for example, LAN 1 to LAN 2 — and not the other way around. This is by design and prevents potential exfiltration of information. This does not mean bidirectional communication on TCP is not possible. It only means that the origin is the only one authorized to initiate communications. |
Oxyjun
reviewed
Feb 12, 2025
| 7. From the drop-down menu **Origin (required)**, select your origin LAN. | ||
| 8. Specify a subnet for your first LAN in **Subnets**. | ||
| 9. In **Ports** specify the TCP/UDP ports you want to use. Valid ports range from `1` to `65535`. Zero (`0`) is not a valid port number. Add a comma to separate each of the ports or add a port range. For example, `2,5,6,9-14`. | ||
| 10. In **Destination (required) **, select the destination LAN and repeat the above process to configure it. |
Contributor
There was a problem hiding this comment.
Suggested change
| 10. In **Destination (required) **, select the destination LAN and repeat the above process to configure it. | |
| 10. In **Destination (required)**, select the destination LAN and repeat the above process to configure it. |
Oxyjun
reviewed
Feb 12, 2025
Comment on lines
+58
to
+61
| 1. **Any**: If **Any** is selected and you choose **Unidirectional**, the system will alert you that this will break TCP traffic. | ||
| 2. **TCP**: You can only select **Bidirectional**. | ||
| 3. **UDP**: The system defaults to **Bidirectional** but you can choose **Unidirectional**. | ||
| 4. **ICMP**: The system defaults to **Bidirectional** but you can choose **Unidirectional**. |
Contributor
There was a problem hiding this comment.
Could this be captured in a table? Something like:
| Selected protocol | Default | Changeable? |
|---|---|---|
| TCP | Bidirectional | ❌ |
| UDP | Bidirectional | ✅ |
| ICMP | Bidirectional | ✅ |
Oxyjun
approved these changes
Feb 12, 2025
Co-authored-by: Jun Lee <[email protected]>
…ions/network-segmentation.mdx Co-authored-by: Jun Lee <[email protected]>
…ions/network-segmentation.mdx Co-authored-by: Jun Lee <[email protected]>
jonesphillip
pushed a commit
that referenced
this pull request
Feb 12, 2025
* added lan to lan info * updated names and added port range * refined steps * refined text * added changelog entry * Apply suggestions from code review Co-authored-by: Jun Lee <[email protected]> * Update src/content/docs/magic-wan/configuration/connector/network-options/network-segmentation.mdx Co-authored-by: Jun Lee <[email protected]> * Update src/content/docs/magic-wan/configuration/connector/network-options/network-segmentation.mdx Co-authored-by: Jun Lee <[email protected]> * lan-to-lan --------- Co-authored-by: Jun Lee <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Closes PCX-14092
Documentation checklist