Merged
a37992a
added lan to lan info
marciocloudflare Jan 20, 2025
e861141
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Jan 22, 2025
d532f31
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Jan 23, 2025
eb7be1d
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Jan 28, 2025
c4fa4ea
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Jan 28, 2025
7a335ff
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Jan 30, 2025
4c63844
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Feb 3, 2025
d1b93b4
updated names and added port range
marciocloudflare Feb 4, 2025
59f77af
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Feb 4, 2025
7da6eb3
refined steps
marciocloudflare Feb 4, 2025
71d1d7f
refined text
marciocloudflare Feb 4, 2025
f092f75
Merge remote-tracking branch 'origin/production' into marcio/pcx14092…
marciocloudflare Feb 10, 2025
8ebc4e7
added changelog entry
marciocloudflare Feb 12, 2025
06cc488
Apply suggestions from code review
marciocloudflare Feb 12, 2025
625ab33
Update src/content/docs/magic-wan/configuration/connector/network-opt…
marciocloudflare Feb 12, 2025
bc3b174
Update src/content/docs/magic-wan/configuration/connector/network-opt…
marciocloudflare Feb 12, 2025
46d5ba6
lan-to-lan
marciocloudflare Feb 12, 2025
4 changes: 4 additions & 0 deletions src/content/changelogs/magic-wan.yaml
Expand Up @@ -5,6 +5,10 @@ productLink: "/magic-wan/"
productArea: Cloudflare One
productAreaLink: /cloudflare-one/changelog/
entries:
- publish_date: "2024-12-12"
title: LAN Policy improvements for the Magic WAN Connector
description: |-
Magic WAN Connector LAN Policy now supports unidirectional traffic flows and port-ranges.
- publish_date: "2024-12-17"
title: Magic WAN Connector configurable health checks
description: |-
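Review bot: the publish_date on the added entry, "2024-12-12", predates the existing "2024-12-17" entry it is placed above and is two months earlier than the commit that added it (8ebc4e7, Feb 12, 2025); confirm the date is intended and that the entry sits in the order this file uses. Minor: "port-ranges" in the description reads better as "port ranges", matching the "add a port range" wording used in the steps later in this PR.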
Expand Up @@ -5,7 +5,7 @@ title: Network segmentation

import { Render, TabItem, Tabs } from "~/components";

You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN to LAN traffic. These policies can be created for specific subnets, and link two LANs.
You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN-to-LAN traffic. These policies can be created for specific subnets, and link two LANs.

```mermaid
flowchart LR
Expand All @@ -29,9 +29,11 @@ _In the above example, the red path shows traffic that stays in the customer's p

<br />

Creating these policies to segment your network means LAN to LAN traffic can be allowed either locally or via Cloudflare's network. As a best practice for security, we recommend sending all traffic through Cloudflare's network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows.
As a best practice for security, we recommend sending all traffic through Cloudflares network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN-to-LAN traffic flows.

Refer to [Magic WAN Connector deployment options](/reference-architecture/diagrams/sase/magic-wan-connector-deployment/) for a high-level explanation of the deployment options for Magic WAN Connector, as well as examples of network segmentation.
If you enable LAN to LAN traffic flows, communications can only be initiated from origin to destination — for example, LAN 1 to LAN 2 — and not the other way around. This is by design and prevents potential exfiltration of information. This does not mean bidirectional communication on TCP is not possible. It only means that the origin is the only one authorized to initiate communications.

Unidirectional communication can be enabled for UDP and ICMP, but it is not available for TCP, as it would break that protocol.

The following guide assumes you have already created a site and configured your Connector. To learn how to create a site and configure your Connector, refer to [Configure hardware Connector](/magic-wan/configuration/connector/configure-hardware-connector/) or [Configure virtual connector](/magic-wan/configuration/connector/configure-virtual-connector/), depending on the type of Magic WAN Connector you have on your premises.
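Review bot: the added line "we recommend sending all traffic through Cloudflares network" drops the apostrophe the removed line had; it should read "Cloudflare's network". The paragraph linking to /reference-architecture/diagrams/sase/magic-wan-connector-deployment/ is also removed without a replacement; if that deployment-options reference is still valid, keep it alongside the new paragraphs. Finally, the new text first states as a general rule that "communications can only be initiated from origin to destination" and only two lines later that unidirectional mode exists for UDP and ICMP but not TCP; stating the UDP/ICMP scope first (or in the same sentence) avoids readers taking the origin-only rule as applying to every policy, including the bidirectional default described in step 12.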

Expand All @@ -47,19 +49,26 @@ Follow the steps below to create a new LAN policy to segment your network. Only
4. Go to **Network**, and scroll down to **LAN configuration**.
5. Select **LAN policies** > **Create Policy**.
6. In **Policy name**, enter a descriptive name for the policy you are creating.
7. From the drop-down menu **LAN 1**, select your origin LAN.
8. (Optional) Specify a subnet for your first LAN in **Subnets**.
9. (Optional) In **Ports** specify the TCP/UDP ports you want to use. Add a comma to separate each of the ports.
10. In **LAN 2**, select the destination LAN and repeat the above process to configure it.
11. (Optional) Select the type of traffic. You can choose **TCP**, **UDP**, and **ICMP**. You can also select **Any** to choose all types of traffic.
12. In **Traffic path**, select **Forwarded via Cloudflare** if you want traffic to be forwarded to Cloudflare to be processed. If you do not select this option, traffic will flow locally, in your premises without passing through Cloudflare.
13. Select **Create policy**.
7. From the drop-down menu **Origin (required)**, select your origin LAN.
8. Specify a subnet for your first LAN in **Subnets**.
9. In **Ports** specify the TCP/UDP ports you want to use. Valid ports range from `1` to `65535`. Zero (`0`) is not a valid port number. Add a comma to separate each of the ports or add a port range. For example, `2,5,6,9-14`.
10. In **Destination (required)**, select the destination LAN and repeat the above process to configure it.
11. In **Protocols**, select the type of traffic you want to allow. You can choose **TCP**, **UDP**, and **ICMP**. You can also select **Any** to choose all types of traffic.
12. In **Traffic direction** you can choose between bidirectional traffic (the default) and unidirectional traffic. What you can choose depends on the protocol that you chose for the policy:
1. **Any**: If **Any** is selected and you choose **Unidirectional**, the system will alert you that this will break TCP traffic.
2. **TCP**: You can only select **Bidirectional**.
3. **UDP**: The system defaults to **Bidirectional** but you can choose **Unidirectional**.
4. **ICMP**: The system defaults to **Bidirectional** but you can choose **Unidirectional**.
Comment on lines +58 to +61
@Oxyjun Oxyjun Feb 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be captured in a table? Something like:

| Selected protocol | Default | Changeable? |
| --- | --- | --- |
| TCP | Bidirectional | |
| UDP | Bidirectional | |
| ICMP | Bidirectional | |

13. In **Traffic path**, select **Forwarded via Cloudflare** if you want traffic to be forwarded to Cloudflare to be processed. If you do not select this option, traffic will flow locally, in your premises without passing through Cloudflare.
14. Select **Create policy**.

The new policy will ensure that traffic between the specified LANs flows locally, bypassing Cloudflare.

</TabItem> <TabItem label="API">

<Render file="connector/account-id-api-key" />

Create a `POST` request [using the API](/api/resources/magic_transit/subresources/sites/subresources/acls/methods/create/) to create a network policy.
Create a `POST` request [using the API](/api/operations/magic-site-acls-create-acl) to create a network policy.

Example:
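Review bot: steps 8 and 9 lose their "(Optional)" label while only the Origin and Destination fields are marked "(required)"; if Subnets and Ports remain optional the label should stay, and if they are now mandatory the step text should say so. The API link in this hunk also changes from /api/resources/magic_transit/subresources/sites/subresources/acls/methods/create/ to /api/operations/magic-site-acls-create-acl, which looks like an accidental revert of the link already on production (this branch merged origin/production several times); please confirm it is intended. The unchanged sentence "The new policy will ensure that traffic between the specified LANs flows locally, bypassing Cloudflare." now also contradicts step 13, which lets the policy forward traffic via Cloudflare; worth adjusting while this list is being touched.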

Expand Down Expand Up @@ -153,7 +162,7 @@ The new policy will ensure that traffic between the specified LANs flows locally

<Render file="connector/account-id-api-key" />

Create a `PUT` request [using the API](/api/resources/magic_transit/subresources/sites/subresources/acls/methods/update/) to edit a network policy.
Create a `PUT` request [using the API](/api/operations/magic-site-acls-update-acl) to edit a network policy.

Example:
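Review bot: same link change as in the create step: the PUT link moves from /api/resources/magic_transit/subresources/sites/subresources/acls/methods/update/ to /api/operations/magic-site-acls-update-acl; confirm this is not a merge regression of the production URL.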

Expand Down Expand Up @@ -214,7 +223,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}

<Render file="connector/account-id-api-key" />

Create a `DELETE` request [using the API](/api/resources/magic_transit/subresources/sites/subresources/acls/methods/delete/) to delete a network policy.
Create a `DELETE` request [using the API](/api/operations/magic-site-acls-delete-acl) to delete a network policy.

Example:
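Review bot: same link change again: the DELETE link moves from /api/resources/magic_transit/subresources/sites/subresources/acls/methods/delete/ to /api/operations/magic-site-acls-delete-acl; if the /api/resources/ form is the current one on production, all three API links in this PR should be restored to it.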
