Network segmentation
You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN to LAN traffic. These policies can be created for specific subnets, and link two LANs.
In the above example, the red path shows traffic that stays in the customer’s premises (allowing direct communication between LAN 3 and LAN 4), and the orange path shows traffic that goes to Cloudflare before returning to the customer’s premises (processing traffic between LAN 1 and LAN 2 in Cloudflare).
Creating these policies to segment your network means LAN to LAN traffic can be allowed either locally or via Cloudflare’s network. As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows.
The following guide assumes you have already created a site and configured your Connector. To learn how to create a site and configure your Connector, refer to Configure hardware Connector or Configure virtual connector, depending on the type of Magic WAN Connector you have on your premises.
Create a policy
Follow the steps below to create a new LAN policy to segment your network. Only the fields marked required are mandatory.
- Log in to the Cloudflare dashboard, and select your account.
- Select Magic WAN > Sites.
- Select the site you want to configure > Edit.
- Go to Network, and scroll down to LAN configuration.
- Select LAN policies > Create Policy.
- In Policy name, enter a descriptive name for the policy you are creating.
- From the drop-down menu LAN 1, select your origin LAN.
- (Optional) Specify a subnet for your first LAN in Subnets.
- (Optional) In Ports specify the TCP/UDP ports you want to use. Add a comma to separate each of the ports.
- In LAN 2, select the destination LAN and repeat the above process to configure it.
- (Optional) Select the type of traffic. You can choose TCP, UDP, and ICMP. You can also select Any to choose all types of traffic.
- In Traffic path, select Forwarded via Cloudflare if you want traffic to be forwarded to Cloudflare to be processed. If you do not select this option, traffic will flow locally, in your premises without passing through Cloudflare.
- Select Create policy.
Create a POST
request using the API to create a network policy.
Example:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "acl": { "description": "<POLICY_DESCRIPTION>", "forward_locally": true, "lan_1": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME>", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "lan_2": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "name": "<POLICY_NAME>", "protocols": [ "tcp" ] }}'
If successful, you will receive a response like the following:
{ "errors": [], "messages": [], "result": { "acls": [ { "description": "<POLICY_DESCRIPTION>", "forward_locally": true, "id": "023e105f4ecef8ad9ca31a8372d0c353", "lan_1": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME>", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "lan_2": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME>", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "name": "<POLICY_NAME>", "protocols": [ "tcp" ] } ] }, "success": true
}
Take note of the id
parameter, as you will need it to edit or delete network policies.
The new policy will ensure that traffic between the specified LANs flows locally, bypassing Cloudflare.
Edit a policy
- Log in to the Cloudflare dashboard, and select your account.
- Select Magic WAN > Sites.
- Select the site you want to configure > Edit.
- Go to Network, and scroll down to LAN configuration.
- Select LAN policies.
- Select the policy you need to edit > Edit.
- Make your changes, and select Update policy.
Create a PUT
request using the API to edit a network policy.
Example:
curl --request PUT \https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_id} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{ "acl": { "description": "<POLICY_DESCRIPTION>", "forward_locally": true, "lan_1": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME>", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "lan_2": { "lan_id": "<LAN_ID>", "lan_name": "<LAN_NAME>", "ports": [ 1 ], "subnets": [ "192.0.2.1" ] }, "name": "<POLICY_NAME>", "protocols": [ "tcp" ] }}'
Delete a policy
- Log in to the Cloudflare dashboard, and select your account.
- Select Magic WAN > Sites.
- Select the site you want to configure > Edit.
- Go to Network, and scroll down to LAN configuration.
- Select LAN policies.
- Select the policy you need to edit > Edit.
- Select Delete.
- Select I understand that deleting a policy is permanent in the dialog box > Delete.
Create a DELETE
request using the API to delete a network policy.
Example:
curl --request DELETE \https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_identifier} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"