
I have two interfaces on an NSA 220 configured as follows:

Real interface X2: 192.168.1.1/24, LAN Zone

Virtual interface X2:V1: 192.168.2.1/24, VLAN ID 100, LAN Zone

In this configuration computers in either of the subnets above can successfully reach each other. What I need to do is block traffic between these two subnets.

How do I do this?


2 Answers


By default the LAN Zone has Interface Trust enabled, which means all interfaces within the same Zone trust each other (pass traffic). Go to Network, Zones, and edit the Zone in question (LAN) and remove the checkmark from Allow Interface Trust. This will remove the auto-added LAN<->LAN Allow ANY/ANY/ANY rule.

Alternatively, if these are NOT really both part of the same Zone (security context), then either change one of the interfaces to a different Zone (e.g. DMZ) or create a new Zone. By default, traffic between Zones is only allowed from "more trusted" to "less trusted", but not the other way (e.g. from LAN to DMZ, but not from DMZ to LAN).


By default, intra-zone communication is allowed. Just go to Firewall->Access Rules, select LAN->LAN and unmark the last rule, which allows intra-zone connections.

In my opinion, if you don't want communication at all, put X2 and X2:V1 in different zones.
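As an added illustration (not SonicOS code, and not from either answer above), here is a small Python model of the Zone / Interface Trust behaviour both answers describe, applied to the question's X2 and X2:V1 layout. It lets you check each of the three fixes (clearing Allow Interface Trust, deleting or denying the LAN->LAN rule, moving X2:V1 to DMZ) against sample hosts before touching the firewall. The trust ranking LAN > DMZ > WAN, the host addresses, the `Iface`/`Zone`/`Rule`/`Firewall` names and the "explicit rules before auto-added rules" evaluation order are all assumptions made for the example.

```python
"""Model of SonicOS zone / Interface Trust policy for the X2 / X2:V1 question.

Added example, not SonicOS code. Assumptions: trust ranking LAN > DMZ > WAN,
"Allow Interface Trust" auto-adds an intra-zone Allow ANY/ANY/ANY rule, and
inter-zone traffic is allowed by default only from a more-trusted zone to a
less-trusted one unless an explicit rule matches first.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed trust ranking (higher is more trusted). The answer only states that
# LAN is more trusted than DMZ; WAN is added for completeness.
TRUST = {"LAN": 3, "DMZ": 2, "WAN": 1}


@dataclass
class Iface:
    name: str      # e.g. "X2" or the VLAN sub-interface "X2:V1"
    network: str   # subnet the interface serves
    zone: str


@dataclass
class Zone:
    name: str
    interface_trust: bool = True   # the "Allow Interface Trust" checkbox


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str    # "allow" or "deny"


@dataclass
class Firewall:
    interfaces: List[Iface]
    zones: Dict[str, Zone]
    rules: List[Rule] = field(default_factory=list)   # explicit access rules

    def iface_for(self, ip: str) -> Iface:
        addr = ip_address(ip)
        for iface in self.interfaces:
            if addr in ip_network(iface.network):
                return iface
        raise ValueError(f"no interface serves {ip}")

    def auto_rules(self) -> List[Rule]:
        # Interface Trust auto-adds the ZONE<->ZONE Allow ANY/ANY/ANY rule the
        # first answer describes; clearing the checkbox removes it.
        return [Rule(z.name, z.name, "allow")
                for z in self.zones.values() if z.interface_trust]

    def allows(self, src_ip: str, dst_ip: str) -> bool:
        src, dst = self.iface_for(src_ip), self.iface_for(dst_ip)
        if src is dst:
            return True   # same subnet: switched at layer 2, firewall not involved
        # Explicit rules are evaluated before the auto-added ones (assumption).
        for rule in self.rules + self.auto_rules():
            if rule.src_zone == src.zone and rule.dst_zone == dst.zone:
                return rule.action == "allow"
        if src.zone == dst.zone:
            return False  # intra-zone with trust removed and no explicit rule
        # Default inter-zone behaviour: more trusted -> less trusted only.
        return TRUST[src.zone] > TRUST[dst.zone]


def nsa220(interface_trust: bool = True, x2v1_zone: str = "LAN",
           rules: Optional[List[Rule]] = None) -> Firewall:
    """The two-interface layout from the question, with the knobs the answers discuss."""
    ifaces = [Iface("X2", "192.168.1.0/24", "LAN"),
              Iface("X2:V1", "192.168.2.0/24", x2v1_zone)]
    zones = {"LAN": Zone("LAN", interface_trust), "DMZ": Zone("DMZ"), "WAN": Zone("WAN")}
    return Firewall(ifaces, zones, rules or [])


if __name__ == "__main__":
    a, b = "192.168.1.10", "192.168.2.10"   # constructed host addresses
    print("default LAN trust:", nsa220().allows(a, b))                       # True
    print("trust cleared:    ", nsa220(interface_trust=False).allows(a, b))  # False
    print("LAN->LAN deny:    ", nsa220(rules=[Rule("LAN", "LAN", "deny")]).allows(a, b))  # False
    print("X2:V1 in DMZ:     ", nsa220(x2v1_zone="DMZ").allows(a, b),
          nsa220(x2v1_zone="DMZ").allows(b, a))                              # True False
```

The three non-default cases correspond to the two answers: `interface_trust=False` and the explicit LAN->LAN deny both remove or override the auto-added intra-zone rule and block traffic in both directions, while moving X2:V1 to DMZ leaves LAN->DMZ open by default and blocks only DMZ->LAN, so choose that option only if one-way reachability is acceptable.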
