Network segmentation

You can define policies in your Connector to allow traffic to flow between your LANs without it leaving your local premises. These policies can be created for specific subnets, and link two LANs.

Creating these policies to segment your network means traffic will flow locally and bypass Cloudflare. As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows.

The following guide assumes you have already created a site and configured your Connector. To learn how to create a site and configure your Connector, refer to Configure hardware Connector or Configure virtual connector, depending on the type of Magic WAN Connector you have on your premises.

Create a policy

Follow the steps below to create a new LAN policy to segment your network. Only the fields marked required are mandatory.

Log in to the Cloudflare dashboard, and select your account.
Select Magic WAN > Sites.
Select the site you want to configure > Edit.
Go to Network, and scroll down to LAN configuration.
Select LAN policies > Create Policy.
In Policy name, enter a descriptive name for the policy you are creating.
From the drop-down menu LAN 1, select your origin LAN.
(Optional) Specify a subnet for your first LAN in Subnets.
(Optional) In Ports specify the TCP/UDP ports you want to use. Add a comma to separate each of the ports.
In LAN 2, select the destination LAN and repeat the above process to configure it.
(Optional) Select the type of traffic you want to keep local. You can choose TCP, UDP, and ICMP. You can also select Any to choose all types of traffic.
Select Create policy.

Create a POST request using the API to create a network policy.

Example:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{  "acl": {    "description": "<POLICY_DESCRIPTION>",    "forward_locally": true,    "lan_1": {      "lan_id": "<LAN_ID>",      "lan_name": "<LAN_NAME>",      "ports": [        1      ],      "subnets": [        "192.0.2.1"      ]    },    "lan_2": {      "lan_id": "<LAN_ID>",      "lan_name": "<LAN_NAME",      "ports": [        1      ],      "subnets": [        "192.0.2.1"      ]    },    "name": "<POLICY_NAME>",    "protocols": [      "tcp"    ]  }}'

If successful, you will receive a response like the following:

{  "errors": [],  "messages": [],  "result": {    "acls": [      {        "description": "<POLICY_DESCRIPTION>",        "forward_locally": true,        "id": "023e105f4ecef8ad9ca31a8372d0c353",        "lan_1": {          "lan_id": "<LAN_ID>",          "lan_name": "<LAN_NAME>",          "ports": [            1          ],          "subnets": [            "192.0.2.1"          ]        },        "lan_2": {          "lan_id": "<LAN_ID>",          "lan_name": "<LAN_NAME>",          "ports": [            1          ],          "subnets": [            "192.0.2.1"          ]        },        "name": "<POLICY_NAME>",        "protocols": [          "tcp"        ]      }    ]  },  "success": true
}

Take note of the id parameter, as you will need it to edit or delete network policies.

The new policy will ensure that traffic between the specified LANs flows locally, bypassing Cloudflare.

Edit a policy

Log in to the Cloudflare dashboard, and select your account.
Select Magic WAN > Sites.
Select the site you want to configure > Edit.
Go to Network, and scroll down to LAN configuration.
Select LAN policies.
Select the policy you need to edit > Edit.
Make your changes, and select Update policy.

Create a PUT request using the API to edit a network policy.

Example:

curl --request PUT \
--url https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_id} \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{  "acl": {    "description": "<POLICY_DESCRIPTION>",    "forward_locally": true,    "lan_1": {      "lan_id": "<LAN_ID>",      "lan_name": "<LAN_NAME>",      "ports": [        1      ],      "subnets": [        "192.0.2.1"      ]    },    "lan_2": {      "lan_id": "<LAN_ID>",      "lan_name": "<LAN_NAME>",      "ports": [        1      ],      "subnets": [        "192.0.2.1"      ]    },    "name": "<POLICY_NAME>",    "protocols": [      "tcp"    ]  }}'

Delete a policy

Log in to the Cloudflare dashboard, and select your account.
Select Magic WAN > Sites.
Select the site you want to configure > Edit.
Go to Network, and scroll down to LAN configuration.
Select LAN policies.
Select the policy you need to edit > Edit.
Select Delete.
Select I understand that deleting a policy is permanent in the dialog box > Delete.

Create a DELETE request using the API to delete a network policy.

Example:

curl --request DELETE \
--url https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_identifier} \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \

Network segmentation

​​ Create a policy

​​ Edit a policy

​​ Delete a policy

Create a policy

Edit a policy

Delete a policy