Cloudflare Docs
Magic WAN
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Network segmentation

You can define policies in your Connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN to LAN traffic. These policies can be created for specific subnets, and link two LANs.

Creating these policies to segment your network means LAN to LAN traffic can be allowed either locally or via Cloudflare’s network. As a best practice for security, we recommend sending all traffic through Cloudflare’s network for Zero Trust security filtering. Use these policies with care and only for scenarios where you have a hard requirement for LAN to LAN traffic flows.

The following guide assumes you have already created a site and configured your Connector. To learn how to create a site and configure your Connector, refer to Configure hardware Connector or Configure virtual connector, depending on the type of Magic WAN Connector you have on your premises.

​​ Create a policy

Follow the steps below to create a new LAN policy to segment your network. Only the fields marked required are mandatory.

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Magic WAN > Sites.
  3. Select the site you want to configure > Edit.
  4. Go to Network, and scroll down to LAN configuration.
  5. Select LAN policies > Create Policy.
  6. In Policy name, enter a descriptive name for the policy you are creating.
  7. From the drop-down menu LAN 1, select your origin LAN.
  8. (Optional) Specify a subnet for your first LAN in Subnets.
  9. (Optional) In Ports specify the TCP/UDP ports you want to use. Add a comma to separate each of the ports.
  10. In LAN 2, select the destination LAN and repeat the above process to configure it.
  11. (Optional) Select the type of traffic. You can choose TCP, UDP, and ICMP. You can also select Any to choose all types of traffic.
  12. Select the option to forward traffic locally or to forward traffic over Cloudflare’s network.
  13. Select Create policy.

Create a POST request using the API to create a network policy.

Example:

curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"acl": {
"description": "<POLICY_DESCRIPTION>",
"forward_locally": true,
"lan_1": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME>",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"lan_2": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"name": "<POLICY_NAME>",
"protocols": [
"tcp"
]
}
}'

If successful, you will receive a response like the following:

{
"errors": [],
"messages": [],
"result": {
"acls": [
{
"description": "<POLICY_DESCRIPTION>",
"forward_locally": true,
"id": "023e105f4ecef8ad9ca31a8372d0c353",
"lan_1": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME>",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"lan_2": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME>",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"name": "<POLICY_NAME>",
"protocols": [
"tcp"
]
}
]
},
"success": true
}

Take note of the id parameter, as you will need it to edit or delete network policies.

The new policy will ensure that traffic between the specified LANs flows locally, bypassing Cloudflare.

​​ Edit a policy

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Magic WAN > Sites.
  3. Select the site you want to configure > Edit.
  4. Go to Network, and scroll down to LAN configuration.
  5. Select LAN policies.
  6. Select the policy you need to edit > Edit.
  7. Make your changes, and select Update policy.

Create a PUT request using the API to edit a network policy.

Example:

curl --request PUT \
https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_id} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
"acl": {
"description": "<POLICY_DESCRIPTION>",
"forward_locally": true,
"lan_1": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME>",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"lan_2": {
"lan_id": "<LAN_ID>",
"lan_name": "<LAN_NAME>",
"ports": [
1
],
"subnets": [
"192.0.2.1"
]
},
"name": "<POLICY_NAME>",
"protocols": [
"tcp"
]
}
}'

​​ Delete a policy

  1. Log in to the Cloudflare dashboard, and select your account.
  2. Select Magic WAN > Sites.
  3. Select the site you want to configure > Edit.
  4. Go to Network, and scroll down to LAN configuration.
  5. Select LAN policies.
  6. Select the policy you need to edit > Edit.
  7. Select Delete.
  8. Select I understand that deleting a policy is permanent in the dialog box > Delete.

Create a DELETE request using the API to delete a network policy.

Example:

curl --request DELETE \
https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/acls/{acl_identifier} \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>"