
Internal network is accessible from guest WiFi

Hello,


I have an issue with the following setup:

- 1x Sophos SG125w an 2x AP 55C

- 1 internal network (192.168.30.0/24) with the interfaces eth0, eth2, eth4-7 and wlan1-4 bridged into it. wlan1 is radiated by the SG125w and both APs, while wlan2-4 are radiated by only one of the hardware devices. The two APs have an IP from that internal network (192.168.30.253 and 192.168.30.252; 192.168.30.254 is the SG125w). wlan1-4 are bridged into AP LAN.

- 1 guest network which has its own interface on the SG125w, but this is a virtual interface. There is no bridge on this interface. The guest network is wlan0 and it is a separate zone.

- Standard Proxy is on for the internal network; it is not configured for the guest network. Under Web Protection -> Filtering Options -> Transparent Mode Skip List the internal network is listed under Destinations, and the checkbox "Allow HTTP/S traffic for listed hosts/nets" is unticked.

- One Firewall Rule allowing Guest network->any service->Any IP address.


A client from the guest network can now connect network drives and access data on the internal network if the user puts in the right credentials. This was not the plan, but I don't see the mistake in my configuration. If the client had a VPN connection into the internal network then it should work (it does), but without one there should be no accessibility from the guest network to the internal network.

Please help!


Regards

Tim



  • Hi Tim,

    If you are trying to avoid communication between the WiFi user and the bridged LAN, please enable client isolation, found under Wireless Network > Advanced. Clients within a network usually can communicate with one another. If you want to prevent this, for example in a guest network, select Enabled from the drop-down list. PFA screenshot:

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hello Sachin,

    Thank you very much for your reply.
    I did that already and the problem still exists and I don't know if this is the right solution to my question.
    You are right that I don't want the clients within the guest network to communicate with each other. That is why the checkbox was ticked already. But guests should be allowed to communicate over the SG125w appliance to the internet wherever they like to go, but not into my internal network.

    Just to get that straight, the internal network has clients connected to it by wire but on the two AP55Cs the internal network is radiated via WiFi as well. So I want clients within that internal WiFi to be able to communicate with the wired clients and vice versa, while guests in the guest wlan shouldn't be able to do anything in the internal network.


    Regards

    Tim

  • You need some firewall rules for that:


    first rule guest_wlan -> internal_network drop

    then guest_wlan -> internet allow


    Also I would prefer to make a separate HTTP proxy profile for guest_wlan so you can have different rulesets for internal users and guest users.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Hi, Tim, and welcome to the UTM Community!

    As you know now, your newbie mistake was the firewall rule allowing the Guest WLAN to "Any" instead of "Internet."  As zaphod suggested, you will want to have a separate Web Filtering Profile for your guests.

    Also, you might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, send me an email requesting it to my member name here @ MediaSoftUSA.com - please include your member name here in your email as this offer is only for members.  I also maintain a version in German translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
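The point made by zaphod and Bob above (a destination of "Any" includes the internal LAN, and a drop for guest -> internal must sit before the allow for guest -> Internet) can be checked offline with a small first-match rule simulator. This is an added example, not code from the thread or from Sophos; the internal range 192.168.30.0/24 and the host addresses 192.168.30.254 are from the thread, while the guest WLAN range 10.10.10.0/24, the client 10.10.10.23 and the use of "publicly routable address" to stand in for the UTM's "Internet" object are assumptions.

```python
"""
Model of ordered, first-match firewall evaluation, used to show why
'Guest -> Any service -> Any IP: Allow' lets guests reach the internal LAN
and why 'Guest -> Internal: Drop' ahead of 'Guest -> Internet: Allow' closes it.
Constructed example; not Sophos UTM code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# The internal LAN is taken from the thread; the guest WLAN range is assumed,
# since the thread never states it.
INTERNAL_NET = ipaddress.ip_network("192.168.30.0/24")
GUEST_NET = ipaddress.ip_network("10.10.10.0/24")  # assumption


def match_any(_addr: ipaddress.IPv4Address) -> bool:
    """Destination object 'Any': every address, the internal LAN included."""
    return True


def match_internal(addr: ipaddress.IPv4Address) -> bool:
    return addr in INTERNAL_NET


def match_internet(addr: ipaddress.IPv4Address) -> bool:
    """Assumption: 'Internet' is modelled as any publicly routable address."""
    return addr.is_global


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: Callable[[ipaddress.IPv4Address], bool]
    dports: Optional[Set[int]]  # None means 'Any service'
    action: str                 # 'allow' or 'drop'


Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match falls through to the implicit drop."""
    src = ipaddress.ip_address(flow[0])
    dst = ipaddress.ip_address(flow[1])
    port = flow[2]
    for rule in rules:
        port_ok = rule.dports is None or port in rule.dports
        if src in rule.src and rule.dst(dst) and port_ok:
            return f"{rule.action}:{rule.name}"
    return "drop:default"


def audit(rules: List[Rule], flows: List[Flow]) -> Dict[Flow, str]:
    return {flow: evaluate(rules, flow) for flow in flows}


def guest_reaches_internal(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """The check a defender wants: which flows to internal hosts are allowed?"""
    leaks = []
    for flow, verdict in audit(rules, flows).items():
        if ipaddress.ip_address(flow[1]) in INTERNAL_NET and verdict.startswith("allow"):
            leaks.append(flow)
    return leaks


# Tim's original single rule: Guest network -> Any service -> Any IP: Allow.
ORIGINAL_RULES = [Rule("guest-any-any", GUEST_NET, match_any, None, "allow")]

# zaphod's ordering: the drop for the internal LAN is evaluated first.
FIXED_RULES = [
    Rule("guest-internal-drop", GUEST_NET, match_internal, None, "drop"),
    Rule("guest-internet-allow", GUEST_NET, match_internet, None, "allow"),
]

# Constructed sample flows from one guest client.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.10.23", "192.168.30.10", 445),   # mapping an SMB share on an internal PC
    ("10.10.10.23", "192.168.30.254", 443),  # the SG125w's internal address
    ("10.10.10.23", "8.8.8.8", 443),         # a public resolver, standing in for the internet
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} ruleset ==")
        for flow, verdict in audit(rules, SAMPLE_FLOWS).items():
            print(f"  {flow[0]} -> {flow[1]}:{flow[2]:<5} {verdict}")
        print("  guest->internal allowed:", guest_reaches_internal(rules, SAMPLE_FLOWS))
```

With the original ruleset both internal destinations come back as `allow:guest-any-any`, which is exactly the share access Tim observed; with the corrected ordering they hit `drop:guest-internal-drop` while the public destination is still allowed. The explicit drop matters even though the implicit default would also drop: it keeps the guest LAN blocked if a broader allow rule is added below it later. Client isolation, as Sachin described it, is a separate control that only stops guest clients on the same SSID from talking to each other; it does not replace the routing rule between zones.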