
Allow any service from a particular network? Currently ends in default drop

Dear all

I have created a new network "IoT".
It should become the home for all devices I don't trust in my network. Such as playstation, weather station, radio...

I would like to allow all outbound traffic from that particular IoT network. 
But currently all outbound traffic runs into a default drop on the firewall log.

The blocking happens with firewall rule #1 "IoT (Network) -> any -> External (Network)".
However, if I set firewall rule #1 to "IoT (Network) -> any -> Any", it is working.

Of course, if I set the allowed destination network to "Any Network", I have traffic in my regular network. This I would like to avoid.

Could somebody help me with it?


Kind regards

Novice



  • To clear something:

    Rule 1 should not exist, no traffic is going to External Wan but through.

    I don't get the question very clearly. Anyway, if you want traffic from one network and not from the other, you should define different network ranges. Example: (1) 192.168.2.0/24, (2) 192.168.3.0/24. In this case an extra interface or VLAN is required.

    But let's not complicate things.

    Define those devices as hosts with IP addresses and maybe create a group "IoT" with those hosts.

    One rule at the top for the group "IoT" should be sufficient.

  • Thank you for the reply and kind help.

    I do have different network ranges 192.168.3.0/24 and 192.168.50.0/24. Both are on different VLANs.

    However, I have meanwhile figured out what was "wrong"...
    I did test the setting by using ping. This doesn't seem to be affected by the firewall rules. It is managed under Firewall -> ICMP and takes precedence over the remaining firewall rules.
    So, no matter what I had set on the firewall, I always got a ping response.

    Yes. facepalm.

    Greetings

    n3

  • You want the traffic selector to be 'IoT (Network) -> any -> Internet IPv4'.  The 'External (Network)' object includes very little - hover over it with your mouse and you will see.

    Yes, ping is special.  Refer to #2 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you both. It is now working as intended.

    I see, I was confused about the object "External (Network)" vs "Internet IPv4".

    If I got it right now, it says:

    - "External (Network)" is the interface network the traffic goes through; mainly used in NAT settings,
    whereas
    - "Internet IPv4" is the (public) destination network as such; mainly used in firewall settings

    ?


    Greetings

    N3

  • I've never found a use for the "External (Network)" object.  I always use the "(Address)" objects created when you define an Interface or Additional Addresses.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
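As an added illustration of the two points made in this thread (it is not code from the thread or from Sophos): a small Python model of first-match rule evaluation that shows why "IoT -> any -> External (Network)" never matches Internet traffic, why "-> Any" also lets IoT reach the regular LAN, why "-> Internet IPv4" does what the OP wanted, and why a ping test says nothing about the rule set. It assumes "External (Network)" contains only the WAN interface subnet and "Internet IPv4" means every IPv4 address outside the locally defined networks; all addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed networks (the two VLANs from the thread plus a made-up WAN subnet).
IOT_NET = ip_network("192.168.50.0/24")
LAN_NET = ip_network("192.168.3.0/24")
WAN_SUBNET = ip_network("203.0.113.0/24")   # assumption: the "External (Network)" object
INTERNAL = [IOT_NET, LAN_NET, WAN_SUBNET]   # everything that is NOT "Internet IPv4"


def external_network(dst):
    """Models the 'External (Network)' object: only the WAN interface subnet."""
    return dst in WAN_SUBNET


def internet_ipv4(dst):
    """Models the 'Internet IPv4' object: any IPv4 not in a locally defined network."""
    return not any(dst in net for net in INTERNAL)


def any_net(dst):
    """Models the 'Any' object."""
    return True


def evaluate(rules, src, dst, proto, icmp_allowed=True):
    """First-match evaluation; falling off the end is the implicit default drop.

    ICMP is decided by the separate Firewall -> ICMP setting before the rule
    set is consulted, which is why ping replies regardless of the rules.
    """
    src, dst = ip_address(src), ip_address(dst)
    if proto == "icmp":
        return "allow" if icmp_allowed else "drop"
    for src_net, dst_matches, action in rules:
        if src in src_net and dst_matches(dst):
            return action
    return "drop"  # default drop, as seen in the OP's firewall log


# The three rule #1 variants discussed in the thread.
RULE_BROKEN = [(IOT_NET, external_network, "allow")]  # OP's original rule
RULE_LEAKY = [(IOT_NET, any_net, "allow")]            # "works", but reaches the LAN
RULE_FIXED = [(IOT_NET, internet_ipv4, "allow")]      # Bob's suggestion
```

The `evaluate` calls in the test below reproduce the thread's findings: only `RULE_FIXED` allows 192.168.50.10 -> 8.8.8.8 while still dropping 192.168.50.10 -> 192.168.3.5.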