
UTM Is Routing VLANs Together

Hello, I hope you guys can help. I've been playing around with VLANs and Sophos UTM Home; both are new to me.

I set up three VLANs for my internal interfaces, each with its own DHCP server and subnet. IP addresses seem to be handed out correctly for each VLAN, and access to the internet works. The problem I am having is that I can type the IP address of a device on my switch that is on a different VLAN and I can get to it.

It seems like the UTM is routing my traffic to the other VLANs. I've checked to see if there are any odd firewall rules, but I am not seeing anything. Is there a way to stop this? For example, VLAN 25 shouldn't be able to access anything on VLAN 20.

I've been trying the UTM out at home, running it inside ESXi. I currently have a Fortigate 80c at work, and since the newer FortiOS updates I am not really happy with the reporting and tracking.



  • Hi, Corey, and welcome to the UTM Community!

    Are you sure that it's not your switch "routing" the traffic?  You didn't say what you're doing to test this...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob! These are just a couple of things I have observed. 

    When I am on a different VLAN from another machine I can't ping or access it, but if the machine has a web interface I can get to the login screen.

    If I turn the Sophos VM off I can no longer get to the web interface of a machine on a different VLAN. 

    I changed the WebAdmin access to a single VLAN in the UTM. I can only access the login when I am on the same VLAN.

    I've really just been playing around with it. I am curious about it as much as anything.

  • "if the machine has a web interface I can get to the login screen." - The traffic is going via the Web Filtering proxy.  My guess is that you're using the Proxy in Transparent mode, so go to the 'Misc' tab of 'Web Filtering Options' and put the VLAN "(Network)" objects into the Destination section of the 'Transparent Mode Skiplist' and don't select 'Allow HTTP/S traffic for listed hosts/nets'.  So, if you have Guest, DMZ and Internal, you would likely want to put "DMZ (Network)" and "Internal (Network)" in the Skiplist and then make a firewall rule allowing 'Internal (Network) -> Any -> DMZ (Network)' traffic.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, send me an email requesting it to my member name here @ MediaSoftUSA.com - please include your member name here in your email as this offer is only for members.  I also maintain a German version translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

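The symptom Bob is explaining (a login page from another VLAN, but no ping and no other ports) has a simple network-level signature: a TCP handshake to 80 or 443 completes because the transparent proxy on the UTM accepts the SYN, while a connect to any port the proxy does not intercept either times out (dropped) or is refused (the real host answered, so there is a layer-3 path). The probe below is an added example written for this thread, not code from the UTM or from anyone posting here. It assumes the transparent web filter intercepts only TCP/80 and TCP/443, that the UTM drops rather than rejects blocked packets, and that the target host is up and would at least RST on 22/3389 if it were reachable; the port choices and the three verdict labels are my own.

```python
"""Tell "the UTM routes between my VLANs" apart from "the transparent web
proxy answers for the other VLAN" by looking at how TCP connects fail.

Added example for this thread; not code from the UTM product or the posters.
Assumptions (mine, not from the thread): the transparent proxy listens for
TCP/80 and TCP/443 only, and the firewall drops (does not reject) blocked SYNs.
"""
import errno
import socket
import sys

PROXIED_PORTS = (80, 443)   # assumed: ports the transparent web filter intercepts
CONTROL_PORTS = (22, 3389)  # assumed: ports no web proxy ever intercepts


def tcp_state(host, port, timeout=2.0):
    """Classify a single TCP connect attempt.

    'open'     - handshake completed: *something* accepted the SYN, which is
                 not necessarily the host you addressed (a transparent proxy
                 accepts on the host's behalf)
    'closed'   - RST came back: the host itself is reachable at layer 3,
                 the port just is not listening
    'filtered' - no answer or no route: nothing on the path let the SYN through
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def probe(host, timeout=2.0):
    """Probe the proxied and control ports of one cross-VLAN target."""
    return {p: tcp_state(host, p, timeout) for p in PROXIED_PORTS + CONTROL_PORTS}


def verdict(states):
    """Reduce per-port states to one explanation.

    routed            - a control port answered (open or RST): the firewall is
                        passing traffic between the VLANs, fix your rules
    proxy-intercepted - only 80/443 'connect': the UTM's transparent proxy
                        answered, not the host; use the Transparent Mode Skiplist
    isolated          - nothing answered (or the host is down, so pick a host
                        you know is up before trusting this verdict)
    """
    host_answered = any(states[p] in ("open", "closed") for p in CONTROL_PORTS)
    web_accepted = any(states[p] == "open" for p in PROXIED_PORTS)
    if host_answered:
        return "routed"
    if web_accepted:
        return "proxy-intercepted"
    return "isolated"


def self_check():
    """Offline sanity check of tcp_state() on loopback: a listening socket
    must read 'open', and the same port after close must read 'closed'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = tcp_state("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_state("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-check (listening, closed):", self_check())
    if len(sys.argv) > 1:
        # usage: python probe.py <ip of a host on another VLAN>
        results = probe(sys.argv[1])
        for port, state in sorted(results.items()):
            print(f"  tcp/{port}: {state}")
        print("verdict:", verdict(results))
```

Run it from a machine on VLAN 25 against a host you know is up on VLAN 20. If 80/443 come back `open` while 22/3389 are `filtered`, the web proxy is answering and a firewall rule will not help, which is exactly why the poster's block rule had no visible effect; add the network objects to the skiplist instead. If 22 or 3389 comes back `closed`, the host itself replied and the UTM really is routing the VLANs together.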
  • I'm having the same issue as the OP.

    I have several VLANs set up in UTM and my switch.  One of these VLANs (let's call it vlan4) is on a UTM interface that's connected to nothing (literally, nothing plugged in at the moment).

    I can type vlan4's interface ip address on a pc on the default vlan (or any other vlan) and it will open up the webadmin login page.

    Web filtering is turned off. I've even set up an explicit firewall rule at position 1 to block anything from any other interface to vlan4 for all ports, yet I can still open that page.  This suggests some other permit rule is allowing this before the firewall rules are applied.

    I'm confused about how to proceed to troubleshoot this further.  What I'd like is that WebAdmin should only be accessible when subnets match, i.e. while on the vlan4 subnet, connected to the vlan4 interface IP.  WebAdmin access from any other VLAN should not be possible.

    Thoughts?  Thanks!

    Sent you a private message some months back with my email address.  Hoping to get a copy of this document you reference above.

  • Check #2 in Rulz to see that your firewall rule is trumped by the firewall rules created when you configure 'Allowed Networks' in 'WebAdmin Settings'.

    Cheers - Bob
    PS Just found your message and sent the document off.  I usually respond within a few days, so if anyone else doesn't get a quick response, please knock again. ;-)

  • Bob,

    Thanks.  I just resent you the pm  - wrong email address entered initially.  Sorry!!

    Please clarify what you mean by your statement.

    In 'Allowed Networks' for WebAdmin settings I have the untagged network and the VLAN (down to 1 for now) entered.  Looking at ALL firewall rules, there doesn't appear to be any automatic entries being made. The allowed networks are of the format network object (x.y.z.0/24).

  • The automatic rules created by WebAdmin for the Reverse Proxy, User Portal and WebAdmin are not visible in WebAdmin.

    Cheers - Bob

  • It looks like the only way to block a VLAN's access to WebAdmin is by not having that VLAN in the WebAdmin permission list.  I suppose it makes some sense that if a network (host, etc.) is in the list, it should be accessible from _anywhere_ on the network.  Good way to keep from getting locked out.  I suppose this might be the reason this behavior is the way it is.

  • I always activate at least one Remote Access method and then include "myusername (User Network)" in 'Allowed Networks'.  I like to use SSL VPN as that enables me to login to the VPN from inside or outside the network.  In general, I prefer to limit WebAdmin access to specific IPs instead of entire subnets.

    Cheers - Bob

    For extra security, instead of the user "myusername" in 'Allowed Administrators', put an alternate user like "myadminuser."
