
New interface and how to block traffic from lan

Hi,

Internal LAN is 192.168.157.0/24 and the new interface added is 192.168.158.0/24.

Our Sophos SG 125 has the IP 192.168.157.70.

I'd like to block all traffic between LAN and 192.168.158.0/24, but the existing rule rejecting all traffic does not work: ping, telnet and more are allowed.

Why this situation?

Regards

  • Edgar, it sounds like you may be using the "Any" Network object instead of the "Internet" object in your firewall rules.  You shouldn't need to explicitly block traffic between the two subnets as it will be default dropped if not explicitly allowed.

    Also, pinging is regulated on the 'ICMP' tab of 'Firewall' and is not included in the "Any" service object.  I thought that the devs changed the selections 'Gateway forwards pings/traceroute' to not include ping/traceroute between all UTM interfaces, just those that go out an interface with a default gateway.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Even using the Internet object there is still traffic between the LAN interface and the new interface. Only one masquerade rule is defined: new_interface->WAN

    What is wrong?

    Regards

  • Please insert pictures of the relevant configurations open in Edit mode.

    Cheers - Bob

  • Hi,

    This is the rule:

    Any idea?

    Regards

  • Use "Internal (Network)" as the source instead of the "Internal (Address)" object.

    Cheers - Bob

  • I changed to Network and Reject, but same result.

  • Check out my Architecture document in the Wiki section.

    Generally, the proxies are good at content and reputation filtering, and the firewall layer is good at source-destination filtering, but traffic never flows through both. Filters applied at the proxy level only apply to that particular proxy, so proxy-level blocks cannot ensure a global block. The workaround is to create DNAT rules that approximate a firewall:

    • source-actual_destination to allow
    • source-deadend_destination to block

    The deadend destination either needs to be a non-existent address, such as an unused IP in your DMZ address range, or an inherently-unreachable address. For example, if you are using only 192.168.*.* internally, then routing unwanted traffic to 172.16.31.1 should create an inherently-unreachable deadend. My testing indicates that UTM responds to 127.0.0.*, so loopback addresses do not seem appropriate for the deadend address.

    Country blocking is also applied globally, but I have not yet figured out all of the details for Country Blocking Exceptions. They at least apply to Firewall, and may apply to WAF. For WebFiltering, you need to configure a URL-checking exception in WebFiltering to achieve the effect of the Country Blocking Exception, because the country blocking exceptions are ignored by the Web Filter proxy.

  • Edgar, see #2 in Rulz and consult my comment above about pings - you can't block pings allowed on the 'ICMP' tab, but you can allow pings not allowed on the 'ICMP' tab.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

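To make the two points of this thread concrete (the "Internal (Address)" object only matches the UTM's own IP, and pings allowed on the 'ICMP' tab cannot be rejected by a firewall rule), here is a small simplified model of the forwarding decision. It is an added illustration, not Sophos code or the UTM's real object model; the "Any -> Any" allow rule below the reject rule is an assumption about why the traffic was getting through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed network objects mirroring the thread (assumption: a simplified
# stand-in for the UTM's real definitions).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_ADDRESS = ipaddress.ip_network("192.168.157.70/32")  # "Internal (Address)": the UTM's own IP
INTERNAL_NETWORK = ipaddress.ip_network("192.168.157.0/24")   # "Internal (Network)": every LAN host
NEW_NETWORK = ipaddress.ip_network("192.168.158.0/24")        # the new interface's subnet


@dataclass
class Rule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    action: str  # "allow" or "reject"


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             gateway_forwards_pings: bool = True) -> str:
    """Simplified model (assumption, not vendor logic): ICMP echo is decided by
    the 'ICMP' tab before the rule list; otherwise the first matching rule wins
    and unmatched traffic is dropped (Rulz #2)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "icmp" and gateway_forwards_pings:
        return "allow"  # a Reject rule cannot override a ping allowed on the ICMP tab
    for rule in rules:
        if s in rule.source and d in rule.destination:
            return rule.action
    return "drop"


# The poster's original rule: the source is the *address* object, so traffic from
# LAN hosts never matches it, and an assumed broad allow rule lets it through.
WRONG = [Rule(INTERNAL_ADDRESS, NEW_NETWORK, "reject"), Rule(ANY, ANY, "allow")]
# Bob's fix: the *network* object matches every LAN host.
FIXED = [Rule(INTERNAL_NETWORK, NEW_NETWORK, "reject"), Rule(ANY, ANY, "allow")]

if __name__ == "__main__":
    for name, rules in (("Internal (Address)", WRONG), ("Internal (Network)", FIXED)):
        print(name,
              "tcp:", evaluate(rules, "192.168.157.50", "192.168.158.10", "tcp"),
              "icmp:", evaluate(rules, "192.168.157.50", "192.168.158.10", "icmp"))
```

Running it shows TCP from a LAN host reaching the new subnet under the address-object rule but being rejected under the network-object rule, while ICMP passes in both cases until the 'ICMP' tab setting is turned off.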