
How can I deny inter-VLAN routing

I have the following Network topology

WAN -> eth1 
Internal -> eth0 (default VLAN untagged) 10.10.10.0/24
Internal2 -> eth2 (VLAN 10 untagged) 10.10.20.0/24

On the switch, I simply have dedicated untagged ports for VLANs for the respective networks. My issue is I'm trying to isolate the internal networks from each other. I want to deny routing from Internal to Internal2 and vice-versa.

I've tried adding a No NAT rule from one network to the other but that didn't work. I also tried adding a firewall rule to drop packets from one network to the other and again I can still access it. I'm sure I'm missing something obvious that someone can point out.

  • There must be a firewall rule allowing traffic between Internal and Internal2.

    Possibly this FW rule is created automatically.

    Select "show all" to check this.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • There is no automatic firewall rule that would indicate that. The only things there are some DNAT port forwarding rules to specific IPs.

    There is a firewall rule added by the installation wizard:
    Internal -> Any Service -> Any Network

    I thought that rule was what was doing the routing, so I added an explicit drop (and I tried reject) action rule before the above rule:
    Internal -> Any Service -> Internal2

  • Ping is handled separately ... configure it somewhere in the firewall/ICMP settings.

    Also, the HTTP Proxy may forward port 80 traffic without a FW rule.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • As Perry said, if you allow ICMP through UTM no firewall rule will block it. Check https://community.sophos.com/kb/hu-hu/121415. If you are passing ICMP through, do your tests using any other protocol, as any ICMP will be allowed.

    Sophos UTM blocks everything unless specifically allowed, so you actually don't need a rule to block this access.

    You are right about the default created rule, as it would allow endpoints on the "Internal" network to access endpoints on the "Internal2" network, but not the other way around. But you have taken care of that already.

    Also check your masquerade NAT rule and make sure it masquerades only to external interfaces.

    Regards,

    Giovani

  • I'll need to go back onsite to fully test, but can you explain the masquerade NAT rule? I currently have Any -> WAN (interface), would I need to change that?

  • Nope, that's good.

    Unless you have another firewall rule allowing those networks to talk to each other, I don't see how this could be happening. Is the UTM the default gateway for both networks?

    Regards,

    Giovani

  • Yes, both internal networks have their respective gateways set to the IP defined on the Sophos, i.e. 10.10.10.1 and 10.10.20.1.

    I think I might have had the HTTP Proxy on earlier when I was testing. I'll have to try again to be sure, since I don't have a computer on the 2nd network at the moment.

  • Yes, if you have Web Protection enabled and what is passing is HTTP/S traffic, then that's it, as the traffic will be relayed by the proxy to the other network. You'll have to block that access through Web Protection policies if that's the case.

    Regards,

    Giovani
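    The replies above describe three things that decide whether a packet crosses from Internal to Internal2: the global ICMP setting, the transparent HTTP proxy, and the top-down packet-filter table with its implicit default deny. The following is an added model of that decision path (constructed for this thread, not the UTM's code or anything posted by the participants); the sample hosts 10.10.10.5 and 10.10.20.5 and the assumption that the proxy intercepts TCP 80/443 are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology; "any" stands for the UTM's Any object.
INTERNAL = ip_network("10.10.10.0/24")    # eth0, default VLAN untagged
INTERNAL2 = ip_network("10.10.20.0/24")   # eth2, VLAN 10 untagged

@dataclass(frozen=True)
class Rule:
    src: object    # IPv4Network or "any"
    dst: object    # IPv4Network or "any"
    proto: str     # "tcp", "udp", "icmp" or "any"
    port: object   # int or "any"
    action: str    # "allow" or "drop"

# Rule table as the thread describes it, evaluated top-down, first match wins:
# the OP's explicit drop placed above the wizard's Internal -> Any Service -> Any Network rule.
RULES = [
    Rule(INTERNAL, INTERNAL2, "any", "any", "drop"),
    Rule(INTERNAL, "any", "any", "any", "allow"),
]

def _hit(net, addr):
    return net == "any" or addr in net

def verdict(rules, src, dst, proto, port=None, icmp_forward=True, transparent_proxy=True):
    """Return (action, reason). Two paths are checked before the rule table because,
    per the replies, neither the ICMP forwarding setting nor the transparent HTTP proxy
    is subject to packet-filter rules (proxy ports 80/443 are an assumption here)."""
    s, d = ip_address(src), ip_address(dst)
    if proto == "icmp" and icmp_forward:
        return "allow", "global ICMP forwarding setting"
    if transparent_proxy and proto == "tcp" and port in (80, 443):
        return "allow", "relayed by the HTTP proxy, not the packet filter"
    for n, r in enumerate(rules, 1):
        if (_hit(r.src, s) and _hit(r.dst, d)
                and r.proto in ("any", proto) and r.port in ("any", port)):
            return r.action, f"rule {n}"
    return "drop", "implicit default deny"

def why_still_reachable(src="10.10.10.5", dst="10.10.20.5"):
    """Reproduce the OP's test set: which probes cross the VLAN boundary and why."""
    return {
        "ping": verdict(RULES, src, dst, "icmp"),
        "http": verdict(RULES, src, dst, "tcp", 80),
        "ssh": verdict(RULES, src, dst, "tcp", 22),
        "http, proxy off": verdict(RULES, src, dst, "tcp", 80, transparent_proxy=False),
        "ping, icmp off": verdict(RULES, src, dst, "icmp", icmp_forward=False),
    }
```

    Running `why_still_reachable()` shows ping and HTTP succeeding despite the drop rule, while SSH is stopped by it; in the reverse direction (Internal2 to Internal) no rule matches at all and the default deny applies, which is Giovani's point that no explicit drop is needed there.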

  • Hi, Perry, and welcome to the UTM Community!

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA