
Limit device access to specific domains and IPs

Hi,

I’ve been using XG for a week now on my home network after switching from UTM, which I used for 13 years. I’m pleasantly surprised how nice XG is; in my case it’s much faster than UTM was, but I’m still learning the new logic.
Right now I would like to limit the internet access of my home devices (NAS, Smart TV, Receiver, etc.) to the necessary domains, and I’m having problems doing that.
On UTM I used web filtering with a default block-everything filter action: I watched the live log while, for example, trying to watch a clip on YouTube on my Smart TV and allowed the domains it needed to work.

On XG I tried to achieve the same with firewall rules but for some reason I can’t get it working. I created a rule like this:
Name: Device block
Action: Drop
Source zone: Home Lan
Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS, etc.
Destination zone: WAN
Destination networks and services: Any

Then I added an exclusion

Source zone: Home Lan
Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS, etc.
Destination zone: WAN
Destination networks: added the same URLs I used on UTM as FQDN hosts

What happens is that on the TV the YouTube app starts up, I can see the clips, I can browse and search, but if I try to watch a video I only receive a black loading screen and nothing happens. It’s basically the same if I try to cast a movie from Plex on my Synology NAS to Chromecast (it’s used with a non-smart TV): I just get a black screen. If I turn the rule off, everything works.
I tried the live log on the admin page, but it doesn’t seem very live to me. I tried to use Packet capture, where I could find some traffic going to the TV, but there were no blocks, just consumed packets.

What could be the problem here? Is there a way to dig more deeply in the logs? I tried tail on some logs on the advanced shell but found only static entries.

Thanks in advance
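To make the rule set in the post concrete, here is a small first-match rule evaluator written for this thread. It is an added illustration, not Sophos XG code and not how XG implements FQDN hosts internally. It assumes the common firewall behaviour that an FQDN host only matches destination IPs the firewall has already resolved for that name, and that rules are evaluated top to bottom with the first match winning, so the exclusion must sit above the Drop rule. The device names are taken from the post; the hostnames and addresses in the resolved-name table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed DNS snapshot: the addresses the firewall has resolved each FQDN
# host to. These are documentation-range addresses made up for the example.
RESOLVED = {
    "www.youtube.com": {"203.0.113.10"},
    "i.ytimg.com": {"203.0.113.11"},
}


@dataclass
class Rule:
    name: str
    action: str                                  # "accept" or "drop"
    src_devices: set
    dst_fqdns: set = field(default_factory=set)  # empty set means "Any"


def fqdn_matches(rule: Rule, dst_ip: str) -> bool:
    """An FQDN host matches only the IPs currently resolved for it."""
    if not rule.dst_fqdns:
        return True
    return any(dst_ip in RESOLVED.get(name, set()) for name in rule.dst_fqdns)


def evaluate(rules, src_device: str, dst_ip: str):
    """First-match evaluation; returns (rule name, action)."""
    for rule in rules:
        if src_device in rule.src_devices and fqdn_matches(rule, dst_ip):
            return rule.name, rule.action
    return "default", "drop"  # hypothetical implicit default for the model


DEVICES = {"Chromecast", "Denon X2300", "Samsung SmartTv", "NAS"}

# The exclusion is listed first so that it is matched before the Drop rule.
RULES = [
    Rule("Allow listed FQDNs", "accept", DEVICES, {"www.youtube.com", "i.ytimg.com"}),
    Rule("Device block", "drop", DEVICES),
]


def walkthrough():
    """Evaluate three constructed connections from the Smart TV."""
    return {
        "listed host": evaluate(RULES, "Samsung SmartTv", "203.0.113.10"),
        # An address no listed FQDN has resolved to (e.g. a video CDN node)
        # falls through to the Drop rule.
        "unlisted host": evaluate(RULES, "Samsung SmartTv", "198.51.100.77"),
        # A device not in the rule's source list hits neither rule.
        "other device": evaluate(RULES, "Laptop", "203.0.113.10"),
    }


if __name__ == "__main__":
    for case, (rule, action) in walkthrough().items():
        print(f"{case:14} -> {rule!r}: {action}")
```

The point of the model is the second case: everything the TV talks to that is not covered by a resolved FQDN in the exclusion lands on the Drop rule, which is why watching the log for the exact destinations that appear during playback matters, and why the position of the exclusion relative to the Drop rule is the first thing to confirm.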
This thread was automatically locked due to age.
  • Hmm, HTTP proxy isn't even enabled. I'm trying to understand the logic here: how can traffic be allowed and denied by one simple drop rule?

  • Hi,

    if you aren't using the proxy then you are using SSL/TLS inspection.

    Please post a copy of your rule, not what you think it says, but a screenshot, and of where it sits in your rule list.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi

    thank you for those details. Where does the group sit in your firewall rule listing?

    There is nothing obviously wrong that I can see, so that points to a problem with other rules/configuration confusing the XG processing.

    Ian

  • If I understand your problem, your concern is that the Log Viewer shows traffic which should not be allowed by Rule 7, but shows Rule 7 as "Allowed" anyway.

    That is a tricky issue right now in the Log Viewer (database) itself.

    As XG has two different mechanisms to allow/deny traffic, you can allow traffic going "through" and going "to" XG.

    One is Firewall, you can deny and allow traffic via Firewall rule going through XG (LAN-WAN).

    The Other is Device Access, you can allow Traffic going to XG (LAN to LAN Interface). 

    As XG is aware of the sessions, most likely a session could be going to XG, but builds up another session.

    For example: Transparent Web Filtering is a proxy. Hence you are "actually" communicating with the XG LAN interface, as XG will use a proxy on the LAN port.

    The connection will be: Client - WAN, but actually you have two different sessions: Client to LAN interface (port 443), WAN interface to server (port 443).

    Therefore we are now in the tricky spot: you deny the traffic from client to server (LAN to server), but allow LAN to proxy interface.

    This transparent Proxy will actually perform a redirect of the Port from 443 to 3128 (internally). 

    So we are sitting there and do not know what to do, as the session is actually allowed (TCP) by the proxy (Device Access) but on the other side not allowed for the actual session.

    So we are allowing the Client to communicate to the proxy, as you allowed this in the Device Access page, but the Proxy will deny the request anyway (as Firewall Rule).

    Hence: TCP is allowed, application based is denied.

    Hope this makes sense?

  • It's on the top of incoming rules. I tried to disable all unrelated rules too but no luck.

  • Thanks for the detailed explanation, this makes sense.

    My main concern is not the log itself, it’s that the way I’m trying to control my devices’ internet access, like I used to do on UTM, isn’t working for some reason. I thought that maybe this strange behavior I saw in the logs gives an explanation why YouTube videos are stuck at the loading screen on my TV most of the time, but not always.

    I don’t have proxy enabled, basically all the advanced features are turned off now in this rule.  

  • Hi,

    What services have you allowed in your home LAN zone?

    Ian