
Understanding issue with firewall rules between LAN subnets

Hi all,

I think I am just misunderstanding how this works but maybe you can help me with clarifying. :-)

Components:
- Sophos XGS 126
- TP-Link Managed Switch

Configuration:
- Sophos connected to switch via LAG on fibre channel, IP: 10.51.1.30/27 (VLAN 1010)
- Multiple VLAN interfaces added on the LAG interface (all in zone "LAN")
- Switch has 10.51.1.26/27 in same VLAN
- Client is connected to switch in different VLAN (1130) which is routed via the firewall (Sophos should be gateway for all subnets)

Goal:
- Be able to control traffic between different VLANs (i.e. clients should not be allowed to access switches, but should be able to reach printers in a different subnet).

Issue:
As I understand, the Sophos has a DROP ALL rule which drops all traffic not explicitly allowed by other rules before it. So this means from my understanding that no traffic between VLANs (even on the same zone, LAN in this case) should work in the first place, right? 

What I experience: I have configured no firewall rules, but I can ping the switch (10.51.1.26) and even access the web interface from my client (10.51.13.1). A tracert shows that the traffic definitely goes through the firewall. So it seems to me as if the DROP ALL rule does not work here...? I also tried creating new zones and moving the firewall interfaces to different zones (still LAN, but a newly created zone in it), but that also had no effect.

Question:
How can I accomplish the goal to control traffic between different LAN subnets? What are the best practices here?

Thanks in advance for your replies!

Best regards
Ben

  • You need a rule lan any to lan any all services.

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat_vk,

    what do you mean? An additional DROP ALL rule denying traffic for all zones?

  • No, an allow all rule between LAN zones or if you want to restrict then you would need to add the VLAN networks in both source and destination networks.

    Ian

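As an added illustration (not Sophos code and not from anyone in this thread), here is a small Python model of ordered, first-match rule evaluation that implements Ian's second suggestion: name the VLAN networks in source and destination, then drop the remaining LAN-to-LAN traffic explicitly. The client and printer subnet masks (10.51.13.0/24, 10.51.14.0/24) and the printer services are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of first-match firewall rule evaluation (added example,
# not Sophos code). Rules match on zone, then network, then service; a new
# flow that matches no rule falls through to the implicit final drop.

@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_nets: list = field(default_factory=list)   # CIDRs; [] means any
    dst_nets: list = field(default_factory=list)
    services: set = field(default_factory=set)     # e.g. {"tcp/443"}; set() means any

def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """Return (action, rule_name) for a new flow, using the first matching rule."""
    for r in rules:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if not _in_nets(src_ip, r.src_nets) or not _in_nets(dst_ip, r.dst_nets):
            continue
        if r.services and service not in r.services:
            continue
        return r.action, r.name
    return "drop", "implicit DROP ALL"

# Assumed subnets for the example: the client VLAN 1130 and a printer VLAN.
CLIENTS, PRINTERS = "10.51.13.0/24", "10.51.14.0/24"

# Restrict LAN-to-LAN by naming the VLAN networks in source and destination,
# then drop the rest explicitly so the intent shows in the rule table and logs.
# Only new flows are evaluated; reply packets ride the existing connection.
POLICY = [
    Rule("Clients to printers", "accept", "LAN", "LAN", [CLIENTS], [PRINTERS],
         {"tcp/9100", "tcp/631"}),
    Rule("Block other inter-VLAN", "drop", "LAN", "LAN"),
]

if __name__ == "__main__":
    for flow in [("10.51.13.1", "10.51.1.26", "tcp/443"),    # client -> switch GUI
                 ("10.51.13.1", "10.51.14.20", "tcp/9100"),  # client -> printer
                 ("10.51.14.20", "10.51.13.1", "tcp/9100")]: # printer -> client
        print(flow, evaluate(POLICY, "LAN", "LAN", *flow))
```

Placing a broad "LAN any to LAN any" accept rule above these two rules makes the switch reachable again, which is why rule order matters as much as the rules themselves.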

  • I am trying to accomplish the exact opposite - at the moment, everything seems to be allowed as accessing a device in a different VLAN works without any additional firewall rule that allows this connection.
    I want to block everything by default and only allow specific connections by adding firewall rules. At the moment, firewall rules make no sense as everything seems to be allowed although the default DROP ALL rule is in place.

  • You change to drop.

    Are you sure the firewall is passing the traffic and not the switch?

    Please post a copy of your interfaces in expanded mode.

    Ian


  • Hi,
    Yes, the traffic passes through the firewall, as the traceroute shows that it goes via the gateway (the Sophos VLAN interface for this subnet) and then reaches the switch.

    But my initial question is: should traffic between different VLANs on the same zone be blocked by default or not? All VLANs currently are in the LAN zone. If I am trying to reach the Internet (WAN) via a zone that is not explicitly allowed then the DROP works as designed.
    So I fear that the DROP only works from one zone to another (LAN to WAN) but not LAN to LAN.

  • It should work from LAN to LAN, mine do, but I only have LANs not VLANs.

    There was a fix in a recent release for VLANs, which version of XG are you running?

    Ian


  • 18.5 MR1 (MR2 was released a few days ago but is not available for download yet).

    OK - so I use the two physical FC ports, which are natively set to VLAN 1010; all other VLANs are tagged on this interface. I simply added all VLANs needed and assigned them to the LAN zone.