Hi!
I am a proud owner of an XGS 107 and pretty happy with it. I am running a homelab with a few VLANs, really nothing special. But there is something that is bothering me: I am also using Barracuda firewalls where I work, and there I really like the option to create a network object which allows all the devices in a VLAN access to the internet, but not access to the LAN (RFC 1918 networks).
Here, so you can imagine what I mean:
In a rule this translates: Allow to 0.0.0.0/0 but NOT 10.0.0.0/8, NOT 172.16.0.0/12 and NOT 192.168.0.0/16.
Is there any possibility to reach this in Sophos? I really don't like to have so many fw rules, just to block / allow something. Thank you in advance for your help! If anybody has something similar, I would be happy if you can share your own Sophos settings with a picture!
There are some options ...
Preferred/mostly used: Firewall-rule with "WAN-Zone - any" as destination
possible: Firewall-rule with allow access to any but exception to RFC1918 Networks (looks like the Barracuda rule ... but why ...)
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
I think there is a flaw in the thinking: the only time that would work is if there is a smart switch configured to block interport routing between the users and the firewall; otherwise the traffic will be routed via the switch to other devices on that network.
The XG firewall rule would be similar to this: source zone LAN, source network Portx, destination zone WAN, destination network ANY, ANY service, allow and maybe logging. The XG does not normally pass traffic between interfaces unless you specifically allow it with firewall rules.
Ian
XGS118 - v21.5.0
XG115 converted to software licence v21.5.0
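A simplified model of the two options listed in Dirk's reply, added here as an example (it is not part of the thread and not Sophos's rule-evaluation code): it compares a "destination zone WAN" rule with an "any except RFC 1918" rule and shows where the two decide differently. The routing table, the zone assigned to each prefix and the sample addresses are constructed assumptions.

```python
import ipaddress

# The three RFC 1918 ranges named in the question.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing table for illustration: (prefix, egress zone).
ROUTES = [
    ("0.0.0.0/0", "WAN"),         # default route to the ISP
    ("192.168.10.0/24", "LAN"),   # VLAN 10
    ("192.168.20.0/24", "LAN"),   # VLAN 20
    ("203.0.113.0/28", "DMZ"),    # public range hosted behind the firewall
]

def egress_zone(dst):
    """Zone of the longest-prefix route that matches dst."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), zone) for p, zone in ROUTES
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def allow_by_zone(dst):
    """Option 1: allow only when the destination zone is WAN."""
    return egress_zone(dst) == "WAN"

def allow_by_exclusion(dst):
    """Option 2: allow any destination except the RFC 1918 ranges."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in RFC1918)

def compare(destinations):
    """Map each destination to (zone, zone-rule verdict, exclusion-rule verdict)."""
    return {d: (egress_zone(d), allow_by_zone(d), allow_by_exclusion(d))
            for d in destinations}

if __name__ == "__main__":
    samples = [
        "198.51.100.7",    # internet host: both rules allow
        "192.168.20.5",    # other VLAN: both rules block
        "203.0.113.5",     # public address in the DMZ: only the exclusion rule allows
        "192.168.100.1",   # private address behind the default route: only the zone rule allows
    ]
    for dst, (zone, by_zone, by_excl) in compare(samples).items():
        print(f"{dst:15} zone={zone:4} zone-rule={by_zone!s:5} exclusion-rule={by_excl}")
```

The two rules agree for ordinary internet and inter-VLAN traffic; they differ for public addresses that sit in an internal zone and for private addresses that are only reachable through the WAN interface.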