
How to create a network object / host / rule which allows access to WAN but not LAN (RFC 1918)

Hi!

I am a proud owner of an XGS 107 and pretty happy with it. I am running a homelab with a few VLANs, really nothing special. But there is something that is bothering me: I am also using Barracuda firewalls where I work, and there I really like the option to create a network object which allows all the devices in a VLAN access to the internet, but not access to the LAN (RFC 1918 networks).

Here, so you can imagine what I mean:

Network Object

In a rule this translates: Allow to 0.0.0.0/0 but NOT 10.0.0.0/8, NOT 172.16.0.0/12 and NOT 192.168.0.0/16.

Is there any possibility to achieve this in Sophos? I really don't like having so many firewall rules just to block / allow something. Thank you in advance for your help! If anybody has something similar, I would be happy if you could share your own Sophos settings with a picture!



  • There are some options ...

    Preferred/mostly used: Firewall-rule with "WAN-Zone - any" as destination

    possible: Firewall-rule allowing access to any, with an exception for the RFC 1918 networks (looks like the Barracuda rule ... but why ...)


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I think there is a flaw in the thinking: the only time that would work is if there is a smart switch configured to block inter-port routing between the users and the firewall; otherwise the traffic will be switched directly to other devices on that network.

    The XG firewall rule would be similar to this: source zone LAN, source network Portx, destination zone WAN, destination network ANY, ANY service, allow and maybe logging. The XG does not normally pass traffic between interfaces unless you specifically allow it with firewall rules.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
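To make the two rule styles from the replies above concrete, here is an added model (not Sophos or Barracuda code, written for this thread) that evaluates the same destinations against a Barracuda-style "any except RFC 1918" object and a Sophos-style "destination zone WAN" rule, and also flags same-VLAN traffic that never reaches the firewall. The VLAN subnets and the route-based zone lookup are constructed assumptions.

```python
"""Constructed model of the two rule styles discussed in this thread.
Not vendor code; LAN_SUBNETS and the zone lookup are assumptions."""
import ipaddress

# Ranges excluded by the Barracuda-style object ("any but not RFC 1918")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed homelab layout: VLAN interface subnets that sit in the LAN zone
LAN_SUBNETS = [ipaddress.ip_network(n)
               for n in ("10.10.1.0/24", "10.10.2.0/24")]


def allowed_by_exception_rule(dst: str) -> bool:
    """Barracuda-style object: destination 0.0.0.0/0 minus the RFC 1918 ranges."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in RFC1918)


def destination_zone(dst: str) -> str:
    """Zone the firewall derives from its route lookup: LAN when a local
    interface subnet covers the address, otherwise WAN via the default route."""
    ip = ipaddress.ip_address(dst)
    return "LAN" if any(ip in net for net in LAN_SUBNETS) else "WAN"


def allowed_by_zone_rule(dst: str) -> bool:
    """Sophos-style rule: source zone LAN -> destination zone WAN, network ANY."""
    return destination_zone(dst) == "WAN"


def firewall_consulted(src: str, dst: str) -> bool:
    """Ian's point: hosts in the same VLAN subnet talk through the switch,
    so the firewall never sees that traffic and no rule can block it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in net and d in net for net in LAN_SUBNETS)


def compare(src: str, dst: str) -> dict:
    """Verdict of each rule style for one flow ('local' = never reaches the firewall)."""
    if not firewall_consulted(src, dst):
        return {"exception_rule": "local", "zone_rule": "local"}
    return {"exception_rule": "allow" if allowed_by_exception_rule(dst) else "drop",
            "zone_rule": "allow" if allowed_by_zone_rule(dst) else "drop"}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.10.2.7", "10.10.3.5", "192.168.1.1"):
        print(dst, compare("10.10.1.5", dst))
```

Note the one destination where the two styles diverge: a private address that is not on any local interface (10.10.3.5 here) is still "WAN" by route lookup, so the zone rule allows it while the RFC 1918 exception drops it.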
