Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 2 answers
  • Subscribers 6 subscribers
  • Views 3530 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9.7 SSL - SSL VPN allows Local Network Access when only Internet IPv4 is configured

thehihatchi

Hi Guys,

I'm running the latest UTM 9 (version 9.705-3). I have the following configuration:

LAN 1: 10.10.1.0/24

LAN 2: 10.10.2.0/24

SSL VPN Pool: 10.10.3.0/24

Everything works fine. I can log in with VPN users and they get allocated an IP address as expected from the SSL VPN Pool.

Now the issue comes in with the access rights: Under Remote Access -> SSL -> Profiles if i add ONLY "Internet IPV4" and none of the LANs  in the Local Networks section so as to only access internet through the VPN, i realized i could also access port 80 on the devices in LAN 1 and LAN 2 (e.g. printers, switches).

The automatic firewall rules are deactivated. So I tested whether i could access the internet - of course it doesnt work as expected because there is no firewall rule, but i can still access LAN1 and LAN2 devices on port 80.

I found this to be quite strange so I added a firewall rule at the top (Network Protection -> Firewall) to explicitly drop traffic from the SSL VPN pool going to Any location. This still doesnt drop traffic to LAN1 and LAN2. I tried dropping the specific traffic (instead of Any i used LAN1 and LAN2 specifically) - nothing works. I even went through the the whole process again and now instead of "Internet IP4" in the Local Networks section i used "Any" - the result is the same.

Internet Access works fine if i anable auto firewall rules or make my own,  and set up masquarading, dns etc. but still i can access the Local Networks.

Interestingly if i only include LAN 1 in the Local Networks section, i cannot access LAN 2 (and off course the internet is not routed through the UTM).

So my question: Might anyone else have experienced this? Have I stummbled across a bug? Or may I have some misconfiguration? I have searched through the forums and haven't found anything related to this.

Best Regards,

Eugene



This thread was automatically locked due to age.
Parents
  • 0

    Hi All,

    An Update incase anyone ever runs into the same issue:

    After hours of searching i found the culprit myself. ->> Web Filtering!!! It seems to be a more general issue.. It looks like LAN traffic on ports 80, 443 is only controlled by the Web proxy and not the Firewall. This is quite wierd because WAN Traffic is blocked by the firewall if there are no firewall rules explicitely allowing it. The workaround I implemented was a web filter profile for the SSL VPN Network with Regex rules blocking traffic to the LAN. This would however be very cumbersome to implement in an envrironment with several LANs having internet access and granular rules to control inter-network traffic.

    I would be interested in Sophos take on the issue. Is this intended to work this way or was it a programming oversight? ..Or do i have a misconfiguration somewhere?

    Regards

    Eugene

  • 0 in reply to thehihatchi

    Hello,

    this is by design. You just confused what is meant by "local networks" in that vpn settings, you shouldn't put the object "Internetv4" in there.

    Local means LOCAL. "Internetv4"is everything BUT local. If you want your VPN clients to access the internet through your WebProxy running on the Sophos, access to your local LANs is sufficient. So this is indeed a misconfiguration. Further on, if using the Webfilter-proxy, you should not allow any clients to go to the Internt directly. (circumventng the proxy)

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    HI  jprush,

    Thanks for your reply. I have tried adding ONLY a LAN network with access to internet and excluding Internet IPv4. This doesnt work. It results in a Split Tunnel. Only traffic to the selected LAN is allowed. Somehow there doesn't seem to be any difference between "Any" and "Internet IPv4". When i only include internet IPV4 or any then define  firewall rules etc and include the SSL pool in the webfilter, internet traffic is proxied.

  • 0 in reply to thehihatchi

    Hello,

    maybe you are missing the MASQ entry for the VPN-Pool towards the Internet-Interface?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • 0 in reply to thehihatchi

    Hello,

    maybe you are missing the MASQ entry for the VPN-Pool towards the Internet-Interface?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Children
  • 0 in reply to PhilippRusch

    I have masquerading  set up and can access the internet, through the Utm and web proxy when I have internetIpv4 added to the local networks.. If i don’t add internetipv4 or „Any“ i have a split tunnel. 
    My issue is only that if I do this I can also access LAN services on ports 80 and 443. 

    Just to be clear, you are saying that if I set up Only a LAN network in the local networks section I should also be able to connect to the internet? Wouldn’t that be in contradiction of the Sophos userguide? ..and this would create another „problem“ if I don’t want VPN users to access the internet through the UTM.

  • 0 in reply to thehihatchi

    Local Network means local network, please believe me.

    There is a misconfiguration in your setup that I will really help you to figure out.

    If you do not want the VPN Clients to access the internet, then just do NOT setup a firewall rule like I told before. It‘s that simple!

    What do you mean by contradiction to the userguide? Please cite that passus.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    Hi Again,

    I have done a few more tests with your recommended configuration.

    Following scenario:

    1 LAN (LAN 1) in the SSL VPN  local networks section with with firewall rules set up masq. and ssl vpn network included in the webfilter.

    VPN Client - Device with IPv4 XX

    Result:

    Client with IPv4 XX connects to VPN and gets an internal ip from SSL VPN Pool. The client has access to LAN1 and internet access which is controlled by the firewall but does NOT go through Webfiltering (No entries in Webfilter Log). The internet address seen when surfing is still XX although there is additionally an IPV6 address which was not there before when not connected to the VPN.

    When I include "Internet IPV4" or "Any" in the Local Networks, the device surfs the internet with the UTM IPv4 address (External Address YY and NOT XX) and traffic goes through the webproxy. BUT the VPN client also can access LAN 2 services on port 80 and 443 which is not configured anywhere!

  • +1 in reply to PhilippRusch

    I found a 4 year old thread in the German Forum which is basically the issue but from a diifferent perstpective.. It seems like all port 80 and 443 traffic for networks configured to use the Webfilter is controlled by the Webfilter regardless of the Firewall config. Hence when i configure "Internet IPv4" or "Any" in the Local Networks section of SSL VPN and add SSL VPN pool to the webfilter, the VPN user gets access to all "Port 80 and 443" by default. The rest is controlled by the firewall. The VPN user can thus already access these port services in the Local Networks but requires Masq. and at least DNS allowed in the firewall to get to internet locations.

    Interesting but it seems the only way to have VPN internet proxied is by selecting "Internet IPV4" or "Any" in the local networks section, and then blocking the local networks (Ports 80 and 443) in the Webfilter for networks that should not be accessed.

    I have also tested this generally (Now regardless of VPN). I have LAN1 and LAN2 in the webfilter and my first firewall rule is to block ALL traffic from LAN1 to LAN2, i can still access ports 80 and 443 on LAN2 unless i block them explicitly in the webfilter. Maybe Sophos should add this information on the Webfilter page. It is not intuitive and i had to really search to discover this.

    Here's a link to the thread:

    https://community.sophos.com/utm-firewall/f/german-forum/94073/utm9-firewall-port-80-und-443-standard-erlaubt/341204

Unfiltered HTML