UTM Routing between Interfaces

The setup is a layer 2 switch with 2 VLANs, Management (172.20.20.0/24) and Data (192.168.100.0/24). The VLANs are separate port groups. The switch has a physical connection for each VLAN connected to 2 interfaces on the UTM. The UTM is the default gateway for each VLAN and is handling all routing, DHCP & DNS. It appears by default the UTM is routing between the two interfaces. I am able to access the Management network while connected to the Data network. I want to keep the Management network separate and only accessible by physically plugging into one of the dedicated switch ports. I have tried firewall rules but that did not work. The only way I was able to prevent accessing the Management network from the Data network was to set up a DNAT blackhole rule. However, I am still able to access the UTM WebAdmin Management interface from the Data network. Does the UTM automatically route between its interfaces? Is a NAT rule the only way to prevent it? Is there any way to prevent accessing the WebAdmin Management interface from the Data network?

  • Firewall rules won't prevent the Web Proxy from passing traffic.  If a DNAT blackhole works, then you're using Web Filtering in Transparent mode.

    You could add the Management VLAN to the 'Transparent Mode Skiplist' and uncheck 'Allow HTTP/S traffic for listed hosts/nets.'

    A better approach would be a separate Web Filtering Profile for the Management VLAN.  Then, block the website(s) in the Management VLAN in the Profile for the Data VLAN.  This second approach also blocks Data->Management traffic if the user addresses the Proxy in Standard mode.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
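The reply above turns on one point a practitioner should confirm before changing profiles: whether the Data->Management traffic is being carried by the transparent Web Filter (which grabs TCP/80 and TCP/443 before packet-filter rules apply) or by plain inter-VLAN routing. The script below is an added diagnostic, not part of the original thread or Sophos' tooling: run from a host on the Data VLAN, it probes a Management-VLAN address on a few ports using only the shell's `/dev/tcp` and `timeout`, then classifies the result. If only 80/443 answer while other ports are refused or time out, the proxy is passing the traffic and the Web Filtering Profile fix applies; if a non-web port such as 22 answers, routing/firewall is allowing it. The address 172.20.20.1 and the port list are assumptions; 4444 is the UTM WebAdmin default listener.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Probe a Management-VLAN host from
# the Data VLAN and tell transparent-proxy leakage apart from open routing.
# Assumed values: MGMT_HOST=172.20.20.1 and the port list; edit as needed.

# probe HOST PORT -> prints "open" or "closed" (never fails the script)
probe() {
    host="$1"; port="$2"
    # bash's /dev/tcp opens a TCP connection; timeout bounds filtered ports
    if timeout 2 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# classify PORT:STATE ... -> one verdict:
#   routed     : a non-web port answered, so routing + firewall allow it
#   proxy-only : only 80/443 answered, the transparent Web Filter is passing it
#   isolated   : nothing answered
classify() {
    routed=0; web=0
    for entry in "$@"; do
        port="${entry%%:*}"; state="${entry##*:}"
        [ "$state" = open ] || continue
        case "$port" in
            80|443) web=1 ;;
            *)      routed=1 ;;
        esac
    done
    if [ "$routed" = 1 ]; then echo routed
    elif [ "$web" = 1 ]; then echo proxy-only
    else echo isolated
    fi
}

# main HOST [PORTS] -> prints per-port state and the verdict
main() {
    mgmt_host="${1:-172.20.20.1}"       # assumed UTM Management-VLAN address
    ports="${2:-22 80 443 4444}"        # 4444 = UTM WebAdmin default port
    results=""
    for p in $ports; do
        s=$(probe "$mgmt_host" "$p")
        printf '%s/tcp %s\n' "$p" "$s"
        results="$results $p:$s"
    done
    # shellcheck disable=SC2086  # word-splitting results into arguments is intended
    echo "verdict: $(classify $results)"
}

# Run only when a host is given, e.g.:  bash probe.sh 172.20.20.1 "22 80 443 4444"
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats when reading the verdict. A Management-VLAN web server on a non-standard port is not intercepted by the transparent proxy, so it will show up under "routed" even when the Web Filter is the only path for 80/443. And the UTM's own WebAdmin listener on 4444 is not proxy traffic at all: which networks may reach it is governed by the Allowed Networks list under Management > WebAdmin Settings, so a Data-VLAN hit on 4444 points there rather than at the Web Filter or the packet filter.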