
VLAN firewalling not working

Sigh my browser died and I have to write this again. It was a lot more creative before, I can tell you that.

 

So I have a datacenter with a Sophos UTM 9.506-2 cluster as my gateway. I've created a new VLAN210 which is not supposed to talk to VLAN31 for example. To accomplish this I've created a firewall rule. See below for details.

Ping from a VLAN31 machine to a VLAN210 machine is still working though. traceroute shows the VLAN31 gateway as the first hop and the next is the target machine. Our firewall environment is a jungle made of wildly thrown rules without much of a concept, dealing with spontaneous situations. However, the VLAN210 is completely new and I couldn't find firewall rules that have source and destination set to ANY that would overrule something. I've tried to set this firewall rule to the top and to the bottom, no effect though.

 

I don't expect you to magically solve this problem for me. I'd rather solve it myself with some hints from you to look at this from a fresh perspective. Apparently I'm out of options and it kills me that this is not working as expected since it's not rocket science. I'm in general not new to Sophos which makes this much more frustrating. If you have any questions or need more information just let me know.

 

Kind Regards and my deepest apologies for wasting someone's time



  • Hi Dennis,

     

    I think "Ping" is not considered with "Any". What is your ICMP setting in the top row? Because if it says allow ICMP there, it overrides the firewall setting, if I'm not mistaken. There is also an option for traceroute. So could it be that only pings go through and the actual firewall rule is working correctly?

    I tend to use telnet to a port like 80 more often to test the general connectivity instead of ping.

     

    Regards

     

    Jason


    Sophos Certified Architect - UTM
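    Jason's point above, that a gateway-wide "allow ICMP" setting lets ping succeed even when the firewall rule between the VLANs is working, means ping is not evidence of segmentation. The following is an added example, not code from the thread or from Sophos, of the kind of TCP probe he suggests in place of ping: it distinguishes "open" and "closed" (both meaning the packets reached the host, so the rule is not blocking) from "filtered" (no answer, the usual signature of a firewall drop). The target address 192.0.2.10 and the ports are constructed placeholders for a VLAN210 host.

```python
import socket
import threading

# Probe outcomes. A global ICMP allow on the gateway makes ping succeed regardless
# of the firewall rules, so a TCP connect is the more honest test of whether a
# rule between two VLANs actually takes effect.
OPEN = "open"                # handshake completed: traffic allowed and a service listens
CLOSED = "closed"            # RST received: traffic reached the host, nothing listens there
FILTERED = "filtered"        # no answer within the timeout: typically a firewall drop
UNREACHABLE = "unreachable"  # local or network error before any reply (no route, admin-prohibited)


def tcp_probe(host, port, timeout=2.0):
    """Return OPEN, CLOSED, FILTERED or UNREACHABLE for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except socket.timeout:
        return FILTERED
    except ConnectionRefusedError:
        return CLOSED
    except OSError:
        return UNREACHABLE


def interpret(ping_ok, probe_result):
    """Combine a ping observation with a TCP probe result into a diagnosis of the rule."""
    if probe_result in (OPEN, CLOSED):
        return "firewall rule NOT blocking: TCP reaches the target host"
    if probe_result == FILTERED and ping_ok:
        return "firewall rule blocking TCP; ping passes because of a global ICMP allow"
    if probe_result == FILTERED:
        return "firewall rule blocking: TCP and ICMP both dropped"
    return "no route or local error: check the VLAN interface and routing before the rule"


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port (used only for local self-testing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before a connection arrived

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    # Constructed target (TEST-NET-1 address); replace with a VLAN210 host and ports it serves.
    target = "192.0.2.10"
    for port in (80, 22):
        result = tcp_probe(target, port)
        print(target, port, result, "->", interpret(ping_ok=True, probe_result=result))
```

    Run it from a VLAN31 host against a VLAN210 host that you know listens on the probed port. If ping answers but the probe reports "filtered", the rule is doing its job and only the global ICMP setting is letting echo requests through; if the probe reports "open" or "closed", the rule is not matching and the rule base needs another look.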

  • Hi Jason,

     

    Thank you. I haven't found any ICMP settings that would overrule firewall rules but you were totally right. I've put a screenshot below with the ICMP settings, as far as I understand them they don't allow this but I'm ready to let that be as it is.

     

    Now I have to figure out how to give that VLAN internet access. Having that firewall rule allowing traffic to IPv4 Internet does not help (yes, in the screenshot it's disabled; I enabled it). None of the other VLANs have a rule like this, however, and they work fine. Being a wise man, maybe you have some wild pointers for me there as well; I appreciate them for sure.

     

    Sometimes UTM is really frustrating for me.

  • Hi,

     

    Well, since you have private IP addresses, masquerading might be required for this to be achieved.

    Yeah, sometimes it is quite frustrating, but also interesting to work with. (Don't point to that the next time I have a big problem, hehe.)

     

    Regards

     

    Jason


    Sophos Certified Architect - UTM

  • Jason,

     

    Sometimes you just feel so stupid. I found this 10 minutes before I saw your reply and it makes sense. It just does.

     

    Maybe it's just one of those weeks where you can't think straight. Guess I'm ready for vacation.

     

    Thank you a lot for taking a look at this and giving me a new, simple and fresh perspective.

     

    Wish you all the best

  • Hi,

     

    No Problem. Have a nice day.

     

    Regards

     

    Jason


    Sophos Certified Architect - UTM

  • Jason got you there, but you still might want to study #2 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA