
Restricting traffic between site to site vpn

I have set up a VPN between us and a client, and have created an interface and subnet specifically for this, with our main office network being on a different interface and subnet (Local):

1. Local net 192.168.0.x

2. Separate Network for devices to talk to client 192.168.30.x

3. client network via VPN 10.x.x.x

This is working OK, but I have just realised I can access an HTTP address of a machine on the client's network (3) from our Local (1) network, when I assumed it would be blocked, as the auto-created VPN rules are to allow any traffic between (2) and (3).

I have even created a drop-all rule from (1) to (3) in the firewall rules, but it is still accessible via HTTP, though not ping?

A bit concerned that I may be opening up our main network to traffic from the client.



Hi Jon,

As Emmanuel suggests, to better understand what's happening, see #2 in Rulz (last updated 2019-04-17).

You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA
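As an added worked example (not code from the thread, Sophos, or either poster), the following script encodes the intended policy from the question as a small first-match rule table, evaluates the flows the poster tested, and flags any observation that contradicts the table. The point it makes is the one Bob's pointer to Rulz #2 and the HTTP proxy document is driving at: firewall rules are protocol-agnostic, so if TCP/80 from (1) to (3) succeeds while ICMP on the same pair is dropped, the packet filter is not the only thing deciding that flow (on a UTM that typically means the web proxy is picking up the HTTP before the rule set sees it). The subnet masks (/24, /24, /8) are assumptions filled in from the post's x-notation, and the hosts 192.168.0.20, 192.168.30.20 and 10.0.0.10 are made up.

```python
"""Added example (not from the thread): model the intended inter-network policy
from the post as a first-match rule table, evaluate flows against it, and flag
live observations that disagree with it.
Assumptions: /24 masks for the two 192.168 subnets, /8 for the client network,
and the sample hosts 192.168.0.20, 192.168.30.20 and 10.0.0.10 are constructed."""
import ipaddress
import socket
from dataclasses import dataclass

LOCAL = ipaddress.ip_network("192.168.0.0/24")     # (1) main office LAN, mask assumed
VPN_LAN = ipaddress.ip_network("192.168.30.0/24")  # (2) subnet dedicated to the client link
CLIENT = ipaddress.ip_network("10.0.0.0/8")        # (3) client network reached via the VPN


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "drop"; applies to every protocol (ICMP, TCP, ...)


# First match wins, as in a packet-filter rule table; deliberately protocol-agnostic.
INTENDED_RULES = [
    Rule(VPN_LAN, CLIENT, "allow"),  # auto-created VPN rules: any traffic (2) <-> (3)
    Rule(CLIENT, VPN_LAN, "allow"),
    Rule(LOCAL, CLIENT, "drop"),     # the manual drop-all rule the poster added, (1) -> (3)
]
DEFAULT_ACTION = "drop"  # anything not explicitly allowed is dropped


def evaluate(src_ip: str, dst_ip: str, rules=INTENDED_RULES) -> str:
    """Return the action the intended rule table gives a flow from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return DEFAULT_ACTION


def diagnose(src_ip: str, dst_ip: str, observed: dict) -> list:
    """Compare live observations ({"icmp": bool, "tcp/80": bool}) with the policy.

    Returns one line per protocol whose observed reachability disagrees with the
    action the rule table would apply.  Since the rules do not distinguish
    protocols, 'open' for one protocol and 'blocked' for another on the same
    src/dst pair means something other than the packet filter handled that flow.
    """
    expected_open = evaluate(src_ip, dst_ip) == "allow"
    findings = []
    for proto, is_open in observed.items():
        if is_open != expected_open:
            findings.append(
                f"{src_ip} -> {dst_ip} {proto}: policy says "
                f"{'allow' if expected_open else 'drop'} but observed "
                f"{'open' if is_open else 'blocked'}"
            )
    return findings


def tcp_reachable(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Live check to run from a host on (1): does a TCP handshake to host:port complete?
    ICMP needs raw sockets; use the OS ping for that and feed the result into diagnose()."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed observation matching what the poster reports from the Local net:
    # HTTP to the client host works, ping does not.
    observed = {"icmp": False, "tcp/80": True}
    for line in diagnose("192.168.0.20", "10.0.0.10", observed):
        print(line)
```

To use it for real, run it on a machine in 192.168.0.x, replace the constructed `observed` dict with the result of `tcp_reachable()` against the actual client host and the exit status of an OS `ping` to the same host, and repeat from a machine in 192.168.30.x; a mismatch only on the Local-net host narrows the question to what is handling HTTP ahead of the rule table.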