Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 9 replies
  • Subscribers 4 subscribers
  • Views 16288 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLAN Isolation Trouble

Jamie Denton

 Hi, 

 

I've got a small home network consisting of UTM9 running on a CI323 connected to an Archer C7 router running OpenWRT, and I'm trying to add a guest Wifi, but I'm struggling with isolating the VLANs.  Broadly, the setup is this:

UTM:

  • Eth1: WAN
  • Eth0: VLAN 2 (Trusted) - DHCP: X.X.21.XX 
  •           VLAN 6 (Guest) - DHCP: X.X.22.XX

Router:

  • VLAN 2 (Trusted): 2x SSID and all physical network ports
  • VLAN 6 (Guest): 1x SSID
  • VLANs are trunked via the WAN port with firewall rules isolating them from each other

At the moment the VLANs are working, I get to the right DHCP server (and therefore end up in the right subnet) depending on the connection I use to get to the router, and both VLANs can get to the external internet.  The problem is that I can reach web servers between the VLANs, both by ping and HTTP.  So far I'm pretty sure the UTM is the culprit, as when connected to the trusted VLAN a traceroute shows no hops via the UTM, whereas when connected to the guest VLAN the traceroute shows an additional hop via the guest VLAN IP of the UTM.  

EDIT: Also, when I turn the UTM off, I can't get between VLANs, and SSH doesn't cross even when the UTM is on, which makes me even more sure it's the UTM.

So far, based on searches of the forum, I have:

  • Disabled "Allow ICMP through gateway", "Gateway forwards pings" and "Gateway forwards traceroute"
  • Added both VLANs to the destination section of the Transparent Mode Skiplist and unchecked "Allow HTTP/S traffic for listed hosts/nets"
  • Made sure I haven't got any firewall rules that could be letting things through, including replacing "Any" with "Internet IPV4" where relevant

At this point I'm not sure how to proceed, so any suggestions would be greatly appreciated!

 

Thanks,

 

Jamie



This thread was automatically locked due to age.
  • 0

    Hi Jamie,

    I had the same problem (BTW with nearly the same design, UTM, Archer C7 with OpenWRT).

    HTTP: I guess you have the transparent proxy enabled. The proxy also forwards the HTTP(S) traffic between your VLANs of course. Add the networks to the  exception list under WebProtection -> Filter Option (?) -> Misc. That should solve the problem.

    Ping: You were on the right way :) As far as I remember you've to disable them all together: "Allow ICMP on Gateway" (will let response the gateway to pings to all interfaces), "Allow ICMP through Gateway", "Gateway is ping visible" and "Gateway forwards pings". If it not works, play around with this settings. Disable them one by one until you get what you want.

     

    Jas

  • 0 in reply to Jas Man

    Hi Jas,

     

    Thanks for the reply, I've just tried fully unchecking the ICMP options:

    And I think this is what you mean by the exception for filtering?:

    Unfortunately they don't seem to have fixed the issue, is there anywhere else I should be looking?

     

    Thanks,

     

    Jamie

  • 0 in reply to Jamie Denton

    Hey,

    yes, that's what I meant. Normally this should solve your issue when your're using the transparent proxy mode.

    Have you configured a firewall rule which allows all traffic from one VLAN to another? 

    Jas

  • 0 in reply to Jas Man

    Hi Jas,

     

    I've  reviewed the firewall rules and there is nothing obvious that would let firewall rules from one side to the other, and as I said in the original message I've replaced all instances of "Any" with "Internet IPv4".

    Interestingly, as an experiment, I removed all references to "Internal (Guest) (Network)" from the firewall rules (including those used  for normal browsing) and could still browse freely, the only thing that stopped the browsing or VLAN traversing was shutting down the Guest VLAN interface, which is not exactly ideal! [:^)]

     

    Thanks,

     

    Jamie

  • +1 in reply to Jamie Denton

    Either there's something I don't think about, or there's a configuration failure. Also strange that you can ping the devices even everything is disabled.

    Could you please post the interface configuration from the support menu.

    What happens when you disable the web proxy? Is it still possible to access the websites of the other VLANs?

    Have you also checked the automatically added rules in the firewall?

    Has the C7 IP for both VLANs so that it could route between them?

  • 0

    Hi Jamie,

    Reading, "The problem is that I can reach web servers between the VLANs, both by ping and HTTP.  So far I'm pretty sure the UTM is the culprit, as when connected to the trusted VLAN a traceroute shows no hops via the UTM", I am confused, you can reach the webserver is the problem? If tracert doesn't show UTM as a hop then I think it is a local routing issue or may be I misunderstood your explanation. 

    Can you please show us a network diagram and reiterate the connection flow. Check #1 in the Rulz by Bob and show us a relative log line which tells the packet is dropped via UTM. Also, check in the packet filter log file for more details regarding the drop, if any.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Hi Sachin,

     

    Network diagram:

    Trusted VLAN is X.X.21.XX

    Guest VLAN is X.X.22.XX

    The UTM has an IP address of X.X.X.51 in each interface.

    The problem is that a device in the Guest VLAN can access the  Trusted VLAN.  in the example I gave, I can ping and reach the PiAware server (a Rapberry Pi based ADSB station connected via WiFi) from my work laptop in the Guest VLan.

    Tracert from the Trusted VLAN shows:

    Tracert from the Guest VLAN shows:

    Hope this makes the problem a bit clearer.  It seems that there is definitely a route via the UTM, but it seems confined  to HTTP and ICMP,  as trying to SSH into PiAware doesn't work from the Guest VLAN, all of which points to something to do with the Web Filtering, based on wider reading, but I'm a bit stumped.

     

    Given it's a problem of things not being dropped, not sure what log would be helpful?

     

    Thanks,

     

    Jamie

  • 0 in reply to Jas Man

    Interfaces Table:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:01:2e:70:b0:58 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc hfsc state UP group default qlen 1000
    link/ether 00:01:2e:70:b0:59 brd ff:ff:ff:ff:ff:ff
    inet [WAN IP]/21 brd [WAN BROADCAST] scope global eth1
       valid_lft forever preferred_lft forever
4: eth0.6@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 00:01:2e:70:b0:58 brd ff:ff:ff:ff:ff:ff
    inet [XX.XX].22.51/24 brd [xx.xx].22.255 scope global eth0.6
       valid_lft forever preferred_lft forever
5: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 00:01:2e:70:b0:58 brd ff:ff:ff:ff:ff:ff
    inet [XX.XX].21.51/24 brd [xx.xx].21.255 scope global eth0.2
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet [XX.XX].22.1/24 brd [XX.XX].22.255 scope global tun0
       valid_lft forever preferred_lft forever
7: ifb0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc tbf state UNKNOWN group default qlen 32
    link/ether 76:bf:29:93:2e:c5 brd ff:ff:ff:ff:ff:ff

    In answer to your other points:

    • Disabling the web proxy doesn't appear to change anything
    • The only auto rule in the firewall is to DNAT queries from my own domain to the config page of the UTM, even then it's only referring to the Trusted VLAN
    • The C7 only has an IP address in the Trusted VLAN, not in the Guest VLAN

    Thanks again,

     

    Jamie

  • +1 in reply to Jamie Denton

    Ok, I think I've fixed it!    On reading the interface config above, I noticed that the XX.XX.22.XX subnet appeared in both eth0.6 and tun0, a quick Google pointed out that tun0 was associated with the SSL VPN, and sure enough, my SSL VPN  pool was on the XX.XX.22.XX subnet.

     

    I'd overlooked the possibility of my Guest VLAN IP range conflicting with the ranges for my VPN profiles when I rejigged the subnets for VLANs, so it was bypassing the exceptions I placed in the for transparent mode skip list because the Web Filter had both Guest VLAN and VPN Pools as allowed interfaces, presumably it was being forwarded to what the UTM thought was the VPN pool.

     

    Either way, it appears to work now, I'm just glad it was a simple fix!

     

    Jas, Sachin, thanks for your help 

     

    Cheers,

     

    Jamie

Unfiltered HTML