VLAN Isolation Trouble

Hi,

I've got a small home network consisting of UTM9 running on a CI323 connected to an Archer C7 router running OpenWRT, and I'm trying to add a guest Wifi, but I'm struggling with isolating the VLANs.  Broadly, the setup is this:

UTM:

  • Eth1: WAN
  • Eth0: VLAN 2 (Trusted) - DHCP: X.X.21.XX
          VLAN 6 (Guest) - DHCP: X.X.22.XX

Router:

  • VLAN 2 (Trusted): 2x SSID and all physical network ports
  • VLAN 6 (Guest): 1x SSID
  • VLANs are trunked via the WAN port with firewall rules isolating them from each other

At the moment the VLANs are working, I get to the right DHCP server (and therefore end up in the right subnet) depending on the connection I use to get to the router, and both VLANs can get to the external internet.  The problem is that I can reach web servers between the VLANs, both by ping and HTTP.  So far I'm pretty sure the UTM is the culprit, as when connected to the trusted VLAN a traceroute shows no hops via the UTM, whereas when connected to the guest VLAN the traceroute shows an additional hop via the guest VLAN IP of the UTM.  

EDIT: Also, when I turn the UTM off, I can't get between VLANs, and SSH doesn't cross even when the UTM is on, which makes me even more sure it's the UTM.

So far, based on searches of the forum, I have:

  • Disabled "Allow ICMP through gateway", "Gateway forwards pings" and "Gateway forwards traceroute"
  • Added both VLANs to the destination section of the Transparent Mode Skiplist and unchecked "Allow HTTP/S traffic for listed hosts/nets"
  • Made sure I haven't got any firewall rules that could be letting things through, including replacing "Any" with "Internet IPV4" where relevant

At this point I'm not sure how to proceed, so any suggestions would be greatly appreciated!

Thanks,

Jamie

  • Hi Jamie,

    Reading, "The problem is that I can reach web servers between the VLANs, both by ping and HTTP. So far I'm pretty sure the UTM is the culprit, as when connected to the trusted VLAN a traceroute shows no hops via the UTM", I am confused: you can reach the webserver is the problem? If tracert doesn't show UTM as a hop then I think it is a local routing issue, or maybe I misunderstood your explanation.

    Can you please show us a network diagram and reiterate the connection flow. Check #1 in the Rulz by Bob and show us a relative log line which tells the packet is dropped via UTM. Also, check in the packet filter log file for more details regarding the drop, if any.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,


    Network diagram:

    Trusted VLAN is X.X.21.XX

    Guest VLAN is X.X.22.XX

    The UTM has an IP address of X.X.X.51 in each interface.

    The problem is that a device in the Guest VLAN can access the Trusted VLAN. In the example I gave, I can ping and reach the PiAware server (a Raspberry Pi based ADSB station connected via WiFi) from my work laptop in the Guest VLAN.

    Tracert from the Trusted VLAN shows:

    Tracert from the Guest VLAN shows:

    Hope this makes the problem a bit clearer. It seems that there is definitely a route via the UTM, but it seems confined to HTTP and ICMP, as trying to SSH into PiAware doesn't work from the Guest VLAN, all of which points to something to do with the Web Filtering, based on wider reading, but I'm a bit stumped.

    Given it's a problem of things not being dropped, not sure what log would be helpful?

    Thanks,

    Jamie
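The two diagnostics Jamie is relying on (does the trace from each VLAN pass through the UTM's interface, and which protocols actually cross while others stay blocked) can be checked mechanically. The script below is an added example for this thread, not code from Sophos, OpenWRT or the poster; the tracert listings in the thread did not survive, so it uses constructed sample output, and the addresses 192.168.21.0/24, 192.168.22.0/24 and the ".51" UTM interface IPs are assumptions standing in for the X.X.21.XX / X.X.22.XX / X.X.X.51 values above. It parses tracert (Windows) or traceroute (Linux) output, flags whether any hop belongs to the UTM, and interprets a per-port reachability result: web ports crossing while SSH does not is consistent with the transparent web proxy answering on the UTM's own interface rather than with a missing packet-filter rule, which is what the Skiplist setting is meant to control.

```python
import re
import socket
from typing import Dict, List, Optional

# Hypothetical UTM interface addresses, one per VLAN (the thread's X.X.X.51).
UTM_INTERFACE_IPS = {"192.168.21.51", "192.168.22.51"}

# Constructed tracert output (Windows format). These are illustrative only and
# mirror the two shapes described in the thread: a direct on-link answer from
# inside the trusted VLAN, and a guest-VLAN path that transits the UTM.
TRACERT_TRUSTED = """\
Tracing route to piaware.lan [192.168.21.40]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  192.168.21.40

Trace complete.
"""

TRACERT_GUEST = """\
Tracing route to piaware.lan [192.168.21.40]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.22.51
  2     *        *        *     Request timed out.
  3     4 ms     3 ms     3 ms  192.168.21.40

Trace complete.
"""

_HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # lines starting with a hop number
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted-quad on the line


def parse_hops(trace_text: str) -> List[Optional[str]]:
    """Return one entry per hop: the responding address, or None on timeout.

    Works for Windows tracert (address last) and Linux traceroute (address
    first) because only the first IPv4 literal on each hop line is used;
    header lines do not start with a hop number and are skipped.
    """
    hops: List[Optional[str]] = []
    for line in trace_text.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue
        addr = _IPV4.search(m.group(2))
        hops.append(addr.group(1) if addr else None)
    return hops


def utm_hop(trace_text: str, utm_ips=UTM_INTERFACE_IPS) -> Optional[str]:
    """Return the first hop that is a UTM interface, or None if the UTM is not in the path."""
    for hop in parse_hops(trace_text):
        if hop in utm_ips:
            return hop
    return None


def classify_path(trace_text: str, utm_ips=UTM_INTERFACE_IPS) -> str:
    """'direct'  : single hop, the destination answered on-link (same VLAN)
       'via_utm' : a hop is a UTM interface, so the traffic is being routed between VLANs
       'other'   : another router, or the trace never completed"""
    hops = parse_hops(trace_text)
    if utm_hop(trace_text, utm_ips):
        return "via_utm"
    if len(hops) == 1 and hops[0] is not None:
        return "direct"
    return "other"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live TCP connect check from the current VLAN (not exercised offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(reachability: Dict[int, bool]) -> str:
    """Interpret per-port results from the guest VLAN toward a trusted-VLAN host.

    Only web ports open  -> 'web-proxy-leak' (transparent proxy, check the Skiplist)
    Nothing open         -> 'isolated'
    Non-web ports open   -> 'routing-leak' (a forwarding/packet-filter rule is allowing it)
    """
    web = {80, 443, 8080}
    web_open = {p for p, ok in reachability.items() if ok and p in web}
    other_open = {p for p, ok in reachability.items() if ok and p not in web}
    if not web_open and not other_open:
        return "isolated"
    if web_open and not other_open:
        return "web-proxy-leak"
    return "routing-leak"


if __name__ == "__main__":
    print("trusted:", classify_path(TRACERT_TRUSTED))   # direct
    print("guest:  ", classify_path(TRACERT_GUEST), utm_hop(TRACERT_GUEST))
    # Live use from a guest-VLAN client (target is hypothetical):
    # results = {p: tcp_reachable("192.168.21.40", p) for p in (22, 80, 443)}
    # print(diagnose(results))
```

Run it from a guest-VLAN client with the live probe uncommented and the real PiAware address substituted: if only 80/443 come back reachable and the guest trace shows a ".51" hop, the packet filter is not what is letting the traffic through, and the transparent proxy settings are the place to look.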
