Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 6094 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Rules to creat Client Isolation

Andrew Crawford

I have two zones LAN and LAN2.  LAN2 is for kids, separate zone to isolate their malware etc.  LAN2 -> WAN rules exist to force login via captive portal so that surf time quotas can be applied.  This works. 

Now I want intra-LAN2 traffic to be counted in the surf time so that peer-peer gaming can be restricted when surf time is expired.  I think I want to create equivalent of Client Isolation but have a rule that overrides this for known users.  These rules are created below the captive portal rules (which are LAN2 -> WAN rules)

1)  Source LAN2 zone, any service, any host  Dest LAN2 zone any service, any host  Match Users  No Advanced filters, No NAT :  ACCEPT

2)  Source LAN2 zone, any service, any host  Dest LAN2 zone any service, any host  Dont match users  :  DROP

I expect 2) to achieve Client Isolation and by putting 1) above it then peer-peer will work in LAN2 while the matched users still have quota.

However, if I disable 1) to test that clients are isolated by 2) then LAN2 clients can still ping each other.

What did I miss, am I going about this the right way?



This thread was automatically locked due to age.
  • 0

    Andrew,

    Can you share the zone configuration and the network interfaces created?

    Ping is controlled by device access under Administration.

    Anyway share the requested information and we will help you.

    Regards

  • 0 in reply to lferrara

    Luk, thanks!

    LAN2 is defined on Port 4 with a DHCP server also on Port 4.  Zone settings allow Client Authorisation and Captve Portal, DNS and Ping, Web Proxy, Wireless Protection, User Portal, Dynamic Routing.   DHCP for Port 4 is a different /24 to the other LAN zone which is the Sophos default LAN on Port 1.

    LAN2 has firewall rules to activate the Captive Portal and this works properly.  (LAN2->WAN ACCEPT for Known Users, followed by LAN2->WAN DROP to activate Portal)

    After the Captive Portal rules I then have the two rules described above: 

    1)  LAN2->LAN2 Any Networks/Any Services, Match Known Users ACCEPT  :  I intend for this to allow traffic between machines in the LAN2 Zone if the user is authenticated

    2)  LAN2->LAN2 Any Network/Any Service, Match Users NOT checked  DROP  :  I intend for this to prevent traffic between machines in LAN2 Zone, unless was already allowed by 1)

    If I disable rule 1):   ping still works between machines AND Windows network discovery and file sharing still works.  Rule 2) is not blocking communication.

    So, I don't know how to block communication between two machines in the same zone, in the same /24 subnet.

    Thanks for any advice.

  • 0 in reply to Andrew Crawford

    <Facepalm>

    The clients to LAN2 are on a switch that is pluggged into the LAN2 port.  All are on same /24.

    So they all communicate directly, via the switch.  UTM never sees their traffic.  My rules can never work for wired connections!

    <Facepalm>

  • 0 in reply to Andrew Crawford

    Why don't you create a VLAN for each peer group? If you are meticulous, you could create a VLAN for each device, specifying for each the desired quotas and allowed services.