
Block destination host access from source host in LAN/one subnet

Hi,

WARNING: I am absolutely new to firewall :)

I use IP Hosts to group my LAN devices, which all belong to my single subnet 10.x.y.z. I want to use these IP Hosts (IP lists and ranges) to block cross access. E.g. DHCP (guest devices 10.x.y.100 - 10.x.y.110) should not be able to access any host in SERVER.

I created a firewall rule with the following content:

Action REJECT or DROP

Source Zone LAN
Source Network DHCP (Host IP Range)

Destination Zone LAN
Destination Network SERVER (Host IP List)
Services ANY

but ... I can still access any SERVER host from a DHCP host.

Is it possible to achieve what I am aiming for with only IP Hosts, or do I have to go the ZONE / VLAN route?

Cheers

  • Norbert,

    if clients and servers are on the same subnet, traffic will never hit the firewall, so you cannot block/allow it.

    In order to filter traffic by layer 3 and 4, you have to move your servers or clients to another subnet.

    Regards

  • If your servers and the DHCP addresses are on the same subnet, traffic between them isn't routed by the XG, so you can't block it on the XG.

  • Thanks guys!

    I had already spent some time (the night) on this and just wanted to get someone's confirmation or direction. With a little walk in the sun today, though, my brain restarted and your answer seems obvious. If I shut down the XG I can still work with my hosts in my LAN, since no routing by the XG is needed. So why should the traffic pass the XG and its firewall rules at all? I could have known this already :)

    I'll investigate for another solution. A new puzzle, another option to learn.

    Cheers

  • Another day :)

    I followed your recommendations and I am surprised how simply this works. What I did:

    1) Assigned a third interface to the Sophos VM in ESXi and gave it the static IPv4 address 10.10.1.1

    2) Added a zone which is assigned to this new Port3

    3) Changed the static IPs of some servers to 10.10.1.x

    4) Changed corresponding entries in my XG DNS

    5) Created two firewall rules to allow traffic from LAN to SERVER and vice versa

    6) Et voilà ... it works nicely

    I thought it would be more tricky, but I still might be missing something here.

    I left the subnet mask for both LAN and SERVER at 255.255.255.0. And all devices are still connected to the very same single switch. No VLAN applied at all. Is this setup sufficient from a security perspective? Or should I consider using two dedicated hardware switches for LAN and SERVER?

  • Great!

    Potentially, clients or servers can change their IP and belong to the other network.

    You can create layer 2 VLANs by assigning each port to the proper VLAN with only one XG interface. In your case you need 2 VLANs, one for clients and one for servers. Every managed switch supports layer 2 VLANs. The other option is layer 3 VLANs, where with a single XG NIC you can manage both networks.

    Regards

  • Very good point, lferrara.

    I have to replace my switch anyway. And I'll go for two switches. Only the CLIENT/LAN zone would then be available to everybody connecting to the LAN via a wall plug. WLAN is only granted to family devices. Guests will gain access via a separate AP, connected directly to my AVM router, hence this AP is NOT in my internal network anyway.

    With the SERVER zone being physically separated, plus MAC addresses as criteria to allow access to the SERVER zone from LAN, I should be more or less on the safe side, even if someone identifies any of my ADMIN devices' IP addresses by trial and error. It is still not 100% safe, I know, but safe enough for my use case.

    Cheers

    Edit: And thanks lferrara !
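To make the first reply's point (same-subnet traffic never reaches the firewall) and the later rebuild steps concrete, here is an added Python check that is not from the thread or from Sophos: it models the firewall's connected interfaces and reports, for a block rule with an IP-range source and an IP-list destination, whether the firewall could ever see that traffic. The addresses are constructed stand-ins for the thread's 10.x.y.z placeholders.

```python
import ipaddress

# Constructed stand-ins for the thread's 10.x.y.z placeholders (not real addresses).
BEFORE = {"Port1 (LAN)": "10.10.0.1/24"}  # one flat subnet: clients and servers together
AFTER = {"Port1 (LAN)": "10.10.0.1/24", "Port3 (SERVER)": "10.10.1.1/24"}  # servers moved

def connected_interface(ip, interfaces):
    """Return the firewall interface whose subnet contains ip, or None if not directly connected."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None

def is_routed(src, dst, interfaces):
    """True when traffic from src to dst has to pass the firewall.
    Hosts on the same connected subnet reach each other via the switch (ARP), so the
    firewall never sees the packets and no rule can match them.  A destination that is
    on no connected subnet is reached via the default route, i.e. through the firewall."""
    src_if = connected_interface(src, interfaces)
    if src_if is None:
        return False  # not one of our LAN hosts; outside this check's scope
    return src_if != connected_interface(dst, interfaces)

def check_rule(src_range, dst_hosts, interfaces):
    """Evaluate a block rule with an IP-range source and an IP-list destination.
    Returns {dst_host: True if every source in the range is routed through the firewall};
    False means the rule can never take effect for that destination."""
    lo, hi = (ipaddress.ip_address(s.strip()) for s in src_range.split("-"))
    sources = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return {dst: all(is_routed(s, dst, interfaces) for s in sources) for dst in dst_hosts}

if __name__ == "__main__":
    dhcp = "10.10.0.100-10.10.0.110"  # the guest range from the original rule
    print("before:", check_rule(dhcp, ["10.10.0.20", "10.10.0.21"], BEFORE))
    print("after: ", check_rule(dhcp, ["10.10.1.20", "10.10.0.22"], AFTER))
```

A server left behind on the old subnet (10.10.0.22 in the "after" run) still reports False, which is the case the thread's second reply warns about when no VLAN separates the ports.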