WebProtection --> Kein Zugriff der VLANs untereinander!

'nAbend mauti,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

First, VLAN 1 is reserved in the UTM for Wireless Security, so that may be part of the problem.

If you are running in Transparent mode only, then simply adding all of the networks to the Destination SkipList and de-selecting 'Allow HTTP/S traffic for listed hosts/nets' on the 'Misc' tab of 'Filtering Options' should prevent access between networks.

If you used ping to test if eveything can reach each other, de-select 'Gateway forwards pings' on the 'ICMP' tab and you should see different behavior.

Alles jetzt in Ordnung?

MfG - Bob (Bitte auf Deutsch weiterhin.)

hi bob,

the problem we have, there is no "transparent mode only"

i learn, that transparent mode is an add-on to standard mode ... and if i activate transparent mode, standard mode is available too.

and i can not block "all private lans (10.0.0.0/8)" with standard mode...

so my guest WLAN can access internal web resources, unless i block the exact URL.  

Hallo Dirk,

If you use Standard mode, you must skip the proxy in the browser settings.  You can do this for everything with a Proxy Auto Configuration (PAC) file.  If you skip all 10.x.y.z networks in the PAC file and you do not create a firewall rule allowing inter-subnet traffic, there will be no access.  Here's a basic example:

function FindProxyForURL(url, host)
{
   //The following URLs will not be proxied
       if (shExpMatch(url,"passthrough.fw-notify.net*/*"))
         {return "DIRECT";}
   //Don't Proxy local domains
   if (dnsDomainIs(host, ".ourdomain.local"))
         {return "DIRECT";}
   //Don't proxy hosts on LAN(s)
       if (isPlainHostName(host) ||
           isInNet(dnsResolve(host), "172.17.1.0", "255.255.255.0"))
         {return "DIRECT";}

   // Set the proxy server(s) for LAN(s)
   if (isInNet(myIpAddress(), "172.17.1.0", "255.255.255.0"))
         {return "PROXY 172.17.1.1:8080" ; DIRECT"; }
 
   // For all other networks, do not proxy
   return "DIRECT" ;
}

The "trick" to having both Transparent and Standard available for a single subnet is to create a Web Filtering Profile in Standard mode and then have the Default profile in Transparent.  Traffic arriving on port 80 will skip the Standard mode Profile, but will be captured by the Transparent mode Default profile.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Hallo Dirk,

If you use Standard mode, you must skip the proxy in the browser settings.  You can do this for everything with a Proxy Auto Configuration (PAC) file.  If you skip all 10.x.y.z networks in the PAC file and you do not create a firewall rule allowing inter-subnet traffic, there will be no access.  Here's a basic example:

function FindProxyForURL(url, host)
{
   //The following URLs will not be proxied
       if (shExpMatch(url,"passthrough.fw-notify.net*/*"))
         {return "DIRECT";}
   //Don't Proxy local domains
   if (dnsDomainIs(host, ".ourdomain.local"))
         {return "DIRECT";}
   //Don't proxy hosts on LAN(s)
       if (isPlainHostName(host) ||
           isInNet(dnsResolve(host), "172.17.1.0", "255.255.255.0"))
         {return "DIRECT";}

   // Set the proxy server(s) for LAN(s)
   if (isInNet(myIpAddress(), "172.17.1.0", "255.255.255.0"))
         {return "PROXY 172.17.1.1:8080" ; DIRECT"; }
 
   // For all other networks, do not proxy
   return "DIRECT" ;
}

The "trick" to having both Transparent and Standard available for a single subnet is to create a Web Filtering Profile in Standard mode and then have the Default profile in Transparent.  Traffic arriving on port 80 will skip the Standard mode Profile, but will be captured by the Transparent mode Default profile.

MfG - Bob (Bitte auf Deutsch weiterhin.)