
Creating a Firewall Rule VLAN to WAN

Hi, 

 

I am used to the XG series and I think I am confusing myself lol, hence this post.

 

I have created multiple VLANs on 2 interfaces, i.e. VLAN 2, 4, 6 on eth0 and VLAN 8, 10 & 12 on eth5.  I also created masquerading rules for all VLANs to the uplink interfaces.

 

Now I want to create firewall rules and groups to make everything look right, so I started to create the basic ones first, i.e. VLAN 2 to WAN on any service.  However, I am not sure how to add the WAN aspect.  Typically you could add "Any" in the destination; however, if I do this, won't it allow VLAN 2 to talk to any of the other VLANs?  I then thought to add the WAN interface, but then I am not sure if I want to add (Address), (Broadcast) or (Network).  I would think that Address is the one to add, but then I started hesitating and thought I would drop a line to see if this is what I want.

 

On the XG these would simply be zones, but in the UTM I am not 100% confident on this.



  • Typically, the WAN would be the internet, so the destination would be Internet IPv4 or Internet IPv6.

    Watch you don't get caught out by the proxies!!

  • There are special predefined network objects called "Internet IPv4" and "Internet IPv6" (or simply "Internet" if IPv6 is not active).
    Those are meant exactly for what you want.

    Take care that you don't allow traffic via Webfilter, etc., because Proxies come before manual firewall rules.

    Also read BAlfsons' "Rulz" pinned to the "General Discussion" forum, they are a "must read" when dealing with the Sophos UTM.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Hi,

    If you take "Any" for destination, yes, VLAN 2 can see all other VLANs.

    You have to take "WAN (Network)", because you want to see the whole network and not just a specific address ("WAN (Address)").

  • Hello Tom,

    You're right to warn him about using the "Any" object, but the "External (Network)" object only includes the subnet defined on the External interface.  See Louis' post above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
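The point made in the replies above (an "Any" destination lets VLAN 2 reach every other VLAN, "External (Network)" only covers the WAN subnet, and "Internet IPv4" is the object that means "beyond the gateway"), shown as an added example that is not from the thread or from Sophos. It models the destination objects over a constructed lab addressing plan; the definition of "Internet IPv4" as "every IPv4 address not inside a locally attached network" is a simplifying assumption for illustration, not the UTM's internal definition.

```python
import ipaddress

# Constructed lab addressing (assumed, not from the thread): three VLANs per
# uplink interface, plus the subnet and address of the External (WAN) interface.
LOCAL_NETWORKS = {
    "VLAN 2": ipaddress.ip_network("10.0.2.0/24"),
    "VLAN 4": ipaddress.ip_network("10.0.4.0/24"),
    "VLAN 6": ipaddress.ip_network("10.0.6.0/24"),
    "VLAN 8": ipaddress.ip_network("10.0.8.0/24"),
    "VLAN 10": ipaddress.ip_network("10.0.10.0/24"),
    "VLAN 12": ipaddress.ip_network("10.0.12.0/24"),
    "External": ipaddress.ip_network("203.0.113.0/24"),
}
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")


def internet_ipv4(ip):
    """Assumed simplified model of the 'Internet IPv4' object: any IPv4 address
    that is not inside a network bound to one of the box's own interfaces."""
    return not any(ip in net for net in LOCAL_NETWORKS.values())


# Candidate destination objects for a "VLAN 2 -> WAN, any service" allow rule.
DEST_OBJECTS = {
    "Any": lambda ip: True,
    "External (Address)": lambda ip: ip == WAN_ADDRESS,
    "External (Network)": lambda ip: ip in LOCAL_NETWORKS["External"],
    "Internet IPv4": internet_ipv4,
}


def rule_allows(dest_object, dst_ip):
    """Would a rule with this destination object match a packet to dst_ip?"""
    return DEST_OBJECTS[dest_object](ipaddress.ip_address(dst_ip))


def leaks_to_other_vlans(dest_object, source="VLAN 2"):
    """True if the rule would also match a host on one of the *other* local VLANs,
    i.e. the inter-VLAN leak the original poster is worried about."""
    for name, net in LOCAL_NETWORKS.items():
        if name in (source, "External"):
            continue
        if rule_allows(dest_object, str(net.network_address + 1)):
            return True
    return False


if __name__ == "__main__":
    for obj in DEST_OBJECTS:
        print(f"{obj:20} internet host: {rule_allows(obj, '198.51.100.7')!s:5} "
              f"leaks to other VLANs: {leaks_to_other_vlans(obj)}")
```

Note that this only models the packet filter; as the replies say, a proxy such as the Web Filter is consulted before these manual rules and is not represented here.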