Restricting traffic between site to site vpn

I have set up a VPN between us and a client, and have created an interface and subnet specifically for this, with our main office network being on a different interface and subnet (Local).

1. Local net 192.168.0.x

2. Separate network for devices to talk to the client 192.168.30.x

3. Client network via VPN 10.x.x.x

This is working OK, but I have just realised I can access an HTTP address of a machine on the client's network (3) from our Local (1) network, when I assumed it would be blocked, as the auto rules created by the VPN are to allow any traffic between (2) and (3).

I have even created a drop-all rule from (1) to (3) in the firewall rules, but it is still accessible via HTTP, but not ping?

I'm a bit concerned that I may be opening up our main network to traffic from the client.

  • Hello Jon,

    Thank you for contacting the Sophos Community!

    If you selected to create an Automatic Firewall rule when you created the tunnel, this will take precedence over your manually created firewall rules.

    I would recommend you remove the Automatic Firewall rule, and set one for the traffic going there, and another for the traffic initiated from the other end with the service you want to allow; by default the Service is set to ANY.

    Regards,

  • The automatic rules are for the 192.168.30.0/24 network and not the 192.168.0.0/24, therefore I would expect not to have communication to the 10.0.0.0 network, especially when denying it in the firewall.

  • Hello Jon,

    So the way you have it set as of now will not allow the other side to communicate with other networks.

    I believe that the computers that are able to access the HTTP of the computers at the other end of the tunnel can do so because they are being proxied, in which case the firewall rule will not apply.

    To avoid that, you would need to do the following: https://support.sophos.com/support/s/article/KB-000037162?language=en_US

    I would also recommend you take a look at point #2 of this Recommended Read made by Bob, one of our greatest collaborators in the community.

    Regards,

  • Hi Jon,

    As Emmanuel suggests, to better understand what's happening, see #2 in Rulz (last updated 2019-04-17).

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob
