
Allow access to network device from internal LAN and guest network

I have a network device on our main internal LAN with a static IP address; that device is connected to a projector and allows users to show their screen wirelessly. I need to allow guest users to have access to that device as well; guest users are connected to our secondary guest network, which is completely separated from the main internal LAN.

What is the easiest way to allow guest users to access only that one device on our internal network? Thank you, Mark



  • Depends what ports/protocols it uses for communication and whether or not that traffic is running through the web proxy.  If the proxy isn't part of the communication process, it should be as easy as a firewall rule to allow the traffic.

  • Scott,
    Currently we are using this device on our main internal LAN with no issues, and I just want users that are connected to our "guest" network to be able to connect to it as well without putting any holes in our network.

    Would it make more practical sense to put that device on "guest" vlan and create a firewall rule to allow one way traffic from our internal LAN to that device? What about DMZ? I'm looking for recommendation/solution/best practice. Thanks in advance. Mark
  • Like Scott says, Mark, you just need a firewall rule like 'Guest (Network) -> {necessary port(s)} -> {device} : Allow'. Typically, a DMZ is more for devices that are exposed to the Internet or in a larger organization where different subnets have different access rights in the DMZ.

    Cheers - Bob
  • Guys, thanks for all your help. I guess I was over-engineering this request and a simple firewall rule took care of it.

    Here's what I have:
    rule#1 Guest (Network) -> {8 ports required by this device} -> {airmedia} : Allow
    rule#2 Guest (Network) -> {any} -> {corporate network} : Drop

    Thanks again :-)
  • Mark, the second rule does nothing other than drop traffic "quietly" that would otherwise appear in the firewall log as dropped by default - any traffic not explicitly allowed is dropped by default.

    However, the automatic firewall rules created by WebAdmin for Web Filtering come before all manually-created rules. If you have included the Guest network in 'Allowed Networks' there, guests have access to your internal network.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests." If you would like me to send you this document, send me an email requesting it to my member name here @ the domain listed in my signature block - please include your member name here in your email as this offer is only for members. I also maintain a version in German translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob
  • Bob,

    The 'guest' and 'corporate' networks are both included in the "Allowed Networks" under web filtering, and before I created that rule to allow guest users to have access to that one device on our corporate network, users coming from the guest network were unable to access anything on our internal network. That was the reason why I put in that new rule to allow guest users to access the airmedia device, which is on our corporate network.

    I'm thinking that the second firewall rule ["guestNetwork" -> any -> "internalNetwork" ->drop] was/is blocking guest from accessing internal network.

  • Rules in numbered lists are considered sequentially. If the automatic rule for Web Filtering allows a packet, no rule after it will block the same packet. See #1 in Rulz.

    Cheers - Bob
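To make the first-match ordering Bob describes concrete, here is a small Python model of Mark's ruleset; it is an added example, not code from the thread or from Sophos UTM. The subnets, the airmedia address, its port set, and modelling the automatic Web Filtering rule as an allow for TCP 80/443 from the Allowed Networks are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addressing (not from the thread).
GUEST = "10.20.0.0/16"        # guest network
CORPORATE = "10.10.0.0/16"    # main internal LAN
AIRMEDIA = "10.10.5.25/32"    # the wireless presentation device
AIRMEDIA_PORTS = frozenset({8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007})  # placeholder for "8 ports"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    ports: Optional[frozenset]    # None means any port
    action: str                   # "allow" or "drop"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.ports is None or port in self.ports))


def build_ruleset(guest_in_allowed_networks: bool) -> list:
    """Automatic Web Filtering rule (assumed: 80/443 to anywhere) is inserted
    ahead of the manual rules, as the thread says WebAdmin does."""
    rules = []
    if guest_in_allowed_networks:
        rules.append(Rule("auto: web filtering", GUEST, "0.0.0.0/0", frozenset({80, 443}), "allow"))
    rules += [
        Rule("rule#1", GUEST, AIRMEDIA, AIRMEDIA_PORTS, "allow"),
        Rule("rule#2", GUEST, CORPORATE, None, "drop"),
    ]
    return rules


def evaluate(rules: list, src_ip: str, dst_ip: str, port: int) -> tuple:
    """First match wins; anything no rule matches is dropped by default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return "drop", "default"


def verdict_without(rules: list, name: str, src_ip: str, dst_ip: str, port: int) -> str:
    """Verdict with one rule removed, to show whether that rule changes anything."""
    return evaluate([r for r in rules if r.name != name], src_ip, dst_ip, port)[0]
```

Removing rule#2 never changes a verdict, which is Bob's point about it only suppressing log entries; putting Guest in the Web Filtering Allowed Networks lets 80/443 through to the whole corporate LAN before rule#2 is ever consulted.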