Guest network access. Packetfilter does not block as expected

Hello everyone,

I recently discovered a problem with my Guest-WAN configuration.
I have two separate guest interfaces (VLANs on a separate phy. NIC of the UTM). IPs are separate from the corp. network.

I used 's guide for configuring the rest of the system to ensure separation

The problem I discovered is the following:

From the guest network I can access ALL internal websites

Other services are not possible

Our HTTP proxy runs in transparent mode. Guest network is set to skip source mode. Allow HTTP/S for skipped networks is enabled! (Due to requirements for some internal networks)

Packet filter rules are as follows:

 

The reachable internal websites' IPs are included in the obfuscated green network group of rule #1.

Any ideas why this happens?

Again, clean separation of guest from anything else proves to be more complex than expected :(

 

Best regards for your help



This thread was automatically locked due to age.
  • I think you describe your problem yourself:

    "Our HTTP proxy runs in transparent mode. Guest network is set to skip source mode. Allow HTTP/S for skipped networks is enabled! (Due to requirements for some internal networks)"

    Just for testing, disallow HTTP/S traffic for skipped networks in the HTTP proxy.

    Can the guest network now still reach internal websites?

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Hello,

    sorry for the late reply.

    I tested disabling HTTP/S access for skipped hosts/nets.

     

    Same issue. Access to the internal sites is still possible.

    Best regards

  • Please test the following:

    Split your first firewall rule into 3 single rules, one rule for each network.

    Put the guest-to-internal drop first and select "log traffic" in this rule.

    Open the packet filter log and test again. What do you see?

    EDIT:

    Please also check if you have more than one web filter profile which maybe matches your guest network...

     

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Ingo, I think I'm following you - I would do this differently.

    1. Remove the Guest network from 'Skip Transparent Mode Source ...'
    2. Put your LANs in 'Skip Transparent Mode Destination ...'
    3. De-select 'Allow HTTP/S traffic for listed hosts/nets'
    4. Make explicit firewall rules that allow traffic between, for example, "Internal (Network)" and "DMZ (Network)"

    Since there's no rule allowing "Guest (Network)" to go anywhere but the Internet, you should see that traffic to your LANs default dropped in the Firewall Live Log.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
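The processing order Bob's four steps rely on, as an added illustrative model (not Sophos code and not the exact UTM pipeline): it assumes, as the outcome of this thread indicates, that the transparent web filter's skip lists are consulted before the manual firewall rules, so an HTTP/S connection from a skipped *source* with "Allow HTTP/S traffic for listed hosts/nets" ticked never reaches the packet filter. The networks, rule names and both configurations below are constructed to mirror the thread, not taken from the poster's setup.

```python
"""Illustrative model of the UTM decision order discussed in this thread.

Constructed example, not Sophos code. Assumption: for HTTP/S the transparent
web filter's skip-list handling runs before the manual firewall rules.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address plan (not the poster's real networks).
GUEST = "10.99.0.0/24"
INTERNAL = "192.168.10.0/24"
DMZ = "192.168.20.0/24"
ANY = "0.0.0.0/0"
WEB_PORTS = {80, 443}


@dataclass
class FirewallRule:
    name: str
    sources: list
    destinations: list
    ports: set          # empty set means "any service"
    action: str         # "allow" or "drop"


@dataclass
class WebFilterConfig:
    skip_sources: list = field(default_factory=list)       # Skip Transparent Mode Source Hosts/Nets
    skip_destinations: list = field(default_factory=list)  # Skip Transparent Mode Destination Hosts/Nets
    allow_http_for_skipped: bool = False                  # Allow HTTP/S traffic for listed hosts/nets


def _in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def evaluate(cfg, rules, src, dst, dport):
    """Return (decision, reason) for a new connection src -> dst:dport."""
    if dport in WEB_PORTS:
        skipped = _in_any(src, cfg.skip_sources) or _in_any(dst, cfg.skip_destinations)
        if not skipped:
            # Intercepted: the web filter policy, not the packet filter, decides.
            return "proxied", "intercepted by transparent web filter"
        if cfg.allow_http_for_skipped:
            # Implicit allow for skipped hosts; the manual rules below are never consulted.
            return "allow", "allow HTTP/S for skipped hosts/nets"
    # Only non-web traffic, and web traffic the proxy skipped without the
    # allow box ticked, gets here: first matching rule wins, then default drop.
    for rule in rules:
        if (_in_any(src, rule.sources) and _in_any(dst, rule.destinations)
                and (not rule.ports or dport in rule.ports)):
            return rule.action, f"firewall rule '{rule.name}'"
    return "drop", "default drop"


def example_rules():
    """Constructed rule set in the shape Bob recommends: explicit LAN-to-LAN
    allows, a logged guest-to-LAN drop placed first, Internet-only for guests."""
    return [
        FirewallRule("Guest -> LANs drop (log)", [GUEST], [INTERNAL, DMZ], set(), "drop"),
        FirewallRule("Internal <-> DMZ", [INTERNAL, DMZ], [INTERNAL, DMZ], set(), "allow"),
        FirewallRule("Guest -> Internet", [GUEST], [ANY], set(), "allow"),
    ]


def original_config():
    """The poster's layout: guest network skipped as *source*, allow box ticked."""
    return WebFilterConfig(skip_sources=[GUEST], allow_http_for_skipped=True)


def fixed_config():
    """Bob's layout: LANs skipped as *destination*, allow box cleared."""
    return WebFilterConfig(skip_destinations=[INTERNAL, DMZ], allow_http_for_skipped=False)


if __name__ == "__main__":
    rules = example_rules()
    for label, cfg in (("original", original_config()), ("fixed", fixed_config())):
        print(label, "guest -> internal https:", evaluate(cfg, rules, "10.99.0.5", "192.168.10.20", 443))
        print(label, "guest -> internal ssh:  ", evaluate(cfg, rules, "10.99.0.5", "192.168.10.20", 22))
        print(label, "guest -> internet http: ", evaluate(cfg, rules, "10.99.0.5", "203.0.113.10", 80))
        print(label, "internal -> dmz http:   ", evaluate(cfg, rules, "192.168.10.5", "192.168.20.8", 80))
```

With the original layout the guest-to-internal HTTPS connection is allowed by the skip-list exemption even though a drop rule for exactly that traffic sits at the top of the rule set, while SSH to the same host falls through to the packet filter and is dropped, which matches the symptom in the opening post (websites reachable, other services not). With Bob's layout the same web connection is no longer skipped by source, but its LAN destination is, so it reaches the packet filter and hits the logged drop rule; guest traffic to the Internet is still intercepted by the proxy, and Internal-to-DMZ web traffic is skipped by destination and allowed by the explicit rule.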
  • Hello BAlfson,

    thanks a lot. This solved the issue.

    Yet again, this is an issue related to (me and maybe others having) a lack of insight into the processing order and its implications.

    I always assumed the packet filter would match first and pass stuff.

     

    In my opinion, Sophos should release an official flow-chart on this topic (and not only as part of the training material for official certifications) to allow admins to see what is going on and therefore ease the process of debugging.

    Best regards to BAlfson and Zaphod for your help :) Appreciated

  • Ingo, see #2 in Rulz. I got the diagram from Astaro in the pre-Sophos days. ;)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA