Guest network access. Packetfilter does not block as expected

Question

Hello everyone, 
 I recently discovered a problem with my Guest-WAN configuration I have to separate guest interfaces (VLANs on a separate phy. NIC of the UTM). IPs are separate from corp. network 
 I used BAlfson 's guide for configuring the rest of the system to ensure separation 
 The problem I discovered is the following: 
 From the guest network I can access ALL internal websites 
 Other services are not possible 
 Our HTTP proxy runs in transparent mode. Guest network is set to skip source mode. Allow HTTP/S for skipped networks is enabled! (Due to requirements for some internal networks) 
 Packet filter rules are as follows:

The reachable internal websites IPs are included in the obfuscated green network group of rule #1 
 Any ideas why this happens? 
 Again clean separation of guest from anything else proves to be more complex than expected :( 
 
 Best regards for your help

BAlfson · Accepted Answer

Ingo, I think I'm following you - I would do this differently. 
 
 Remove the Guest network from 'Skip Transparent Mode Source ...' 
 Put your LANs in 'Skip Transparent Mode Destination ...' 
 De-select 'Allow HTTP/S traffic for listed hosts/nets' 
 Make explicit firewall rules that allow traffic between, for example, "Internal (Network)" and "DMZ (Network)" 
 
 Since there's no rule allowing "Guest (Network)" to go anywhere but the Internet, you should see that traffic to your LANs default dropped in the Firewall Live Log. 
 Cheers - Bob

Guest network access. Packetfilter does not block as expected

Submitted a Tech Support Case lately from the Support Portal?