SSL site-to-site connection: block all but one specific client

Hello,

 

I have an SSL site-to-site connection (home office, dd-wrt OpenVPN client <--> headquarters, UTM9) that works fine. The home office clients can access and work with all necessary resources.

My problem is that every client in the HQ can access the clients in the home office, and there are private clients/devices there which should not be accessible. Only one client in HQ should be able to establish a connection from HQ to the home office.

How can I achieve this? Please, be verbose if possible, I'm very new to UTM :-)

 

Best regards,

Gerd



  • Hi, Gerd, and welcome to the UTM Community!

    The problem is that you now have a tunnel with:

    [Home Network] <---> [Office Network]

    The most elegant solution is to change the definition in both devices to:

    [Some Home IPs] <---> [Office Network]

    Is that possible?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, and thank you for your answer!

    At the [Home Network] there is no Sophos UTM; there is a dd-wrt router with a somewhat complicated, scripted setup that establishes the VPN connection via a standard OpenVPN client, and I would prefer not to touch this setup.

    But I think there should be an easier solution on the [Office Network] side only, because only one office computer (mine) should be able to connect to [Home Network]. All other computers should not have access at all.

    Some firewall rules like:

    - traffic from [Office Network] to [Home Network] not allowed
    - but if a connection is _initiated_ from [Home Network], then allow traffic back from [Office Network] to [Home Network]
    - and if a connection is initiated from IP 10.0.0.123 (my office computer), then traffic from [Office Network] to [Home Network] is allowed as well

    Any ideas?

    Best regards,
    Gerd

  • That's a little different from what I first understood, Gerd.  Let me say that in my own words to be sure I understand now:

    • Traffic to any office IP from the home is allowed.
    • Only traffic from your office IP (.123) is allowed to any IP in your home.

    Is that it?  If so, then uncheck 'Automatic firewall rules' and create the following firewall rules:

    • {Home Network} -> Any -> {Office Network} : Allow
    • {10.0.0.123} -> Any -> {Home Network} : Allow

    All other traffic will be dropped by default and all response traffic will be allowed by conntrack because the request was allowed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    OK, now a little problem has occurred:
    With the rules from above the SSL-VPN connection is still active/alive, but the {Home Network} clients are no longer allowed to connect to {Office Network} resources; I can see the dropped ICMPs in the UTM's firewall log.

    If I do the following:

    • {Home Network} -> Any -> {Office Network} : Allow
    • AND additionally: {SSL-VPN Network} -> Any -> {Office Network} : Allow
    • {10.0.0.123} -> Any -> {Home Network} : Allow

    the connection is working again, but:

    • {10.0.0.123} can ping from {Office Network} to {Home Network}
    • {10.0.0.123} can establish a remote desktop connection from {Office Network} to {Home Network}
    • {10.0.0.XXX} cannot ping {Home Network} clients, but can establish a remote desktop connection to {Home Network} clients?

    What's still wrong?

    Best regards,
    Gerd

  • Pinging is regulated on the 'ICMP' tab of 'Firewall', Gerd.  The "Any" Service only includes TCP and UDP, not ICMP or other IP protocols.  If you want to allow pinging selectively, you must disable it on the 'ICMP' tab and create firewall rules using the "Ping" Service.  This is also required for inbound VPN connections to be able to ping your home devices.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
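To make Bob's two points concrete (the "Any" service covers only TCP/UDP, and reply traffic passes via conntrack rather than via its own rule), here is a small model of the rule evaluation. This is an added example, not Sophos UTM code; the network prefixes are constructed placeholders, only 10.0.0.123 comes from the thread.

```python
from ipaddress import ip_address, ip_network

# Objects from the thread; the prefixes themselves are constructed placeholders.
HOME = ip_network("192.168.50.0/24")      # {Home Network}, constructed prefix
OFFICE = ip_network("10.0.0.0/24")        # {Office Network}, constructed prefix
ME = ip_network("10.0.0.123/32")          # Gerd's office PC, from the thread
ANY = frozenset({"tcp", "udp"})           # UTM "Any" service: TCP and UDP only
PING = frozenset({"icmp"})                # UTM "Ping" service

# Bob's rule set: (source, service, destination), evaluated top-down, default drop.
RULES = [(HOME, ANY, OFFICE), (ME, ANY, HOME)]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()            # flows already allowed: (src, dst, proto)

    def packet(self, src, dst, proto):
        """Decide one packet: 'allow' or 'drop'. Allowed flows are recorded so
        the reply direction passes without needing a rule of its own."""
        s, d = ip_address(src), ip_address(dst)
        if (d, s, proto) in self.conntrack:        # reply to an allowed request
            return "allow"
        for net_src, service, net_dst in self.rules:
            if s in net_src and d in net_dst and proto in service:
                self.conntrack.add((s, d, proto))
                return "allow"
        return "drop"                              # implicit default policy

def demo():
    fw = Firewall(RULES)
    return {
        "home_to_office_tcp": fw.packet("192.168.50.10", "10.0.0.5", "tcp"),
        "office_reply_to_home": fw.packet("10.0.0.5", "192.168.50.10", "tcp"),
        "office_other_to_home": fw.packet("10.0.0.5", "192.168.50.11", "tcp"),
        "me_rdp_to_home": fw.packet("10.0.0.123", "192.168.50.11", "tcp"),
        "me_ping_to_home": fw.packet("10.0.0.123", "192.168.50.11", "icmp"),
        # Bob's fix: a separate rule using the "Ping" service
        "me_ping_with_ping_rule": Firewall(RULES + [(ME, PING, HOME)])
            .packet("10.0.0.123", "192.168.50.11", "icmp"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The model does not cover the 'ICMP' tab's global ping setting, which is why Bob says it has to be disabled before per-rule "Ping" control takes effect.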