How to block/restrict inter-VLAN routing?

Hello,

First off, I was reading different threads about this, but couldn't find an answer for my case, hence this post.

I have Sophos UTM 9 attached to a Layer 2 switch and then to some virtual machines.

There is a LAGP enabled in the Sophos and the VLANs are created as "Ethernet VLAN" interfaces, so they look like: lag0.10, lag0.11, etc.

I have:

VLAN 10 = 10.0.10.0/24
VLAN 11 = 10.0.11.0/24

The Sophos is configured as the GW for every VM in each VLAN, i.e.

VLAN 10: Sophos = 10.0.10.1, VM-10-1: 10.0.10.2, etc.
VLAN 11: Sophos = 10.0.11.1, VM-11-1: 10.0.11.2, etc.

Right now 10.0.10.2 can SSH to 10.0.11.2.

That means that inter-VLAN routing is enabled.

Please note that I'm using SSH for tests (as well as other ports like FTP) as I'm aware that pings and HTTP are handled differently.

I have the Firewall's Live Log open, and when I pass traffic from one VLAN to the other, I do NOT see it there, but I do see traffic running tcpdump from the command line in the Sophos.

In what way can I restrict traffic between VLANs attached to different sub-interfaces (lag.10, lag.11, etc.) but to the same "lag0" interface (LAGP)?

Thanks.

  • Hi, first I've seen you here - a belated welcome to the UTM Community!

    "Right now 10.0.10.2 can SSH to 10.0.11.2"

    If the second IP is on the UTM, this means that you have enabled 'Shell Access' and that either "Any" or VLAN 10 is in 'Allowed Networks'.

    WebAdmin automatically builds routes for all networks defined on UTM interfaces.  You regulate what traffic is allowed with firewall rules.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thank you for the reply!

    The IPs 10.0.0.2 and 10.0.11.2 are not configured in the Sophos, but in virtual machines behind Hyper-V. All the Sophos' IPs end in .1.

    That is:

    Sophos <--> Layer 2 switch <--> Hyper-V <--> VMs

    Regards

  • Hey Bee.

    So that means you have a firewall rule that is allowing traffic from network 10.0.10.0/24 to network 10.0.11.0/24 (or vice-versa). The default for UTM is always block unless explicitly configured to allow. You could paste a screenshot of your firewall rules here for us to take a look if you are unable to find the one that's allowing this traffic to go through.

    Regards,

    Giovani

  • Hi Giovani,

    Thanks for the reply!

    I already checked all user and automatic firewall rules, and there's no such rule.

    I've also recently created 2 new VLANs (as "Ethernet VLAN" interfaces), and the same happens: I can reach one VLAN from the other without restriction.

    Regards.

  • Please, provide us with a screenshot of your firewall rules so we can help you. Unless you are using Layer 3 switches and routing packets through the switch using it as the default gateway for the endpoints, a firewall rule is the only possible explanation.

  • Hi Giovani,

    Thanks for the reply, but about the screenshot, they are all internal names so it won't be of help.

    Also, do you think that existing firewall rules could apply to newly created VLANs ("Ethernet VLAN") in the Sophos?

    Because I did create two new VLANs, and they can see each other, and I ran a TCP traceroute from one VLAN to the other, and they get routed to the Sophos (as it's in fact the GW for the VMs).

    Regards

  • Have you used tcpdump to determine whether or not this traffic is actually transiting the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Yes, I did, the Sophos sees the traffic from one VLAN to the other. For example I tested it on RPC (3389) and I was able to see the traffic:

    09:21:06.348607 IP (tos 0x10, ttl 62, id 11812, offset 0, flags [DF], proto TCP (6), length 85)
    10.0.1.2.21 > 10.0.2.2.59962: Flags [P.], cksum 0x30c9 (correct), seq 362:395, ack 39, win 227, options [nop,nop,TS val 986811078 ecr 1107179336], length 33
    09:21:06.349732 IP (tos 0x0, ttl 63, id 361, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.2.2.59962 > 10.0.1.2.21: Flags [F.], cksum 0xf96c (correct), seq 39, ack 395, win 237, options [nop,nop,TS val 1107183903 ecr 986811078], length 0
    09:21:06.350748 IP (tos 0x10, ttl 62, id 11813, offset 0, flags [DF], proto TCP (6), length 65)
    10.0.1.2.21 > 10.0.2.2.59962: Flags [P.], cksum 0x32ac (correct), seq 395:408, ack 40, win 227, options [nop,nop,TS val 986811080 ecr 1107183903], length 13
    09:21:06.350758 IP (tos 0x10, ttl 62, id 11814, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.1.2.21 > 10.0.2.2.59962: Flags [F.], cksum 0xf966 (correct), seq 408, ack 40, win 227, options [nop,nop,TS val 986811080 ecr 1107183903], length 0
    09:21:06.351085 IP (tos 0x10, ttl 63, id 36234, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.2.2.59962 > 10.0.1.2.21: Flags [R], cksum 0x57ec (correct), seq 2243638946, win 0, length 0
    09:21:06.351092 IP (tos 0x10, ttl 63, id 36235, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.2.2.59962 > 10.0.1.2.21: Flags [R], cksum 0x57ec (correct), seq 2243638946, win 0, length 0

    TCP traceroute from 10.0.1.2 to 10.0.2.2 port 21 (FTP):

    traceroute to 10.0.2.2 (10.0.2.2), 30 hops max, 60 byte packets
    1 10.0.1.1 0.475 ms 0.431 ms 0.411 ms
    2 10.0.2.2 1.831 ms 1.815 ms 1.799 ms
    3 10.0.2.2 <syn,ack> 1.783 ms 1.768 ms 1.752 ms

    Same for RDP and other TCP ports.

    Regards.
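Added example, not part of the thread and not Sophos tooling: a small Python script that reads `tcpdump -v` output in the format pasted above, groups packets into connections, keeps only those whose two endpoints lie in different VLAN subnets, and separates connections seen in both directions from ones where only a single unanswered packet was captured. The VLAN-to-subnet mapping and the sample capture are constructed for this example (the thread describes 10.0.10.0/24 and 10.0.11.0/24 while the pasted excerpt uses 10.0.1.x and 10.0.2.x, so both pairs are mapped).

```python
import ipaddress
import re

# Constructed mapping of VLAN names to subnets. The thread describes
# 10.0.10.0/24 and 10.0.11.0/24; the pasted tcpdump excerpt uses 10.0.1.x
# and 10.0.2.x, so both pairs are listed here.
VLAN_SUBNETS = {
    "VLAN1": ipaddress.ip_network("10.0.1.0/24"),
    "VLAN2": ipaddress.ip_network("10.0.2.0/24"),
    "VLAN10": ipaddress.ip_network("10.0.10.0/24"),
    "VLAN11": ipaddress.ip_network("10.0.11.0/24"),
}

# Matches the "src.sport > dst.dport: Flags [..]" line that tcpdump -v prints
# under each "IP (tos ...)" header line; header lines simply fail to match.
FLOW_RE = re.compile(
    r"^(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: an FTP exchange between VLAN1 and VLAN2 seen in
# both directions, a lone SYN from VLAN10 to VLAN11 with no reply, and one
# same-VLAN packet (host to the UTM's own address) that must be ignored.
SAMPLE_CAPTURE = """\
09:21:06.348607 IP (tos 0x10, ttl 62, id 11812, offset 0, flags [DF], proto TCP (6), length 85)
10.0.1.2.21 > 10.0.2.2.59962: Flags [P.], cksum 0x30c9 (correct), seq 362:395, ack 39, win 227, length 33
09:21:06.349732 IP (tos 0x0, ttl 63, id 361, offset 0, flags [DF], proto TCP (6), length 52)
10.0.2.2.59962 > 10.0.1.2.21: Flags [F.], cksum 0xf96c (correct), seq 39, ack 395, win 237, length 0
09:21:06.351085 IP (tos 0x10, ttl 63, id 36234, offset 0, flags [DF], proto TCP (6), length 40)
10.0.2.2.59962 > 10.0.1.2.21: Flags [R], cksum 0x57ec (correct), seq 2243638946, win 0, length 0
09:22:10.000001 IP (tos 0x0, ttl 63, id 100, offset 0, flags [DF], proto TCP (6), length 60)
10.0.10.2.40000 > 10.0.11.2.22: Flags [S], cksum 0x1234 (correct), seq 1, win 29200, length 0
09:22:11.000001 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 60)
10.0.10.2.40001 > 10.0.10.1.22: Flags [S], cksum 0x1235 (correct), seq 2, win 29200, length 0
"""


def vlan_of(ip):
    """Name of the VLAN subnet containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    """Return (src, sport, dst, dport, flag_set) for a flow line, or None otherwise."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), set(m["flags"]))


def inter_vlan_connections(capture):
    """Group packets into connections whose endpoints sit in different VLAN subnets.

    Key: the two (ip, port) endpoints in sorted order, so both directions of a
    connection land on the same record. Each record counts packets per direction
    and collects every TCP flag character seen.
    """
    conns = {}
    for line in capture.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, sport, dst, dport, flags = flow
        src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
        if src_vlan is None or dst_vlan is None or src_vlan == dst_vlan:
            continue  # not inter-VLAN: same subnet, or an address outside the map
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)
        rec = conns.setdefault(key, {"vlans": {src_vlan, dst_vlan}, "directions": {}, "flags": set()})
        rec["directions"][(src, dst)] = rec["directions"].get((src, dst), 0) + 1
        rec["flags"] |= flags
    return conns


def confirmed_transit(conns):
    """Connections with packets in both directions.

    A reply from the far VLAN proves the UTM forwarded the request. A lone SYN
    captured on the ingress interface proves nothing by itself: tcpdump sees it
    before the firewall decides whether to drop it.
    """
    return {k: v for k, v in conns.items() if len(v["directions"]) == 2}


def report(capture):
    """Human-readable one-line-per-connection summary."""
    conns = inter_vlan_connections(capture)
    confirmed = confirmed_transit(conns)
    lines = []
    for (a, b), rec in sorted(conns.items()):
        status = "FORWARDED" if (a, b) in confirmed else "unconfirmed (one direction only)"
        lines.append(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {'/'.join(sorted(rec['vlans']))}  "
                     f"flags={''.join(sorted(rec['flags']))}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

The bidirectional check is the part worth keeping in mind when reading a capture like the one above: the FTP server's PSH/FIN packets coming back from the other VLAN are what show the UTM is actually forwarding, while a single SYN on its own could have been captured and then dropped by a rule. Feed the script the output of a capture on the interface the VLAN traffic arrives on (e.g. pipe `tcpdump -nnv` output into `report`) rather than relying on one direction.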

  • Traceroute and pinging are regulated on the 'ICMP' tab of 'Firewall', so those don't relate.  However the tcpdump shows that port 21 traffic transits the UTM between the two VLANs and that's irrefutable proof that you have a firewall rule allowing the traffic or that your UTM is "sick" and should be re-imaged and perhaps reconfigured from scratch.  I'm with Giovani though, so my money is on the firewall rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    The traceroute I ran is a TCP one (you can see the syn and the ack), not ICMP.

    About the firewall rule, I haven't found any, but anyway, then is it possible to have a firewall rule that will affect future "Ethernet VLAN" interfaces? Or is it because they are all under "lag0.x" (x being the VLAN) and belonging to the same LACP interface, that they apply?

  • There's no reason other than an Any-Any firewall rule that I can think of.  Just for grins, you could apply #2 in Rulz and create 6 NAT rules like:

    DNAT : VLANx -> Any -> VLANy : to {non-existent IP}

    Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA