How can I deny inter-VLAN routing

there must be a firewall rule allowing traffic between internal and internal2.

possible this FW-rule ist created automatically.

select "show all" to check this.

There is no automatic firewall rule that would indicate that. The only thing that is there is some DNAT port forwarding rules to specific IPs

There is a firewall rule added by the installation wizard:
Internal -> Any Service -> Any Network

I thought that rule was what was doing the routing, so I added an explicit drop (and I tried reject) action rule before the above rule:
Internal -> Any Service -> Internal2

ping is handled separately ... configure somewhere at firewall/ICMP settings

also HTTP Proxy may forward port80 traffic without FW-Rule.

As Perry said, if you allow ICMP trough UTM no firewall rule will block it. Check https://community.sophos.com/kb/hu-hu/121415. If you are passing ICMP through, do your tests using any other protocol as any ICMP will be allowed.

Sophos UTM blocks everything unless specifically allowed, so you you actually don't need a rule to block this access.

You are right about the default created rule, as it would allow endpoints on the "Internal" network to access endpoints on the "Internal2" network, but not the other way around. But you have taken care of that already.

Also check you masquerade NAT rule and make sure it masquerades only to external interfaces.

Regards,

Giovani

As Perry said, if you allow ICMP trough UTM no firewall rule will block it. Check https://community.sophos.com/kb/hu-hu/121415. If you are passing ICMP through, do your tests using any other protocol as any ICMP will be allowed.

Sophos UTM blocks everything unless specifically allowed, so you you actually don't need a rule to block this access.

You are right about the default created rule, as it would allow endpoints on the "Internal" network to access endpoints on the "Internal2" network, but not the other way around. But you have taken care of that already.

Also check you masquerade NAT rule and make sure it masquerades only to external interfaces.

Regards,

Giovani

I'll need to go back onsite to fully test, but can you explain the masquerade NAT rule? I currently have Any -> WAN (interface), would I need to change that?

Nope, that's good.

Unless you have another firewall rule allowing those networks to talk to each other, I don't see how this could be happening. Is the UTM the default gateway for both networks?

Regards,

Giovani

Yes both internal networks have their respective gateways as the IP defined in the Sophos i.e. 10.10.10.1 and 10.10.20.1

I think I might have had the HTTP Proxy on earlier when I was testing. I'll have to try again to be sure, since I don't have a computer on the 2nd network at the moment.

Yes, if you have Web Protection enabled and what is passing is HTTP/S traffic, then that's it, as the traffic will be relayed by the proxy to the other network. You'll have to block that access through Web Protection policies if that's the case.

Regards,

Giovani

Hi, Perry, and welcome to the UTM Community!

You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

Cheers - Bob