This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How can I deny inter-VLAN routing

I have the following Network topology

WAN -> eth1
Internal -> eth0 (default VLAN untagged) 10.10.10.0/24
Internal2 -> eth2 (VLAN 10 untagged) 10.10.20.0/24

On the switch, I simply have dedicated untagged ports for VLANs for the respective networks. My issue is I'm trying to isolate the internal networks from each other. I want to deny routing from Internal to Internal2 and vice-versa.

I've tried adding a No NAT rule from one network to the other but that didn't work. I also tried adding a firewall rule to drop packets from one network to the other and again i can still access it. I'm sure I'm missing something obvious that someone can point out.

This thread was automatically locked due to age.

Parents

0 dirkkotte over 8 years ago

there must be a firewall rule allowing traffic between internal and internal2.

possible this FW-rule ist created automatically.

select "show all" to check this.
Cancel
Vote Up 0 Vote Down

Cancel
0 Perry Stathopoulos over 8 years ago in reply to dirkkotte

There is no automatic firewall rule that would indicate that. The only thing that is there is some DNAT port forwarding rules to specific IPs

There is a firewall rule added by the installation wizard:
Internal -> Any Service -> Any Network

I thought that rule was what was doing the routing, so I added an explicit drop (and I tried reject) action rule before the above rule:
Internal -> Any Service -> Internal2
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 8 years ago in reply to Perry Stathopoulos

ping is handled separately ... configure somewhere at firewall/ICMP settings

also HTTP Proxy may forward port80 traffic without FW-Rule.
Cancel
Vote Up 0 Vote Down

Cancel
0 giomoda over 8 years ago in reply to dirkkotte

As Perry said, if you allow ICMP trough UTM no firewall rule will block it. Check https://community.sophos.com/kb/hu-hu/121415. If you are passing ICMP through, do your tests using any other protocol as any ICMP will be allowed.

Sophos UTM blocks everything unless specifically allowed, so you you actually don't need a rule to block this access.

You are right about the default created rule, as it would allow endpoints on the "Internal" network to access endpoints on the "Internal2" network, but not the other way around. But you have taken care of that already.

Also check you masquerade NAT rule and make sure it masquerades only to external interfaces.

Regards,

Giovani
Cancel
Vote Up 0 Vote Down

Cancel
0 Perry Stathopoulos over 8 years ago in reply to giomoda

I'll need to go back onsite to fully test, but can you explain the masquerade NAT rule? I currently have Any -> WAN (interface), would I need to change that?
Cancel
Vote Up 0 Vote Down

Cancel
0 giomoda over 8 years ago in reply to Perry Stathopoulos

Nope, that's good.

Unless you have another firewall rule allowing those networks to talk to each other, I don't see how this could be happening. Is the UTM the default gateway for both networks?

Regards,

Giovani
Cancel
Vote Up 0 Vote Down

Cancel
0 Perry Stathopoulos over 8 years ago in reply to giomoda

Yes both internal networks have their respective gateways as the IP defined in the Sophos i.e. 10.10.10.1 and 10.10.20.1

I think I might have had the HTTP Proxy on earlier when I was testing. I'll have to try again to be sure, since I don't have a computer on the 2nd network at the moment.
Cancel
Vote Up 0 Vote Down

Cancel
0 giomoda over 8 years ago in reply to Perry Stathopoulos

Yes, if you have Web Protection enabled and what is passing is HTTP/S traffic, then that's it, as the traffic will be relayed by the proxy to the other network. You'll have to block that access through Web Protection policies if that's the case.

Regards,

Giovani
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 giomoda over 8 years ago in reply to Perry Stathopoulos

Yes, if you have Web Protection enabled and what is passing is HTTP/S traffic, then that's it, as the traffic will be relayed by the proxy to the other network. You'll have to block that access through Web Protection policies if that's the case.

Regards,

Giovani
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data