This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Filter Profiles Enable VLANs to pass http & https data.

I'm new to VLANs so please forgive my ignorance if this is a simple mistake.

I've set up 3 VLANs on my network at home:

vlan1 (default, untagged) handles most of the traffic.
VLAN 30, tagged - guest
VLAN 40, tagged - stealThisWifi (one for fun)

Using the following equipment:

Unifi APs - untagged, tagged 30, tagged 40.
TP-Link TL-SG3216 Switch - 802.1q - AP, UTM, esxi ports set to: General, vlan 1 untag, vlans 30 and 40 tagged.
UTM 9.2 - eth0: external, eth1: "internal" (x.x.2.1/24), eth2 (VLAN 30) "Guests": x.x.30.1/24, eth2 (VLAN 40) "stealThisWifi": x.x.40.1/24

Masquerading: Internal -> External, Guests->External, stealThisWifi->External
NAT: Only very specific rules set up for any and internal -> external.

Firewall rules:

Guests, Internal, stealThisWifi; dns; -> any
Guests, stealThisWifi; web surfing; -> Internet IPv4
Guests, stealThisWifi; UnifiPortal; -> any, internal (network)
Everything else is internal (network) -> something or any -> specific services and location.

Web Filter Profile:

Name: StealThisWifi Profile

Allowed Networks: stealThisWifi (network)

Operation Mode: Transparent

Policies: stealThisWifi Policy, Base Policy

Web Filter Policies:

Name: stealThisWifi Policy

Users/Groups: Any

Time: Anytime

Filter Action: StealThisWifi Content Filter

Name: Base Policy

Users/Groups: Any

Time: Anytime

Filter Action: Default content filter block action

Ok, so with all that out of the way. Everything works great (with the web filter profile OFF). VLANs cannot intercommunicate (with the exception of to x.x.2.1, which may or may not be a problem), and have access to the web and their own subnet.
The problem is, if I enable the "stealThisWifi Policy," the filters are applied properly, but now that subnet (x.x.40.x) can access http and https sites on vlan 1 (x.x.2.x) (including the admin sites, which is what I'm trying to avoid). Turn off that policy, and it's quiet again.

Am I missing something, or doing something wrong? I don't want the vlans to be able to access anything on a different vlan without me creating a route for it (which is kinda the point), and I want to be able to apply different filters based on vlan memebrship. Surely there is a setting somewhere, or something simple that I missed.

Suggestions?

This thread was automatically locked due to age.

Parents

0 BAlfson over 11 years ago

WebAdmin automatically creates routes between subnets defined on the UTM's Interfaces, but you still need to create firewall rules to allow traffic between them. The Web Proxy has its own firewall rules. Also, consider #2 in Rulz.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 derrickoltmann over 11 years ago in reply to BAlfson

Ok, so I guess the better question would be, How do I tell the WebFilter to drop any packets that are not bound for the external network which I do not specifically allow?
Cancel
Vote Up 0 Vote Down

Cancel
0 derrickoltmann over 11 years ago in reply to derrickoltmann

Found the solution on another post here.

Web Protection -> Filtering Options -> Misc -> Transparent Mode Skiplist -> Place networks in "Skip transparent mode destination hosts/nets" -> untick "Allow Http/s traffic for listed hosts/nets"

I figured it was something simple, Appears Fixed.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 derrickoltmann over 11 years ago in reply to derrickoltmann

Found the solution on another post here.

Web Protection -> Filtering Options -> Misc -> Transparent Mode Skiplist -> Place networks in "Skip transparent mode destination hosts/nets" -> untick "Allow Http/s traffic for listed hosts/nets"

I figured it was something simple, Appears Fixed.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data