MunkaySteve
10-02-2008, 07:23 AM
Hi All,
I just wanted to make sure that I had the correct understanding on the use of multiple racks and the Policy Manager.
I believe that the following is true:
The Default Rack processes all traffic not explicitly directed away to other racks / no rack.
Separate policies are needed for each type of traffic, such as client traffic on an internal range needs to be in a separate policy from server traffic in the same range.
The same as above for the DMZ Range.
The reason I am querying this is I am applying a separate set of rules to a subrange of our Internal LAN, of which there are a couple of NAT Port Forwards in effect as well (Email and another service) which require the Firewall module to regulate access from the outside.
In essence, I believe I need to (in addition to the default no rack policy for outbound email, amended to only operate for email servers by IP):
Create a Policy to permit specific subnet out via their rack (Client Interface = Internal, Client Address = subnet range).
Create a Policy to permit external connections into subnet via the same rack (Server Interface - Internal, Server Address = subnet range).
Repeat for the DMZ.
How does this sound to people? :worship:
Thanks
Steve
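To check the reasoning in the post, here is a small first-match model of rack selection (an added example, not code from the post or from any product). The policy fields, interface names, subnet and addresses are assumptions; the point it shows is that a client-side policy alone never catches port-forwarded inbound traffic, where the subnet is on the server side, so that traffic falls to the Default Rack unless a second, server-side policy exists.

```python
# Added example: a first-match model of how a policy manager picks a rack for a flow.
# Policy attributes, interface names and subnets below are assumptions, not product config.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_RACK = "Default Rack"

@dataclass
class Flow:
    client_iface: str
    client_ip: str
    server_iface: str
    server_ip: str

@dataclass
class Policy:
    rack: str
    client_iface: Optional[str] = None
    client_net: Optional[str] = None
    server_iface: Optional[str] = None
    server_net: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        # Every condition that is set must hold; unset conditions match anything.
        if self.client_iface and f.client_iface != self.client_iface:
            return False
        if self.server_iface and f.server_iface != self.server_iface:
            return False
        if self.client_net and ip_address(f.client_ip) not in ip_network(self.client_net):
            return False
        if self.server_net and ip_address(f.server_ip) not in ip_network(self.server_net):
            return False
        return True

def select_rack(policies, flow):
    # First matching policy wins; anything left unmatched lands in the Default Rack.
    for p in policies:
        if p.matches(flow):
            return p.rack
    return DEFAULT_RACK

# Constructed sample: subnet 10.0.5.0/24 on the Internal interface gets its own rack.
OUTBOUND = Policy("Subnet Rack", client_iface="Internal", client_net="10.0.5.0/24")
INBOUND = Policy("Subnet Rack", server_iface="Internal", server_net="10.0.5.0/24")
OUT_FLOW = Flow("Internal", "10.0.5.20", "External", "203.0.113.10")   # subnet client to the internet
IN_FLOW = Flow("External", "198.51.100.7", "Internal", "10.0.5.25")    # port-forwarded mail from outside

def check_policy_set(policies):
    return {"outbound": select_rack(policies, OUT_FLOW), "inbound": select_rack(policies, IN_FLOW)}
```

Running `check_policy_set([OUTBOUND])` shows the inbound port-forwarded flow landing in the Default Rack; adding `INBOUND` sends both directions to the subnet's rack, which is the gap the second policy in the post is there to close.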