  #1 Master Untangler (Join Date: Dec 2008; Location: Dallas, TX; Posts: 337)

    Missing something simple - DMZ rules

    I just set up a new device with 3 interfaces:
    External - [static IP]
    Internal - 192.168.1.0/24
    DMZ - 192.168.2.0/24

    Straight from the wiki is a description of what I want to accomplish:
    If you're looking for a guest WiFi network walled off from your private network, the easiest way is to plug the wireless AP into its own interface and configure the Untangle to hand out DHCP on that interface. You can then use the Firewall to wall off that interface from connecting to your private network.

    Wireless AP is plugged into the DMZ and DHCP is working properly. Internet is working correctly on both Internal and DMZ network segments.

    So far so good, but I also want to separate the two networks as described in the wiki. I have added and enabled the firewall rules shown in the attachments to attempt to block traffic between Internal and DMZ. The default action of the firewall is pass and there are no other firewall rules. However, I can ping between the interfaces and even RDP to a server from the DMZ - not a desired action. Nothing shows in the firewall logs as blocked or passed. Is there a setting somewhere that is bypassing my rules, or do my rules need to be modified?

    I am sure this is very simple but the "duh" moment has not hit me yet. Maybe one of you kind souls can show me the error of my ways.

  #2 hlarsen, some dude (Join Date: Jul 2010; Location: sfba; Posts: 1,385)

    ping is going to work unless you change TCP & UDP to Any.
    is all the traffic going through one rack?

  #3 Master Untangler (Join Date: Dec 2008; Location: Dallas, TX; Posts: 337)

    Ok - just changed traffic type to "any" in both rules. From 192.168.1.x I can still ping the 192.168.2.254 DMZ port. I don't have any other devices on 192.168.2.x yet until I secure that network segment.

    Yes, there is only one rack. I have not specifically assigned DMZ to a rack - assumed that default would apply to everything unless otherwise changed. Is it possible that the DMZ traffic is bypassing the default rack? I did not add any bypass rules beyond the standard install.

  #4 hlarsen, some dude (Join Date: Jul 2010; Location: sfba; Posts: 1,385)

    without any policies it should indeed all be going to the default rack.

    traceroute / Packet Test shows the traffic going through the Untangle?
    you don't have any Bypass rules that might be affecting the traffic, do you?

    try using the Packet Filter to block traffic flow between them.

  #5 Master Untangler (Join Date: Dec 2008; Location: Dallas, TX; Posts: 337)

    Now this is really getting weird....power supply went out over the night. Replaced power supply and it is up and running again.

    I added a packet rule and it did indeed block traffic between the networks. However, I removed the rule and now the firewall rules are blocking some traffic???? They still do not block ping traffic from DMZ to Internal. However, they now block and log connections on 80, 3389 and other ports between DMZ and Internal. No other changes made.

    The gateway ports seem to be treated differently by the firewall rules. If I tracert from 192.168.1.x to 192.168.2.x the route starts with 192.168.1.254 - default internal gateway. If I tracert from 192.168.1.x to 192.168.2.254 - default DMZ gateway - it does *not* go through default internal gateway - just a direct connection to 192.168.2.254.

    Seriously considering starting over with this installation......

  #6 sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,119)

    Quote Originally Posted by hlarsen:
        ping is going to work unless you change TCP & UDP to Any.
        is all the traffic going through one rack?
    This is embarrassing...

    The firewall cannot control protocols other than TCP and UDP. The "any" field in the firewall module may as well not even be there. It's TCP, UDP, or both.

    Why? Because those are the only traffic types processed by the UVM itself, no other protocols even enter the rack, much less the firewall module.

    If you want to control protocols other than TCP and UDP you MUST use the packet filter.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
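The behaviour sky-knight describes (ICMP never enters the rack, so a Firewall-module rule with "any" is really TCP+UDP, while the Packet Filter is evaluated for every protocol) can be checked against a small model before trusting a ruleset. The following is an added example and is not Untangle's code or anything posted in this thread: it is a simplified two-layer evaluator with the thread's subnets, constructed sample traffic, and assumed names (`Packet`, `Rule`, `firewall_module`, `packet_filter`, `evaluate`, `audit`). It runs the same DMZ/Internal isolation first as Firewall-module rules and then as Packet Filter rules, so the gap on ping shows up as a result rather than as a surprise on the wire.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing taken from the thread; anything else counts as External.
NETWORKS = {
    "Internal": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}

# Per the thread: only TCP and UDP sessions enter the UVM rack, so a
# Firewall-module rule can never see ICMP, whatever its protocol field says.
UVM_PROTOCOLS = frozenset({"TCP", "UDP"})
ANY = frozenset({"*"})          # assumed marker meaning "every protocol"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP", "ICMP", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_iface: str              # "Internal", "DMZ" or "External"
    dst_iface: str
    protocols: FrozenSet[str]   # e.g. {"TCP"}, {"TCP", "UDP"} or ANY
    action: str = "block"


def iface_of(ip: str) -> str:
    """Map an address to the interface whose subnet contains it."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if (iface_of(pkt.src), iface_of(pkt.dst)) != (rule.src_iface, rule.dst_iface):
        return False
    return rule.protocols == ANY or pkt.proto in rule.protocols


def firewall_module(pkt: Packet, rules: List[Rule]) -> str:
    """Firewall app in the rack: 'block', 'pass' (default action) or 'not-seen'."""
    if pkt.proto not in UVM_PROTOCOLS:
        return "not-seen"       # the protocol never reaches the rack
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "pass"


def packet_filter(pkt: Packet, rules: List[Rule]) -> str:
    """Packet Filter: evaluated before the rack and sees every protocol."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "pass"


def evaluate(pkt: Packet, fw_rules: List[Rule], pf_rules: List[Rule]) -> Tuple[str, str]:
    """Return (verdict, stage) for one packet passing through both layers in order."""
    if packet_filter(pkt, pf_rules) == "block":
        return ("block", "packet-filter")
    fw = firewall_module(pkt, fw_rules)
    if fw == "block":
        return ("block", "firewall-module")
    if fw == "not-seen":
        return ("pass", "never-entered-rack")
    return ("pass", "firewall-default")


def isolation_rules(protocols: FrozenSet[str]) -> List[Rule]:
    """Block DMZ<->Internal in both directions for the given protocol set."""
    return [Rule("DMZ", "Internal", protocols), Rule("Internal", "DMZ", protocols)]


# Constructed traffic: the cases from the thread plus Internet-bound traffic
# that the isolation rules must leave alone.
SAMPLE_TRAFFIC = [
    ("ping DMZ->Internal", Packet("192.168.2.10", "192.168.1.20", "ICMP")),
    ("RDP DMZ->Internal", Packet("192.168.2.10", "192.168.1.20", "TCP", 3389)),
    ("HTTP Internal->DMZ", Packet("192.168.1.20", "192.168.2.10", "TCP", 80)),
    ("DNS DMZ->Internet", Packet("192.168.2.10", "198.51.100.53", "UDP", 53)),
]


def audit(fw_rules: List[Rule], pf_rules: List[Rule]) -> dict:
    return {label: evaluate(pkt, fw_rules, pf_rules) for label, pkt in SAMPLE_TRAFFIC}


# Attempt 1 (the thread's original setup): Firewall-module rules with "any",
# which in practice means TCP+UDP only, so ping still gets through.
firewall_only = audit(isolation_rules(UVM_PROTOCOLS), [])

# Attempt 2 (the fix): the same isolation expressed as Packet Filter rules.
packet_filter_fix = audit([], isolation_rules(ANY))

if __name__ == "__main__":
    for name, result in (("Firewall module only", firewall_only),
                         ("Packet filter", packet_filter_fix)):
        print(name)
        for label, (verdict, stage) in result.items():
            print(f"  {label:20} {verdict:5} ({stage})")
```

Running the block prints both audits side by side: with Firewall-module rules alone, RDP and HTTP between the segments are blocked but the ping passes with stage `never-entered-rack`; with Packet Filter rules, all three cross-segment flows are blocked and DNS to the Internet still passes. The same table is a convenient place to add any other flow you expect the isolation to leave untouched.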
