#1 Untangler

Firewall rules to block access to specific VLANs from internal network

    Hi all,
    I have a VLAN that's configured in the firewall to block destination and source traffic to everything except Any WAN.
    Why am I able to ping the devices on the VLAN from my internal network?

    Rules:
    Source interface is GUEST WIFI VLAN and Destination Interface is not Any WAN Block
    Destination interface is GUEST WIFI VLAN and Source Interface is not Any WAN Block

    Thank you in advance for your help.

#2 jcoehoorn

    I know some people use multiple interfaces and let Untangle handle internal routing, but in my network at least Untangle is the gateway and only the gateway, and internal routing is handled via a layer-3 capable switch (which I suppose technically makes the switch a router).

    With that in mind, Untangle only matters for traffic that passes through it. If you can get from one vlan to another without passing through Untangle, your rules won't matter.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.4.1 to protect 500Mbits for ~450 residential college students and associated staff and faculty

#3 sky-knight

    Also, the firewall app like all UVM apps only sees TCP and UDP... you can't test with ICMP (Ping).
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 Untangler

    Thanks.
Forgot to mention that the device on that tagged VLAN is connected to a UniFi managed switch, plugged into a port that is configured to only route traffic across that VLAN tag. That VLAN has DHCP enabled on Untangle, and devices connected to that port on the switch are getting DHCP addresses from that range, so I know the VLAN is configured properly on the switch port.

Sky, okay, that makes sense. Just tried accessing an HTTP site on that device, and I can't, so I guess it is working.
Is there any way to create a rule in another App/Setting in Untangle that will block ICMP between VLANs?

Thanks again for your help.

#5 sky-knight

If you want to control ICMP across VLANs, then you'll want a filter rule. (Config -> Network -> Filter)

    Now, in that rule you can specify the protocol flag, feel free to check all the boxes EXCEPT TCP and UDP.

    Source interface, any-non-wan
    Destination interface, any-non-wan

That rule will prevent all non-TCP/UDP traffic from happening across VLANs; ICMP is one of them. It leaves TCP and UDP to flow, so you get the nice firewall app logging and control. This rule also doesn't impact anything transiting to a WAN interface, so Internet access, either direct or over a TunnelVPN tunnel, works.
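To make the interplay of the two rule sets in this thread concrete, here is an added example (not code from the thread or from Untangle itself) that models the original poster's two Firewall app rules and the filter rule suggested above against a few constructed flows. The interface names, the "Any WAN" set and the sample flows are assumptions for illustration; Untangle's real rule engine is not reproduced here.

```python
from dataclasses import dataclass

# Assumed interface layout: one WAN interface and two internal VLAN interfaces.
WAN_INTERFACES = {"wan0"}             # what "Any WAN" resolves to in this model
INTERNAL_INTERFACES = {"lan", "guest_wifi"}


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp", "udp" or "icmp"
    src_if: str   # interface the packet enters on
    dst_if: str   # interface the packet would leave on


def is_wan(iface: str) -> bool:
    return iface in WAN_INTERFACES


def firewall_app_blocks(flow: Flow) -> bool:
    """The original poster's two Firewall app rules.

    The Firewall app only evaluates TCP and UDP sessions (as sky-knight
    notes), so ICMP never reaches these rules at all: this is why the
    pings were still getting through.
    """
    if flow.proto not in ("tcp", "udp"):
        return False
    # Rule 1: source interface is GUEST WIFI and destination is not Any WAN
    if flow.src_if == "guest_wifi" and not is_wan(flow.dst_if):
        return True
    # Rule 2: destination interface is GUEST WIFI and source is not Any WAN
    if flow.dst_if == "guest_wifi" and not is_wan(flow.src_if):
        return True
    return False


def filter_rule_blocks(flow: Flow) -> bool:
    """The suggested filter rule: every protocol except TCP and UDP,
    source any-non-wan, destination any-non-wan -> block."""
    return (flow.proto not in ("tcp", "udp")
            and not is_wan(flow.src_if)
            and not is_wan(flow.dst_if))


def blocked(flow: Flow, filter_rule_enabled: bool) -> bool:
    """Overall verdict for a flow that actually transits Untangle.

    Note jcoehoorn's point: traffic that is routed between VLANs by a
    layer-3 switch never passes through Untangle and is not evaluated."""
    if filter_rule_enabled and filter_rule_blocks(flow):
        return True
    return firewall_app_blocks(flow)
```

Running the model shows the thread's outcome: LAN-to-guest ICMP is allowed by the Firewall app rules alone, blocked once the filter rule exists, while TCP between the VLANs is blocked either way and traffic to the WAN interface is untouched.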

#6 jcoehoorn

    ^^^^ What he said.

    Just be very careful messing with filter rules, especially broad rules that impact entire vlans. It's very easy to accidentally break things in a way you can't put right again without re-installing Untangle from scratch.

#7 sky-knight

    That's access rules!

    Filter rules shouldn't be able to muck with traffic to / from Untangle itself.

    So while you can goof things up so bad you have to login from the local network, that's about the worst of it. Still, if that Untangle is many miles away... yeah... there be dragons here!

#8 Untangler

    Thank you!
