  1. #1
    Newbie
    Join Date
    Apr 2020
    Posts
    2

    Filter Rules Between vLANs

    Hi,

    I currently have a total of 4 vLAN networks. At the moment they are all NAT'd in order to prevent communication between them. However, we now have the need to allow access to one of them from one other on a specific port only and to a specific IP.

    I understand in order to achieve this I need to disable NAT on the two interfaces affected but I'm then unsure what filter rules I'd need to set up. I don't want to simply try this out in case I end up losing access altogether to Untangle or something equally as silly.

    Any help/pointers would be greatly appreciated.

    Thanks in advance and hope you're all keeping safe.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,691

    Don't use NAT on the non-WANs. Use filter rules in Config -> Network -> Filter Rules instead.

    Example:

    [Attached image: block-interfaces-vlans.jpg]

    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,163

    I prefer any non-wan to any non-wan as a block.

    Then I make other rules above it selecting specific interface sets you want to allow traffic to flow on.

    Finally, I use the firewall module to select which traffic I want to flow.

    Three rules, in two different tools.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
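
The rule ordering described in the posts above, as an added example that is not part of the original thread and not Untangle code: a first-match model showing why the allow rule must sit above the "any non-WAN to any non-WAN" block. Interface names, the server address and the port are constructed, and the model assumes traffic that matches no rule passes.

```python
# Added model of first-match rule ordering; this is not Untangle code.
# Interface names, the server IP and the port are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

WAN_INTERFACES = {"wan"}  # assumption: every other interface is non-WAN

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "pass" or "block"
    src_if: str = "any"             # interface name, "any" or "non-wan"
    dst_if: str = "any"
    dst_ip: Optional[str] = None    # None matches any destination address
    dst_port: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Flow:
    src_if: str
    dst_if: str
    dst_ip: str
    dst_port: int

def if_matches(selector: str, interface: str) -> bool:
    if selector == "non-wan":
        return interface not in WAN_INTERFACES
    return selector in ("any", interface)

def evaluate(rules, flow, default="pass"):
    """Return (action, rule name) for the first rule matching the flow."""
    for r in rules:
        if (if_matches(r.src_if, flow.src_if) and if_matches(r.dst_if, flow.dst_if)
                and r.dst_ip in (None, flow.dst_ip) and r.dst_port in (None, flow.dst_port)):
            return r.action, r.name
    return default, "default"       # assumption: unmatched traffic passes

def never_first_match(rules, probes):
    """Names of rules no probe flow ever reaches (shadowed by earlier rules)."""
    hit = {evaluate(rules, p)[1] for p in probes}
    return [r.name for r in rules if r.name not in hit]

ALLOW = Rule("allow vlan20->server:443", "pass", "vlan20", "vlan10", "192.168.10.5", 443)
BLOCK = Rule("block non-wan->non-wan", "block", "non-wan", "non-wan")
PROBES = [
    Flow("vlan20", "vlan10", "192.168.10.5", 443),  # the one permitted flow
    Flow("vlan20", "vlan10", "192.168.10.5", 22),   # same host, other port
    Flow("vlan30", "vlan10", "192.168.10.5", 443),  # other VLAN, same service
    Flow("vlan20", "wan", "203.0.113.10", 443),     # internet-bound traffic
]
```

With `[ALLOW, BLOCK]` only the first probe flow crosses between VLANs; with `[BLOCK, ALLOW]` the allow rule is never reached and `never_first_match` reports it.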

  4. #4
    Newbie
    Join Date
    Apr 2020
    Posts
    2

    So.....

    1. Disable NAT on all non-wan connections.

    2. Create a rule in 'filter rules' to block all traffic 'any non-wan' interface to 'any non-wan' interface.

    3. Then create further rules in 'filter rules' above the block one for any traffic I want to allow through?

  5. #5
    Untangler
    Join Date
    Mar 2020
    Posts
    38

    Silly question; I was thinking about blocking any non-wan to any other non-wan, but was nervous about blocking myself out of my Untangle. Is this an unfounded fear?

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,691

    Each interface has access to the Untangle GUI at the IP of the interface so you are fairly safe.

  7. #7
    Master Untangler
    Join Date
    Nov 2018
    Posts
    119

    Quote: Originally Posted by sky-knight
    I prefer any non-wan to any non-wan as a block.

    Then I make other rules above it selecting specific interface sets you want to allow traffic to flow on.

    Finally, I use the firewall module to select which traffic I want to flow.

    Three rules, in two different tools.
    (End of quote)

    Thanks @sky-knight, helpful as always. Silly me, I created block rules for each network (10 of them) to any Non-WAN instead of creating one rule as per your suggestion.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,163

    Filter rules control traffic passing through Untangle.

    Access rules control traffic terminating on Untangle.

    The latter is in the advanced section for a reason, that's the feature that can lock you out of your Untangle!

    So feel free to experiment with filter rules to your heart's content, you'll be able to break things certainly but you won't lose access to Untangle.

  9. #9
    Newbie
    Join Date
    Jan 2019
    Posts
    1

    Sky-Knight, would it be possible for you to provide screenshots on how you've implemented those three rules within the two different tools? I am trying to get my vLAN isolation configured correctly without locking myself out of my UT.

    Thanks in advance.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,163

    That would be problematic, blindly copying someone else's settings removes the understanding required to service them going forward.

    And, as I said before there is no risk of locking yourself out of Untangle unless you mess around in the advanced tab's input rules. Stay out of the advanced tab, and you'll never lock yourself out.
