Page 1 of 2, results 1 to 10 of 20
#1 Untanglit (Join Date: May 2021; Location: Nova Scotia, CA; Posts: 20)

VLAN Isolation - Duplicated Rules?

    Hello,

Still fairly new to Untangle (but with good network and firewall experience), I have been testing it for a few days now before committing and purchasing my license (coming from Check Point and pfSense). I did some research regarding the config, and here's what I found and did to resolve my issue:

    I have 1 LAN, 4 VLANs, 1 WAN

Wanting to completely isolate all VLANs and the LAN, I used the filter rules and created a block rule for non-WAN to non-WAN.

Above this rule I created other rules to let some devices access other devices, either from a VLAN to another VLAN or to the LAN. Am I correct in saying that I also need to create a Firewall Rule which mirrors the Filter rule? Because if I don't, the traffic does not flow.

I tried creating only the filter rule, and only the firewall rule, but the traffic did not flow unless both rules were created and enabled.

    Am I doing anything wrong? Is it the right way to do things?

    Thanks in advance.

#2 Master Untangler (Join Date: Nov 2018; Posts: 117)

I'm not sure if you need to create extra firewall rules, but I'm no expert. For me, to allow traffic across different interfaces in the LAN (physical or virtual), it's enough to create filter rules. If I want to allow traffic to/from one interface or IP to another on a specific port only, I create this kind of rule (example: Source Interface: TV >> Destination Address: IP or interface in the LAN >> Destination Port: 8096). This allows users or devices in the Source Interface (in my case my TVs) to connect to the Emby server (Destination Address) and play some movies or TV shows through port 8096. And yes, my final rule (at the bottom) is the same as yours, blocking Any Non-WAN (Source Interface) to Any Non-WAN (Destination Address). All other (Allow) rules are above that rule. And it all works just fine without additional Firewall Rules. Maybe someone could provide more knowledge on why Firewall Rules would or should be applied in this case.
Can you provide some sample cases of what you are trying to do, and we can go from there and try different options which might work.
    Last edited by soldier; 05-31-2021 at 12:28 PM.

#3 Untangle Ninja sky-knight (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,038)

    Untangle has a critical concept that you must understand.

All apps run inside the UVM (Untangle Virtual Machine); the UVM only processes TCP and UDP. Ergo, the Firewall App will ONLY see TCP and UDP.

Apps have superior visibility. The platform rules (filter rules) are performed in the Linux kernel and, while not as visible, provide superior performance. The kernel is very efficient.

    So, if you want to isolate VLANs from each other, you can do so with a filter rule, and that's all you need to do. BUT, doing so means NO LOGS. If that's OK with you, then it's over. Creating Firewall rules to catch traffic the filter rules are already dealing with is redundant. They'll never catch anything, because the filter caught it first!

That being said, I prefer to isolate my VLANs with filter rules that select all protocols EXCEPT TCP and UDP, then back those up with firewall app rules that block TCP and UDP. Then I get my full isolation AND logs. Pass rules are then firewall app rules, that is, unless I need to pass a protocol that isn't TCP or UDP.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 Untanglit (Join Date: May 2021; Location: Nova Scotia, CA; Posts: 20)

Thanks for the reply @soldier and @sky-knight.

So I understand properly that Filter Rules are at the kernel level and the Firewall app is handled after. I did try again tonight to disable my firewall rule, and the traffic stopped flowing. This is the rule I have (allowing my LAN to access my NVR on the Surveillance VLAN):

    Filter Rules:
    Source Interface -> LAN / Destination Address -> NVR IP Address / Protocol -> TCP / Destination Port -> 8080

I have the exact same rule on the Firewall side, and if I disable this rule my LAN can't access the NVR! This is strange, as I believed that Filter Rules would supersede the Firewall app (and I am correct in thinking that, as per sky-knight's reply).

And I agree with the No Logs statement; this is really hard to troubleshoot without logs, and yes, I do prefer to have the opportunity to log traffic.

Untangle is very different from any other product I have worked with before...

#5 Untangler jcoffin (Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 9,628)

It doesn't supersede. Filter rules are layer 3 and the Firewall app is layer 7. They are separate areas, either of which can block or pass. We need to see all the rules and their actions, since the first rule to match exits the rest of the rules.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#6 Untanglit (Join Date: May 2021; Location: Nova Scotia, CA; Posts: 20)

    So the behaviour I am seeing (having to create a Filter Rule and a Firewall Rule) is normal? I am just looking to see if I misconfigured something...

#7 Untangle Ninja sky-knight (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,038)

    It's an onion...

    The kernel is an outer shell, the UVM is the inner.

    All non-bypassed traffic is subject to BOTH. By default, nothing is blocked anywhere. So if you need both rules, it's because you configured a block in the firewall app that is requiring the 2nd pass rule.

Incidentally, that's what bypass rules are... they "bypass" the UVM, marking the traffic as subject only to the kernel.

#8 Untanglit (Join Date: May 2021; Location: Nova Scotia, CA; Posts: 20)

OK, I understand the principle of the "onion" ;) which makes sense... I do have that Filter Rule to Block Any Non-WAN to Any Non-WAN last, and then in the Firewall App my last rule is "Block anything else", where I put a block rule with no conditions.

I have not touched the Bypass Rules, where the VOIP ones are set by default. I played with the Filter Rules just so we are not mixing both. So I guess it's normal then that I need both rules in place to allow my traffic to flow (Filter and Firewall)....

#9 Untangle Ninja sky-knight (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,038)

Based on what you just described, yes, it sounds like it's doing exactly what it should... that is what you told it to do.

#10 Master Untangler (Join Date: Nov 2018; Posts: 117)

Quote, originally posted by idscomm:
    So I guess it's normal then that I need both rules in place to allow my traffic to flow (Filter and Firewall)....

No, it's not normal. You don't need both rules to allow traffic to flow. The Firewall rule is an additional layer of security, and if something is passed you can monitor that in reports and improve your rule.
Like @jcoffin says: "We need to see all the rules and their action since first rule to match exits the rest of the rules."
If you want to experiment further, try this Filter Rule (without a Firewall Rule) as per your example:
Filter Rules:
Source Interface -> LAN / Destination Address -> NVR IP Address / Destination Port -> 8080 / Action -> Pass (no protocol). Put this rule in first place and see what happens. I'm curious whether this would work. I presume the computer or device from which you would like to access your NVR is part of the interface called LAN?
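Added example (not from any poster in this thread and not Untangle's own code): a small Python model of the two-layer evaluation described in posts #3 and #7, kernel filter rules first, then the firewall app for non-bypassed TCP/UDP only, run against the three rule layouts discussed above: the original poster's (pass rules in both layers, block-all at the bottom of each), the "all protocols except TCP/UDP" layout from post #3, and the filter-only pass rule proposed in post #10. The interface names, the NVR address 192.0.2.10, the rule names and the flows are constructed assumptions, and the model reproduces the thread's explanation rather than Untangle's real rule engine.

```python
"""Toy model of the two rule layers described in this thread (added for this
page; not Untangle's code and not a claim about its implementation). It encodes
the thread's explanation: kernel filter rules run first (first match wins,
default pass, nothing logged); non-bypassed TCP/UDP then reaches the firewall
app (first match wins, default pass, decisions reportable). Interface names,
the NVR address and the rule sets below are constructed examples."""
from dataclasses import dataclass
from typing import Optional

NON_WAN = {"LAN", "Surveillance", "IoT", "Guest"}  # assumed interface names
NVR = "192.0.2.10"                                  # constructed NVR address

@dataclass(frozen=True)
class Flow:
    src_if: str
    dst_if: str
    dst_ip: str
    proto: str                      # "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    name: str = ""
    src_if: Optional[set] = None    # None means "any" for every condition
    dst_if: Optional[set] = None
    dst_ip: Optional[str] = None
    proto: Optional[set] = None
    invert_proto: bool = False      # True: match protocols NOT in `proto`
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and (f.proto in self.proto) == self.invert_proto:
            return False
        return ((self.src_if is None or f.src_if in self.src_if)
                and (self.dst_if is None or f.dst_if in self.dst_if)
                and (self.dst_ip is None or f.dst_ip == self.dst_ip)
                and (self.dst_port is None or f.dst_port == self.dst_port))

def first_match(rules, f):
    """First rule to match exits the rest of the rules."""
    return next((r for r in rules if r.matches(f)), None)

def evaluate(f, filter_rules, firewall_rules, bypass_rules=(), log=None):
    """Return "pass" or "block"; firewall-app decisions are appended to `log`."""
    log = [] if log is None else log
    r = first_match(filter_rules, f)              # outer layer: kernel filter rules
    if r is not None and r.action == "block":     # a kernel block is final and unlogged
        return "block"
    if first_match(bypass_rules, f) is not None:  # bypass: subject only to the kernel
        return "pass"
    if f.proto not in ("TCP", "UDP"):             # the UVM never sees other protocols
        return "pass"
    r = first_match(firewall_rules, f)            # inner layer: firewall app, default pass
    action = r.action if r is not None else "pass"
    log.append((action, r.name if r is not None else "default"))
    return action

NVR_WEB = Flow("LAN", "Surveillance", NVR, "TCP", 8080)        # constructed flows
NVR_PING = Flow("LAN", "Surveillance", NVR, "ICMP")
LAN_TO_GUEST = Flow("LAN", "Guest", "192.0.2.50", "TCP", 443)
ALLOW_NVR = dict(src_if={"LAN"}, dst_ip=NVR, proto={"TCP"}, dst_port=8080)
ISOLATE = dict(src_if=NON_WAN, dst_if=NON_WAN)

def original_poster_setup():
    """Posts #1/#4/#8: a pass rule in both layers, a block-all at the end of each."""
    filt = [Rule("pass", "filter: LAN->NVR 8080", **ALLOW_NVR),
            Rule("block", "filter: non-WAN->non-WAN", **ISOLATE)]
    fw = [Rule("pass", "fw: LAN->NVR 8080", **ALLOW_NVR),
          Rule("block", "fw: block anything else")]
    return filt, fw

def all_but_tcp_udp_setup():
    """Post #3: filter rules block only non-TCP/UDP; the app blocks TCP/UDP, logged."""
    filt = [Rule("block", "filter: non-WAN->non-WAN, not TCP/UDP",
                 proto={"TCP", "UDP"}, invert_proto=True, **ISOLATE)]
    fw = [Rule("pass", "fw: LAN->NVR 8080", **ALLOW_NVR),
          Rule("block", "fw: non-WAN->non-WAN TCP/UDP", proto={"TCP", "UDP"}, **ISOLATE)]
    return filt, fw

def filter_only_setup():
    """Post #10: one pass filter rule without a protocol condition, no app rules."""
    filt = [Rule("pass", "filter: LAN->NVR 8080 any proto",
                 src_if={"LAN"}, dst_ip=NVR, dst_port=8080),
            Rule("block", "filter: non-WAN->non-WAN", **ISOLATE)]
    return filt, []

def run(flow, setup, drop_filter_pass=False, drop_fw_pass=False):
    """Evaluate one flow against a setup, optionally disabling its pass rules."""
    filt, fw = setup()
    filt = [r for r in filt if not (drop_filter_pass and r.action == "pass")]
    fw = [r for r in fw if not (drop_fw_pass and r.action == "pass")]
    log = []
    return evaluate(flow, filt, fw, log=log), log

if __name__ == "__main__":
    for setup in (original_poster_setup, all_but_tcp_udp_setup, filter_only_setup):
        for flow in (NVR_WEB, NVR_PING, LAN_TO_GUEST):
            print(setup.__name__, flow.proto, flow.dst_ip, run(flow, setup))
    print("post #4 symptom:", run(NVR_WEB, original_poster_setup, drop_fw_pass=True))
```

Under this model the three layouts behave as the thread describes. In the original poster's layout the unconditional block at the bottom of the firewall app means a TCP flow needs a pass rule in both layers; disabling the app pass rule blocks it (the post #4 symptom), disabling the filter pass rule blocks it in the kernel with nothing reaching the app's log, and an ICMP ping to the NVR is decided by the filter rules alone. In the post #3 layout the ping is still blocked unlogged by the filter rule, while TCP between non-WAN interfaces is blocked in the app where the decision is reportable. In the post #10 layout, with no block rule in the app, the single filter pass rule is enough and the app passes by default.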
