VLANs Isolation - Duplicated Rules?

[idscomm]

Hello,

Still fairly new with Untangle (but good Network and Firewall Experience), I have been testing it for a few days now before committing and purchasing my license (coming from check point and pfsense). I did some research in regards to config and here's what I found and did to resolve my issue:

I have 1 LAN, 4 VLANs, 1 WAN

To want to completely isolate all VLANs and LAN, I used the filter rule and created a block rule for non-wan to non-wan.

Above this rule I created other rules to let some devices access other devices either from a VLAN to a VLAN or to the LAN. Am I correct to say that I need to also create a Firewall Rule which reflects the Filter rule? Because if I don't the traffic does not flow.

I tried to create only the filter rule and only the firewall rule but the traffic did not flow unless both rules were created and enabled.

Am I doing anything wrong? Is it the right way to do things?

Thanks in advance.

[soldier]

I'm not sure if you need to create extra firewall rules, but I'm no expert. For me, to allow traffic via different interfaces in LAN (phisical or virtual) it's enough to create filter rules. If I want to allow trafic to / from one interface or IP to another and specific port only, I create this kind of rule (example: Source interface-TV >> Destination Address-IP or interface in the LAN>>Destination port 8096). This allows users or devices in Source Interface (in my case my TV's to connect to Emby server (Destination Address) and can play some movies or TV shows through port 8096. And yes, my final rule (at the bottom) is same as yours, blocking Any Non-WAN (Source interface) to Any Non-WAN (Destination Address). All other (Allow) rules are above that rule. And it all works just fine without additional Firewall Rules. Maybe someone could provide more knowledge why would or should Firewall Rules be applied in this case.
Can you provide some sample cases what are you trying to do and we can go from there, to try different options which might work.

[sky-knight]

Untangle has a critical concept that you must understand.

All apps run inside the UVM (Untangle Virtual Machine), the UVM only processes TCP and UDP. Ergo, the Firewall App will ONLY see TCP and UDP.

Apps have superior visibility. The platform rules (filter rules), are performed in the Linux kernel and while not as visible, provide superior performance. The kernel is very efficient.

So, if you want to isolate VLANs from each other, you can do so with a filter rule, and that's all you need to do. BUT, doing so means NO LOGS. If that's OK with you, then it's over. Creating Firewall rules to catch traffic the filter rules are already dealing with is redundant. They'll never catch anything, because the filter caught it first!

That being said, I prefer to isolate my VLANs with filter rules that select all protocols EXCEPT TCP and UDP, then back those up with firewall app rules that block TCP and UDP. Then I get my full isolation AND logs. Pass rules are then firewall app rules, that is unless I need to pass a protocol that isn't TCP and UDP.

[idscomm]

Thanks for the reply @soldoer and @sky-knight.

So I understand properly that Filter Rules are at the Kernel level and Firewall app handled after. I did try again tonight to disable my firewall rule and the traffic stopped flowing. This is the rule I have (allowing my LAN to access my NVR on the Surveillance VLAN)

Filter Rules:
Source Interface -> LAN / Destination Address -> NVR IP Address / Protocol -> TCP / Destination Port -> 8080

I have the exact same rule on the Firewall Side and if I disable this rule my LAN can't access the NVR! This is strange as I did believe that Filter Rules would supersede the Firewall app (and I am correct thinking that as per Sky-Knight's reply)

And I agree with the No Logs statement, this is really hard to troubleshoot without logs and yes I do prefer have the opportunity to Log traffic.

Untangle is very different than any other Products I worked with before...

[jcoffin]

It is not supersede. Filter rules are layer 3 and Firewall app is layer 7. It's separate area which either one can block or pass. We need to see all the rules and their action since first rule to match exits the rest of the rules.

[idscomm]

So the behaviour I am seeing (having to create a Filter Rule and a Firewall Rule) is normal? I am just looking to see if I misconfigured something...

[sky-knight]

It's an onion...

The kernel is an outer shell, the UVM is the inner.

All non-bypassed traffic is subject to BOTH. By default, nothing is blocked anywhere. So if you need both rules, it's because you configured a block in the firewall app that is requiring the 2nd pass rule.

Incidentally that's what bypass rules are... they "bypass" the UVM, marking the traffic as subject only to the kernel.

[idscomm]

ok, I understand the principle of the "onion" ; ) which make sense... I do have that Filter Rule to Block Any Non Wan to Any Non Wan in last and then in the Firewall App, my last rule is Block anything else where I put a block rule with no conditions.

I have not touched the Bypass Rules where the VOIP are set by default. I played with the Filter Rules just so we are not mixing both. So I guess it's normal then that I need both rules in place to allow my traffic to flow (Filter and Firewall)....

[sky-knight]

Based on what you just described yes, it sounds like it's doing exactly what it should... that is what you told it to do.

[soldier]

So I guess it's normal then that I need both rules in place to allow my traffic to flow (Filter and Firewall)....

No it's not normal. You don't need both rules to allow traffic to flow. Firewall rule is additional layer of security and if something is passed you can monitor that in reports and improve your rule.
Like @jcoffin says "We need to see all the rules and their action since first rule to match exits the rest of the rules."
If you want to experiment further try this Filter Rule (without Firewall Rule) as per your example:
Filter Rules:
Source Interface -> LAN / Destination Address -> NVR IP Address / Destination Port -> 8080 / Action -> Pass (no protocol) and put this rule on first place and see what happens. I'm curious if this would work. I presume your computer or device from which you would like to access your NVR is part of the interface called LAN?