  1. #1
    Untangler
    Join Date
    Nov 2018
    Posts
    42

    Default Allow traffic initiated by trusted LAN to untrusted VLAN, but not the reverse

    Hello,
    I'd like to set up separate VLANs for Kids, Guests, and IoT devices and would consider their devices as untrusted (all three are malware magnets).
    How do I set up rules to 1) allow traffic initiated by the trusted LAN to those untrusted VLANs, but still 2) deny traffic initiated by the untrusted VLANs to the trusted LAN?
    I ask because there will be cases where one of my trusted devices needs to initiate communication with an IoT device (like setting up a smart thermostat or a Chromecast), but I don't want the IoT devices to be able to reach out to my trusted devices.

    Thank you for any assistance,
    Ari

    Info in case needed:
    I have Untangle Home Pro 16.3.2 on a home-made server with 2 NICs, one is external WAN and one is internal LAN. This is connected to Netgear Plus switches and then to two Unifi wireless APs. I'd initially like to just set the VLANs up on the wifi APs. (I may do wired devices later.)

    I have the following VLANs set up:
    2021-10-16_10-32-09.png

    Here is my current network map:
    network diagram4.png

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,743

    Default

    It's easy to do in Config -> Network -> Filter Rules.

    Code:
    Conditions:
          Source Interface = <untrusted network>
    Action : Block.
    This will still allow traffic from the trusted network since traffic is initialized from the trusted network.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241

    Default

    Note the above rule will also halt Internet access for the untrusted network.
    You should add another condition, destination interface = any non-wan to prevent this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Nov 2018
    Posts
    42

    Default

    I have set up the VLANs but am still trying to figure out the filter rules.
    For a test I tried to let the VLAN clients have access to the printer on the internal network and so have made the below rules. I can't ping the printer from the VLANs.
    2021-10-16_16-15-12.png

  5. #5
    Untangler
    Join Date
    Nov 2018
    Posts
    42

    Default

    Ah, while PING was blocked between VLANs, I can still do http traffic. Interesting.
    So with the rules above I can now 1) allow access from trusted network to VLANs, 2) block access from VLANs to trusted network, and 3) allow clients on VLANs to access specified addresses on the trusted network (such as the network-attached printer). So far so good.

    The next thing to do was to block clients on the VLAN from accessing the Untangle administration page.
    I see this thread, so went to Untangle Config --> Administration --> Admin, and then added the internal subnet and the OpenVPN subnet to the "Restrict Administration Subnet(s)". Now the clients on the untrusted VLANs can access the Untangle admin login (confusing at first) but, if successfully logged in, it says that administration is restricted. Nice.

    Thanks for the assistance all.
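The rule logic from posts #2, #3 and #5, modelled in Python as an added example (not Untangle's code and not part of this thread): filter rules are matched first-match-wins against the first packet of a new session, and a connection table passes replies of sessions that were allowed, which is why blocking on source interface alone still lets the trusted LAN initiate to the VLAN. Interface names, client addresses and the printer address are constructed placeholders.

```python
# Added example (not Untangle's code): a model of the stateful filter-rule
# logic discussed in posts #2, #3 and #5. Interface names, subnets and the
# printer address are constructed placeholders.
WAN, LAN, IOT = "External", "Internal", "IoT"      # constructed interfaces
NON_WAN = {LAN, IOT}                               # "any non-WAN" (post #3)
PRINTER = "192.168.1.50"                           # constructed printer IP

class Rule:
    """One filter rule: every non-None condition must match; first match wins."""
    def __init__(self, action, src_if=None, dst_if=None, dst_addr=None):
        self.action, self.src_if, self.dst_if, self.dst_addr = action, src_if, dst_if, dst_addr

    def matches(self, src_if, dst_if, dst_addr):
        return ((self.src_if is None or src_if in self.src_if)
                and (self.dst_if is None or dst_if in self.dst_if)
                and (self.dst_addr is None or dst_addr in self.dst_addr))

class FilterEngine:
    """Rules are evaluated only for the first packet of a new session; a connection
    table lets replies of an allowed session through without re-evaluating rules."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (src_if, src_addr, dst_if, dst_addr) of allowed sessions

    def packet(self, src_if, src_addr, dst_if, dst_addr):
        if (dst_if, dst_addr, src_if, src_addr) in self.sessions:
            return "Pass"                       # reply to an established session
        for rule in self.rules:
            if rule.matches(src_if, dst_if, dst_addr):
                if rule.action == "Pass":
                    self.sessions.add((src_if, src_addr, dst_if, dst_addr))
                return rule.action
        self.sessions.add((src_if, src_addr, dst_if, dst_addr))
        return "Pass"                           # no rule matched: default pass

def thread_rules(limit_to_non_wan):
    """Post #5's printer exception, then post #2's block rule, optionally narrowed per post #3."""
    block = Rule("Block", src_if={IOT}, dst_if=NON_WAN if limit_to_non_wan else None)
    return [Rule("Pass", src_if={IOT}, dst_addr={PRINTER}), block]

def simulate(limit_to_non_wan):
    fw = FilterEngine(thread_rules(limit_to_non_wan))
    return {
        "trusted_to_iot":  fw.packet(LAN, "192.168.1.10", IOT, "192.168.20.5"),
        "iot_reply":       fw.packet(IOT, "192.168.20.5", LAN, "192.168.1.10"),
        "iot_to_trusted":  fw.packet(IOT, "192.168.20.5", LAN, "192.168.1.11"),
        "iot_to_printer":  fw.packet(IOT, "192.168.20.5", LAN, PRINTER),
        "iot_to_internet": fw.packet(IOT, "192.168.20.5", WAN, "203.0.113.10"),
    }
```

Running `simulate(False)` shows post #3's point: without the destination-interface condition the IoT VLAN also loses Internet access, while `simulate(True)` passes Internet traffic and still blocks new IoT-initiated sessions to the trusted LAN except to the printer.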

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241

    Default

    All of the above means you configured FIREWALL RULES instead of FILTER RULES.

    They aren't the same thing.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangler
    Join Date
    Nov 2018
    Posts
    42

    Default

    I agree that's what it sounds like, and good pick up, because the firewall blocks TCP/UDP while the filter rules can block essentially everything.
    But no firewall rules have been configured.
