General question about routing between VLANs
Hello!
We are running a T40 as a firewall between internal (trusted) network and the internet.
So far we had a single VLAN 10 configured which was output to interface #1 untagged. It's in zone "Trusted".
Now I added a second VLAN 40, which uses a different IP range and is also in the "Trusted" zone. It's output on interface #3.
To my surprise, pinging a device in VLAN 10 from VLAN 40 is possible. I suspect the firewall rules allow that, because the rule "ping" is allowing traffic from "Any-Trusted" and "Any-Optional" to "Any".
What's the basic approach when configuring the rules for new VLANs so that those VLANs can't see each other?
Best regards,
Hamph
Comments
If you change the ping rule from
FROM ANY TRUSTED, ANY OPTIONAL
TO ANY
to
FROM ANY TRUSTED, ANY OPTIONAL
TO Any External
The pings will not be able to traverse to other trusted networks.
As Bruce mentioned, you can also use the custom interface type, but you will need to ensure those interfaces have rules that mention that interface by name, as the normal any-trusted rules will not handle traffic for that type of interface.
-James Carson
WatchGuard Customer Support
James, Bruce,
thank you for the helping hand!
I understand that using "ANY EXTERNAL" in the ping rule still allows pinging between devices belonging to the same VLAN and subnet, because they don't get routed through the T40. Is that correct?
The only other rule which allows traffic to "Any" is our SSL VPN rule (last in list):
It allows any VPN user to route traffic into any network. It means that VPN traffic can be routed into any VLAN? I'd like to prevent that, because VPN users should only get into the default (production) VLAN. But if I change the "To" clause to something different, is outgoing traffic (from our network to the VPN user) still routed?
Best regards,
Hamph
Packets on the same subnet do not go to the firewall - they get transmitted directly via Ethernet.
The From: and To: fields on a policy identify what source is allowed to go to what destination.
To : Any means all interfaces etc. unless it is a Custom type.
One would need a policy for each direction.
Note that reply packets are allowed by default.
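The policy behaviour described in James's and Bruce's replies (Any-Trusted and Any-Optional aliases, "To: Any" versus "To: Any-External", custom interfaces that must be named explicitly, same-subnet traffic never reaching the firewall, and reply packets passing without a policy of their own), as an added Python model. This is example code written for this page, not Fireware's own policy engine; the interface names, the IP ranges and the custom interface on eth5 are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    itype: str    # "trusted", "optional", "external" or "custom"
    subnet: str   # network attached to the interface (assumed addressing)


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple[str, ...]   # From: aliases or interface names
    dst: tuple[str, ...]   # To: aliases or interface names


# Constructed topology modelled on the thread: two trusted VLANs on separate
# interfaces, one external interface, one custom interface. All addresses
# and the eth5 custom interface are assumptions for this example.
INTERFACES = (
    Interface("eth1", "trusted", "10.10.0.0/24"),     # VLAN 10
    Interface("eth3", "trusted", "10.40.0.0/24"),     # VLAN 40
    Interface("eth0", "external", "203.0.113.0/24"),  # internet side
    Interface("eth5", "custom", "10.50.0.0/24"),      # custom interface type
)


class Firewall:
    def __init__(self, interfaces, policies):
        self.ifaces = {i.name: i for i in interfaces}
        self.policies = list(policies)
        self.sessions = set()   # (src_ip, dst_ip) of flows a policy has allowed

    def expand(self, aliases):
        """Resolve From/To entries to interface names. "Any" covers every
        interface except custom ones, "Any-<Type>" covers the interfaces of
        that type, anything else is taken as an explicit interface name."""
        names = set()
        for a in aliases:
            if a == "Any":
                names |= {n for n, i in self.ifaces.items() if i.itype != "custom"}
            elif a.startswith("Any-"):
                names |= {n for n, i in self.ifaces.items() if i.itype == a[4:].lower()}
            elif a in self.ifaces:
                names.add(a)
        return names

    def interface_for(self, ip):
        for i in self.ifaces.values():
            if ip_address(ip) in ip_network(i.subnet):
                return i
        return None

    def check(self, src_ip, dst_ip):
        """Return ("local" | "allow" | "deny", policy name or None)."""
        src_if, dst_if = self.interface_for(src_ip), self.interface_for(dst_ip)
        if src_if is None or dst_if is None:
            return ("deny", None)
        if src_if is dst_if:
            # Same subnet: delivered directly over Ethernet, the firewall never sees it.
            return ("local", None)
        if (dst_ip, src_ip) in self.sessions:
            # Reply traffic for an already allowed flow passes without its own policy.
            return ("allow", "reply")
        for p in self.policies:   # first matching policy wins
            if src_if.name in self.expand(p.src) and dst_if.name in self.expand(p.dst):
                self.sessions.add((src_ip, dst_ip))
                return ("allow", p.name)
        return ("deny", None)     # no matching policy: default deny


def build_firewall(ping_to, extra=()):
    """Firewall carrying the thread's Ping policy, parameterised on its To: field."""
    ping = Policy("Ping", ("Any-Trusted", "Any-Optional"), tuple(ping_to))
    return Firewall(INTERFACES, (ping, *extra))


if __name__ == "__main__":
    for to in (("Any",), ("Any-External",)):
        fw = build_firewall(to)
        print(f"Ping policy To: {to}")
        print("  VLAN40 -> VLAN10   :", fw.check("10.40.0.5", "10.10.0.5"))
        print("  VLAN40 -> internet :", fw.check("10.40.0.5", "203.0.113.9"))
        print("  internet -> VLAN40 :", fw.check("203.0.113.9", "10.40.0.5"))
        print("  VLAN10 -> VLAN10   :", fw.check("10.10.0.5", "10.10.0.9"))
        print("  VLAN40 -> custom   :", fw.check("10.40.0.5", "10.50.0.5"))
    named = build_firewall(("Any-External",), (Policy("Ping-custom", ("eth5",), ("eth1",)),))
    print("custom -> VLAN10 with a policy naming eth5:", named.check("10.50.0.5", "10.10.0.5"))
```

Running it shows the two situations from the thread side by side: with "To: Any" the VLAN 40 host reaches VLAN 10, with "To: Any-External" it is denied while its ping to the internet is still allowed and the reply comes back without a second policy; traffic between two hosts on VLAN 10 is reported as local because it never crosses the firewall, and the custom interface is only reachable once a policy names it.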
Sorry for reviving this thread, but I'm still not sure how to understand the VPN rule:
The rule "Allow SSLVPN-Users" only applies to content for users which have authenticated successfully by VPN, right? So it does not affect the authentication / log-in process because this is covered by rule "WatchGuard SSLVPN", according to this article:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_policies.html
@Bruce_Briggs:
"One would need a policy for each direction."
This refers to the fact that one policy is required for packets outgoing to "Any-External", another policy is required for internal traffic (e.g. "Any-Trusted"), did I understand correctly?
If I want to name specific VLANs to which the traffic gets routed inbound (instead of "Any-Trusted"), is there a way to specify that?
Best regards,
Hamph
My answer is in response to this, from you:
"But if i change the "To" clause to something different, is outgoing traffic (from our network to the VPN user) still routed?"
One needs an outgoing policy for SSLVPN-Users to allow "outgoing traffic (from our network to the VPN user)"