EFW Support

Support => General Support => Topic started by: jmz on Monday 26 November 2012, 03:42:05 am



Title: Traffic LAN is not being firewalled
Post by: jmz on Monday 26 November 2012, 03:42:05 am
Hello,

I have installed Endian as a virtual machine under Proxmox. The idea is that Endian controls the traffic of all virtual machines.

It is a simple setup:
Internet-> Endian (Virtual Machine)->LAN (virtual machines)

Everything seems to work perfectly but one strange thing:
Endian is not controlling the traffic between virtual machines. I mean, if traffic leaves VM 192.168.0.16 with destination VM 192.168.0.17, Endian doesn't see that traffic, as packets go directly from 192.168.0.16 to 192.168.0.17 without passing through the gateway. So it is impossible to firewall the traffic INSIDE the LAN (Green zone). Any rule will be ignored, as traffic doesn't travel through the firewall.

What I want is that all traffic within the green zone must go through the Endian gateway (192.168.0.15) before it arrives at its destination. In the example above that would be:
192.168.0.16 -> 192.168.0.1 -> 192.168.0.17

I don't know if this is the normal setup or I have something misconfigured. But again, the rest of things are working perfectly.

How can I achieve what I am looking for?

Thanks.


Title: Re: Traffic LAN is not being firewalled
Post by: vazromju on Thursday 29 November 2012, 09:36:24 am
Hi.
Let's see if I can help you.

Before doing layer 3 (IP addressing) the computers use layer 2,
so when a machine wants to go from 192.168.0.17 to 192.168.0.16 it uses layer 2 first and says something like
"who has 192.168.0.16?", broadcasting on the network at layer 2.
This machine .16 answers with its own MAC address "aa:bb:cc:00:11:22", directly reachable without crossing the firewall because it is in the same broadcast domain, and the layer 3 packet is delivered directly to this address.

I don't know Proxmox, but the only solution is creating a third network (orange or blue), adding the virtual machines to this network (.16) and a second network card to the EFW, connected to the orange or blue, and activating the inter-zone firewall.

As I have written before, I don't know Proxmox functionality; in fact it is the first time I have heard about it, but with VMware ESXi it is possible to do the second option I have explained to you, it works, and the ESXi hypervisor is free.
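To make the layer-2 point above concrete, here is an added Python model of the next-hop decision each VM makes (written for this thread, not code from Endian or Proxmox): a destination inside the sender's own subnet is ARPed for directly and never reaches the firewall, while moving a VM into a second zone forces the first hop onto an Endian interface. The ORANGE addresses 192.168.1.0/24 and 192.168.1.1 are assumed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefixlen: int
    gateway: str  # default gateway: the Endian interface address in this host's zone

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network


def arp_target(src: Host, dst_ip: str) -> str:
    """Address the sender resolves with ARP ("who has ...?") before transmitting.

    An on-link destination is resolved directly, so the frame goes host-to-host.
    Anything off-link is handed to the default gateway's MAC instead.
    """
    if ipaddress.ip_address(dst_ip) in src.network:
        return dst_ip
    return src.gateway


def firewall_sees_flow(src: Host, dst: Host, firewall_ips: frozenset) -> bool:
    """The firewall can only filter a flow whose first hop is one of its own interfaces."""
    return arp_target(src, dst.ip) in firewall_ips


# Topology from the thread: flat GREEN zone 192.168.0.0/24 with Endian at .15
FIREWALL_IPS = frozenset({"192.168.0.15", "192.168.1.1"})  # 192.168.1.1 is an assumed ORANGE address
GREEN_16 = Host("vm16", "192.168.0.16", 24, "192.168.0.15")
GREEN_17 = Host("vm17", "192.168.0.17", 24, "192.168.0.15")
# Proposed fix: vm16 moved behind a second Endian NIC in an assumed ORANGE zone 192.168.1.0/24
ORANGE_16 = Host("vm16", "192.168.1.16", 24, "192.168.1.1")


def report(pairs) -> dict:
    """Map each (src name, dst name, src ip) to whether Endian is on the path."""
    return {(s.name, d.name, s.ip): firewall_sees_flow(s, d, FIREWALL_IPS) for s, d in pairs}


if __name__ == "__main__":
    for (s, d, ip), seen in report([(GREEN_16, GREEN_17), (ORANGE_16, GREEN_17)]).items():
        print(f"{s} ({ip}) -> {d}: firewall {'sees' if seen else 'bypassed'}")
```

Adding a rule in the flat topology changes nothing because the packet never crosses an Endian interface; only the segmented topology gives the inter-zone firewall a chance to enforce it.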