Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 29 December 2024, 10:08:13 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14262 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  restrict access between hierarchical networks
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: restrict access between hierarchical networks  (Read 13810 times)
dimicool
Jr. Member
*
Offline Offline

Posts: 6


« on: Friday 18 November 2011, 02:14:29 am »

I'm trying (but failing) to set up following architecture:
I'll leave out the unimportant details,

I have a router A that 's connected to the cable modem, (192.168.1.1), this one feeds network A with IPs.
One of the PCs in that network (192.168.1.111 - with 2 NICs) has  a Virtual Machine (this makes the whole thing tricky) running with Endian.
This Endian (router B) (10.1.1.1 on GREEN and 192.168.200 on RED) feeds a subsidiary network.

Now, by default ,pc 's like 192.168.1.200 can access pc's like 10.1.1.200 and vice versa.
This is what I want to change. Ideally, I would like 10.1.1.200 to connect/see/browse 192.168.1.200 but NOT the other way around.
Is this possible ?
If not, how can I (simply) block both ways ?

Thanks to the network gurus for any advice !!

grtz,
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Friday 18 November 2011, 02:55:13 am »

By creating rules on outgoing firewall you can allow one-way traffic from GREEN to RED. It's more difficult creating rules from RED to GREEN, and I don't recommend them for that setup.

Endian rules are one way rules. This means you can allow some traffic to one direction, but not the opposite.
I.e. You have a web server (TCP port 80) on ORANGE zoe, and you want that your ppl at GREEN zone can use it.
Simply create a rule with source GREEN, dest ORANGE and allowing the TCP Port 80.
The web server can't reach clients (as it's on ORANGE zone), but clients can use the webserver.

Just search for the ports you need to use, and create the correct rules.
Logged
dimicool
Jr. Member
*
Offline Offline

Posts: 6


« Reply #2 on: Friday 18 November 2011, 03:02:54 am »

Thanks for your reply, I 'm trying to take in your suggestions ..

However,
- I don't have ORANGE (can't choose it)
- am not talking about http on 80 but real file/network access.

Really could use some guidance, it has been a long time, and I 'm honestly a bit confused with the fact that the endian isn't real machine...
The Windows box (host of Endian VM) has the 2 NICs, each of them has an IP.
What I 'm confused about is also that from the 192.168.1.1 point of view the Win BOX has IP 192.168.1.111, but the RED on ENDIAN has 192.168.1.200

Logged
dimicool
Jr. Member
*
Offline Offline

Posts: 6


« Reply #3 on: Saturday 19 November 2011, 12:12:49 am »

I'm still struggling with this ..
I made a simple draft on how the setup looks like ..

I made it difficult by putting the Endian in a VM inside a server with 2 NICs (but that's only way )
So my surprise, the host (Windows) also can use the 10.1.1.1 IP, because of this it can access the PCs in group B.
The goal is to restrict access between network A and network B.

thanks for any tips !!!
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #4 on: Saturday 19 November 2011, 03:56:11 am »

Computers in group A can't access computers in group B, as they are on RED zone.
Depending on your rules, A can reach B.

If the host can access B, it's because you added it to B. It probably has some NIC with an IP of subnet B. Remember that VM hosts doesn't need to be on the same subnets that guest machines. You perfectly can remove the IP of B subnet on host, and your guest keep working.
Logged
dimicool
Jr. Member
*
Offline Offline

Posts: 6


« Reply #5 on: Monday 21 November 2011, 11:25:46 pm »

just an update in cause one would think that silence == solution.... I still didn't resolve this..
I can get my  around it and the more I fiddle the more I mess up .

btw, PC in group A DO CAN access group B  (to my surprise)

I"m sure it's a subnet config issue somewhere ..

Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com