EFW Support

Support => General Support => Topic started by: dimicool on Friday 18 November 2011, 02:14:29 am



Title: restrict access between hierarchical networks
Post by: dimicool on Friday 18 November 2011, 02:14:29 am
I'm trying (but failing) to set up the following architecture:
I'll leave out the unimportant details,

I have a router A that's connected to the cable modem (192.168.1.1); this one feeds network A with IPs.
One of the PCs in that network (192.168.1.111 - with 2 NICs) has a Virtual Machine (this makes the whole thing tricky) running with Endian.
This Endian (router B) (10.1.1.1 on GREEN and 192.168.200 on RED) feeds a subsidiary network.

Now, by default, PCs like 192.168.1.200 can access PCs like 10.1.1.200 and vice versa.
This is what I want to change. Ideally, I would like 10.1.1.200 to connect/see/browse 192.168.1.200 but NOT the other way around.
Is this possible?
If not, how can I (simply) block both ways?

Thanks to the network gurus for any advice!!

grtz,


Title: Re: restrict one-way access between networks
Post by: mrkroket on Friday 18 November 2011, 02:55:13 am
By creating rules on outgoing firewall you can allow one-way traffic from GREEN to RED. It's more difficult creating rules from RED to GREEN, and I don't recommend them for that setup.

Endian rules are one-way rules. This means you can allow some traffic in one direction, but not the opposite.
I.e. you have a web server (TCP port 80) in the ORANGE zone, and you want your people in the GREEN zone to be able to use it.
Simply create a rule with source GREEN, destination ORANGE, allowing TCP port 80.
The web server can't reach clients (as it's in the ORANGE zone), but clients can use the web server.

Just search for the ports you need to use, and create the correct rules.
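
The one-way behaviour described in this reply, as an added illustration (not Endian's own code or configuration): a small stateful zone filter in the style of the iptables/conntrack rules Endian generates. It assumes the thread's addressing, GREEN = 10.1.1.0/24 behind the Endian VM and RED = 192.168.1.0/24 on the upstream router side, and uses a constructed rule allowing GREEN to reach RED on TCP 445 (file sharing) to show that replies are accepted while RED cannot open anything towards GREEN. The `Rule`, `Packet` and `StatefulFirewall` names are assumptions of this example.

```python
"""Model of one-way (stateful) zone firewall rules.

Added illustration, not Endian's own code or configuration. GREEN/RED
prefixes are assumed from the thread; the SMB rule is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone definitions (assumed from the thread).
ZONES = {
    "GREEN": ip_network("10.1.1.0/24"),
    "RED": ip_network("192.168.1.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside known zones is UNKNOWN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Default-deny filter with a connection table, like iptables conntrack."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # 5-tuples of flows that were allowed to open

    def _matches_rule(self, pkt: Packet) -> bool:
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        return any(
            r.src_zone == sz and r.dst_zone == dz and r.proto == pkt.proto
            and (r.dport is None or r.dport == pkt.dport)
            for r in self.rules
        )

    def filter(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' and update the connection table."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belonging to an already accepted flow (either direction):
        # ESTABLISHED, so the reply from RED to GREEN is let through.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        # NEW flow: only an explicit zone-to-zone rule may open it.
        if self._matches_rule(pkt):
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"


def one_way_demo():
    """GREEN may open SMB (445) to RED; RED may not initiate towards GREEN."""
    fw = StatefulFirewall([Rule("GREEN", "RED", "tcp", 445)])
    outbound = fw.filter(Packet("10.1.1.200", 50000, "192.168.1.200", 445))
    reply = fw.filter(Packet("192.168.1.200", 445, "10.1.1.200", 50000))
    inbound = fw.filter(Packet("192.168.1.200", 50001, "10.1.1.200", 445))
    return outbound, reply, inbound  # ('ACCEPT', 'ACCEPT', 'DROP')


def block_both_ways_demo():
    """With no allow rule at all, neither side can open a connection."""
    fw = StatefulFirewall([])
    a = fw.filter(Packet("10.1.1.200", 50000, "192.168.1.200", 445))
    b = fw.filter(Packet("192.168.1.200", 50001, "10.1.1.200", 445))
    return a, b  # ('DROP', 'DROP')


if __name__ == "__main__":
    print("one-way rule:", one_way_demo())
    print("no rules at all:", block_both_ways_demo())
```

The point the model makes explicit is that "one-way" means one-way for connection *initiation*: the reply packet from 192.168.1.200 is accepted only because 10.1.1.200 opened the flow first, so the same rule set gives the asymmetry asked about in the opening post without any RED-to-GREEN rule.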


Title: Re: restrict one-way access between networks
Post by: dimicool on Friday 18 November 2011, 03:02:54 am
Thanks for your reply, I'm trying to take in your suggestions...

However,
- I don't have ORANGE (can't choose it)
- I'm not talking about HTTP on port 80 but real file/network access.

I could really use some guidance; it has been a long time, and I'm honestly a bit confused by the fact that the Endian isn't a real machine...
The Windows box (host of the Endian VM) has the 2 NICs, each of which has an IP.
What I'm also confused about is that from the 192.168.1.1 point of view the Win BOX has IP 192.168.1.111, but the RED on ENDIAN has 192.168.1.200.



Title: Re: restrict one-way access between networks
Post by: dimicool on Saturday 19 November 2011, 12:12:49 am
I'm still struggling with this...
I made a simple draft of how the setup looks...

I made it difficult by putting the Endian in a VM inside a server with 2 NICs (but that's the only way).
To my surprise, the host (Windows) can also use the 10.1.1.1 IP; because of this it can access the PCs in group B.
The goal is to restrict access between network A and network B.

Thanks for any tips!!!


Title: Re: restrict access between hierarchical networks
Post by: mrkroket on Saturday 19 November 2011, 03:56:11 am
Computers in group A can't access computers in group B, as they are in the RED zone.
Depending on your rules, A can reach B.

If the host can access B, it's because you added it to B. It probably has some NIC with an IP in subnet B. Remember that VM hosts don't need to be on the same subnets as guest machines. You can perfectly well remove the subnet B IP on the host, and your guest keeps working.
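
Why a host address in subnet B matters, as an added illustration (not Endian's or the poster's configuration): every IP stack picks the most specific matching route, so if the Windows host itself owns an address inside 10.1.1.0/24, packets to 10.1.1.200 go straight out of that NIC and never pass through the Endian VM's filter. With only the 192.168.1.111 address left, the same packets leave towards router A and can only reach subnet B through the Endian RED interface, where the zone rules apply. The interface names, the 10.1.1.50 host address and the function names are constructed for this example.

```python
"""Longest-prefix route selection on the VM host.

Added illustration, not Endian's or the poster's configuration. Addresses
are taken from the thread except 10.1.1.50, which is a constructed host
address inside subnet B.
"""
from ipaddress import ip_address, ip_interface, ip_network

UPSTREAM_GW = "192.168.1.1"  # router A, the host's default gateway


def routing_table(interfaces):
    """Build (prefix, next_hop, ifname) entries from the host's addresses.

    Each configured address yields a connected route (next_hop None), and a
    single default route points at router A.
    """
    routes = [(ip_interface(addr).network, None, ifname) for ifname, addr in interfaces]
    routes.append((ip_network("0.0.0.0/0"), UPSTREAM_GW, "default"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    ip = ip_address(dst)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def path_to_green_host(interfaces, dst="10.1.1.200"):
    """'direct' = delivered on the host's own link, bypassing the Endian VM;
    'via-gateway' = sent to router A, reachable only through Endian's RED side."""
    _net, next_hop, _ifname = lookup(routing_table(interfaces), dst)
    return "direct" if next_hop is None else "via-gateway"


def compare():
    # Host as the poster describes it: both NICs carry an address, one in subnet B.
    with_b = [("NIC1", "192.168.1.111/24"), ("NIC2", "10.1.1.50/24")]
    # Change suggested in the reply: the host drops its subnet-B address; NIC2
    # still bridges the VM's GREEN side but carries no host IP of its own.
    without_b = [("NIC1", "192.168.1.111/24")]
    return path_to_green_host(with_b), path_to_green_host(without_b)


if __name__ == "__main__":
    print("host with 10.1.1.x address, host without:", compare())
    # -> ('direct', 'via-gateway')
```

A quick check on the host itself is `route print` (Windows), which lists the same connected routes: a `10.1.1.0/24` entry with an on-link gateway is the sign that the host reaches group B without touching the firewall.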


Title: Re: restrict access between hierarchical networks
Post by: dimicool on Monday 21 November 2011, 11:25:46 pm
Just an update in case one would think that silence == solution... I still haven't resolved this.
I can't get my head around it, and the more I fiddle the more I mess up.

BTW, PCs in group A CAN access group B (to my surprise).

I'm sure it's a subnet config issue somewhere...