Wireless Access


Need help with a firewall rule to protect internal network on guest wlan

  • 1.  Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:06 AM

    Such a simple rule, or so I thought...

    I have a "route to ESI" redirect which pushes guest traffic towards a UTM in the DMZ.

    I'm trying to block access to all internal LANs, and the DMZ apart from the interface for the UTM. As the route to ESI rule has a destination of ANY, I can't quite figure out the rules I need before it which protect the internal LAN and allow everything else out.

    Unfortunately I can't do a "block network apart from one address", or even specify a range...

    I'm probably just thinking about it the wrong way, so would appreciate any help.



  • 2.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:17 AM

    Typical guest networks block access to all RFC1918 address space (assuming your internal network uses it); other networks can be added as well as needed. The easiest way to accomplish this is to set up a netdestination for all those ranges, then set a policy to deny access to them. For example:

    netdestination internal-networks
      network 10.0.0.0 255.0.0.0
      network 192.168.0.0 255.255.0.0
      network 172.16.0.0 255.240.0.0
      <Add any others you want>

    Then within the policy of your choice, above your ESI redirect rule, add the following:

    user alias internal-networks any deny

    You may have to add an entry for the UTM; if you do, then add the following ahead of the deny rule (depending on what you are redirecting):

    user host x.x.x.x svc-http permit
    user host x.x.x.x svc-https permit

    You can also use a similar netdestination option:

    netdestination utm-appliance
      host x.x.x.x

    user alias utm-appliance svc-http permit
    user alias utm-appliance svc-https permit



  • 3.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:33 AM

    Thanks for your comprehensive answer, but reading through your code, I believe I would still see the problem...

    user host 192.168.0.1 svc-http permit
    user host 192.168.0.1 svc-https permit
    user alias internal-networks any deny
    ESI rule

    The UTM address is 192.168.0.1, so I need to allow this single destination while blocking the rest of the subnet.



  • 4.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:37 AM
    Rules are read top-down; therefore, if someone was accessing the UTM, they would be allowed because it is before the deny rule. Any other IP outside of 192.168.0.1 would be denied.


  • 5.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:39 AM

    But the ESI rule is after the block rule, so as the host is within the network being blocked, it wouldn't work.

    If I put the ESI rule before the block, the block wouldn't do anything as the ESI is for any destination.



  • 6.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:46 AM

    Sorry, misread your post, just noticed the ESI rule.
    Can you post what your ESI rule looks like?

    user host 192.168.0.1 svc-http permit
    user host 192.168.0.1 svc-https permit

    ESI rule modified to contain an implicit deny to internal networks, then allow all?



  • 7.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 09:51 AM

    alias guest-network any any redirect esi-group "guest-group" direction forward

    The problem is the fact that I'm trying to block all other access to the subnet that the interface of the UTM is in.



  • 8.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 10:09 AM
    Reading your original post once more, why would you want to access the UTM interface from the guest network?



  • 9.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 10:12 AM

    The UTM is in our DMZ. The guest network is on an internal network, and we are using route to ESI to redirect traffic. We have 2 internet gateways; by default, all corp traffic routes to another UTM, so we needed a way to redirect guest traffic without the use of proxy servers...



  • 10.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 10:47 AM

    @$k3l3t0r wrote:

        Thanks for your comprehensive answer, but reading through your code, I believe I would still see the problem...

        user host 192.168.0.1 svc-http permit
        user host 192.168.0.1 svc-https permit
        user alias internal-networks any deny
        ESI rule

        The UTM address is 192.168.0.1, so I need to allow this single destination while blocking the rest of the subnet.

    Is the above not working? It is allowing http and https to 192.168.0.1 (your UTM). It then blocks all other internal networks. Followed by your ESI rule.

    You could also consider doing an "invert" on a netdestination, so it essentially excludes the entry. For example:

    netdestination "all-except-UTM"
      invert
      host 192.168.0.1

    Then use a rule like the following to redirect all traffic except to 192.168.0.1 to the esi-group you have defined:

    alias guest-network alias all-except-UTM any redirect esi-group "guest-group" direction forward
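The two points the thread turns on (first-match, top-down evaluation in post 4, and the inverted netdestination in the post above) can be checked offline with a small policy simulator. This is an added example and is not from the thread or from ArubaOS itself; it models only the parts of the policy language the posts use (host/network entries, an `invert` flag, `svc-http`/`svc-https`/`any`, and permit/deny/redirect actions). The guest source range 10.10.50.0/24, the external address 203.0.113.10 and the sample flows are constructed for the example; "user" as a source is treated as "the station's own address", so it always matches the source of a flow evaluated in that role.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Service names from the thread mapped to (protocol, port). "any" matches every flow.
# Constructed for this example; real ArubaOS service aliases carry more detail.
SERVICES = {
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
    "any": (None, None),
}


@dataclass
class NetDestination:
    """A netdestination: host/network entries, optionally inverted (match everything NOT listed)."""
    name: str
    entries: list = field(default_factory=list)   # ip_network objects
    invert: bool = False

    def contains(self, addr: str) -> bool:
        hit = any(ip_address(addr) in net for net in self.entries)
        return (not hit) if self.invert else hit


@dataclass
class Rule:
    src: str       # "user", "any", or a netdestination name
    dst: str       # "any" or a netdestination name
    service: str   # key of SERVICES
    action: str    # "permit", "deny", or "redirect esi-group <name>"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def alias_matches(aliases: dict, name: str, addr: str) -> bool:
    # "user" (the station itself) and "any" match unconditionally; otherwise consult the alias.
    if name in ("user", "any"):
        return True
    return aliases[name].contains(addr)


def service_matches(service: str, flow: Flow) -> bool:
    proto, port = SERVICES[service]
    return proto is None or (proto == flow.proto and port == flow.port)


def evaluate(aliases: dict, policy: list, flow: Flow) -> str:
    """First-match, top-down: the first rule whose src, dst and service all match decides.
    A flow that matches nothing falls through to the implicit deny at the end of the policy."""
    for rule in policy:
        if (alias_matches(aliases, rule.src, flow.src)
                and alias_matches(aliases, rule.dst, flow.dst)
                and service_matches(rule.service, flow)):
            return rule.action
    return "deny (implicit)"


# Netdestinations as posted in the thread, plus a constructed guest source range.
ALIASES = {
    "internal-networks": NetDestination("internal-networks", [
        ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"), ip_network("172.16.0.0/12")]),
    "utm-appliance": NetDestination("utm-appliance", [ip_network("192.168.0.1/32")]),
    "all-except-UTM": NetDestination("all-except-UTM", [ip_network("192.168.0.1/32")], invert=True),
    "guest-network": NetDestination("guest-network", [ip_network("10.10.50.0/24")]),  # constructed
}

REDIRECT = "redirect esi-group guest-group"

# Ordering from post 3 / post 10: permit the UTM, deny the rest of RFC1918, then redirect to ESI.
POLICY_ORDERED = [
    Rule("user", "utm-appliance", "svc-http", "permit"),
    Rule("user", "utm-appliance", "svc-https", "permit"),
    Rule("user", "internal-networks", "any", "deny"),
    Rule("guest-network", "any", "any", REDIRECT),
]

# The concern raised in post 5: redirect placed first, so the deny is shadowed.
POLICY_REDIRECT_FIRST = [POLICY_ORDERED[3]] + POLICY_ORDERED[:3]

# The alternative from post 10: a single redirect whose destination excludes the UTM via invert.
POLICY_INVERT = [
    Rule("user", "internal-networks", "any", "deny"),
    Rule("guest-network", "all-except-UTM", "any", REDIRECT),
]


def trace(policy: list, flows: list) -> list:
    """Return [(flow, action)] so each sample flow's outcome can be read side by side."""
    return [(f, evaluate(ALIASES, policy, f)) for f in flows]


if __name__ == "__main__":
    samples = [  # constructed guest flows
        Flow("10.10.50.20", "192.168.0.1", "tcp", 443),    # to the UTM interface
        Flow("10.10.50.20", "192.168.0.50", "tcp", 443),   # another host in the UTM's subnet
        Flow("10.10.50.20", "203.0.113.10", "tcp", 80),    # internet
    ]
    for label, pol in (("ordered", POLICY_ORDERED), ("redirect-first", POLICY_REDIRECT_FIRST),
                       ("invert", POLICY_INVERT)):
        for flow, action in trace(pol, samples):
            print(f"{label:15} {flow.src} -> {flow.dst}:{flow.port} => {action}")
```

Running the script shows that under `POLICY_ORDERED` only the UTM host is permitted, the rest of the subnet is denied and everything else is redirected, whereas under `POLICY_REDIRECT_FIRST` every flow (the internal ones included) hits the redirect because the any/any rule is matched before the deny is ever consulted. The `all-except-UTM` alias demonstrates the invert semantics: it matches 203.0.113.10 but not 192.168.0.1.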



  • 11.  RE: Need help with a firewall rule to protect internal network on guest wlan

    Posted Jan 21, 2014 04:03 PM

    I'll give it another go tomorrow, as this was the sort of thing I had tried.

    It is my understanding (perhaps incorrectly) that I am allowing traffic to the UTM before the rule that actually directs traffic to it, and in between I am saying block everything. So traffic is denied before it hits the route to ESI rule.

    I did see the invert option and wondered if I could use that somehow, so I'll have a go again...

    Cheers for the suggestions... I'll let you know how I get on!