Firewall Rule Bug
Something weird is happening and I am coming to the conclusion that this is a bug or a firewall rule update/reload issue. I came across this issue as I am testing access across multiple VLANs/segments/groups etc.
So, I have a group called "Guests". This has limited access and does not have access to the "Management VLAN".
As a test, I place a device in the Guest group and everything works as it should. Now when I move this same device back into an "Authorised" group that has access to the management VLAN, I rightly can access the management interfaces. So far all good.
Here comes the issue: when I move the device back to the Guest group, which has the relevant deny rules, these rules no longer take effect and I can still continue to gain access to the "management VLAN".
Same issue when allowing an IP on another segment and then denying access to that IP/segment.
The only way I can seem to fix it is by rebooting Firewalla, which I assume re-reads the firewall rules.
Is this a known issue?
Maybe there should be an option under the "Rules" button to reload firewall rules whi
-
"Group" is a virtual way to apply rules to a set of devices. Members can move around.
A VLAN, on the other hand, is a physical group that you can apply rules to. Members can not move around.
So in your case, guests can or can not access VLANs, depending on the network-layer rules that you place on them. For example,
VLAN1: d1,d2
VLAN2: c1, c4
Group1: c1,d2
When you apply rules to Group1, say can't access VLAN2, it will not work for c1, since c1 is in VLAN2 already.
-
Yes totally understand the group is a virtual way; maybe my explanation was incorrect.
Management VLAN is separate
Guest VLAN is separate
LAN VLAN is separate
Device c1 connects to Guest VLAN - no access to management vlan - Correct
Device c1 connects to Guest VLAN - moved to another group that has access to management VLAN via firewall rule - Works
Device c1 connects to Guest VLAN and moved back to its original group that has no access to management VLAN - access still works. I would have thought at this point it should stop access. Right?
-
I am defo not going mad, just replicated this with 2 separate VLANs + management VLAN
d1 connected to VLAN1 - before firewall rule can access management LAN
d1 connected to VLAN1 - applied firewall rule to block access to management LAN - Success, traffic dropped
d2 connected to VLAN1 - before firewall rule can access management LAN
d2 connected to VLAN2 - no rules, can access management LAN
d2 connected to VLAN2 - apply firewall rule to block access to management LAN - failure, still can access management LAN
Both VLANs now have the same rule to deny access; VLAN1 is working, blocking the traffic, yet VLAN2 with the same rule can still access the management LAN
I am not going bonkers here, this thing is driving me nuts