Block traffic between Speedfusion-tunnels

Hi!

I am using a setup with some branch-offices and a central hub.
The goal is:

  • Central-site can communicate with every peer
  • Every peer can communicate with the Central-site
  • branch-office CANNOT communicate with other branch-offices

I want to send all the traffic to the central-site, as there is a powerful NGFW.
→ Outgoing policy: 0.0.0.0/0 to VPN or “Send all traffic to VPN”

The function “PepVPN Route Isolation” does not help if there is a default route pointing through the VPN.

Using the firewall is possible, but hard to configure, as I would need a rule for every combination of source and destination networks of the peers.

Do you have any idea how to configure this, perhaps with InControl2?
I did not find a way to use interfaces in firewall rules…

Regards,
KPS

Hello,

Have you looked at the feature introduced in FW 7.0.1: “Added ability to select PepVPN sub-tunnels when defining outbound policy with Enforced or Priority algorithms.”

See Multi SF tunnel traffic routing

HCG

Hi!

Yes, I have tested that new feature, but it does not solve my problem. I need to block traffic between tunnels. I don't know how I could use sub-tunnels there.

How do you think this could be used?

Hi,
I think that can be done with internal (deny) network rules on your central hub.
If your remote sites are configured like

  • R1: 192.168.40.0/24
  • R2: 192.168.41.0/24
  • R3: 192.168.55.0/24
  • Central Site: 172.16.x.x/16

you can set up a rule that denies traffic from source 192.168.0.0/16 to 192.168.0.0/16. R1 to R3 are within this range, so communication should be blocked.

Hi!

Unfortunately, the peer networks are not in one CIDR range. So, I would have to create MANY rules.

It would be great to have a working “Deny traffic between peers” function that does not only hide the routes.

@KPS
Based on the requirements above, I don't think you are going to have very complex firewall rules. In general, you only need to define firewall rules on the Central device.

Internal Network Firewall Rules:

  • Allow ALL to HQ (HQ network IP Addresses)
  • Allow HQ (HQ Network IP Addresses) to ALL
  • Deny ALL to ALL

Do you have more info to share?

Hi!

@sitloongs
Yes, that was (mostly) the solution. I do also have traffic to the internet, but the working solution was:

  • Allow ALL to HQ (HQ network IP Addresses)
  • Allow HQ (HQ Network IP Addresses) to ALL
  • Deny ALL to RFC-private-networks
  • Allow ALL to ALL

But: that's not nice. A working solution for isolation would be fine.
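The rule set above is evaluated top-down, first match wins, so its order is what delivers the isolation. The following is an added example, not code from this thread or from Peplink: a small first-match evaluator over that rule set, with constructed branch subnets (not in one CIDR range), a constructed HQ range of 172.16.0.0/16 and a constructed internet address, to confirm that branch-to-branch flows are denied while hub and internet flows stay allowed before touching the hub's configuration.

```python
"""Added example (not from the thread or Peplink): first-match evaluation of the
hub's internal network firewall rules that KPS reported as working.
Assumptions: rules are evaluated top-down and the first match wins; all sample
addresses below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing; branch LANs deliberately span several ranges.
HQ_NETWORKS = [ip_network("172.16.0.0/16")]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

# Ordered rule set from the thread: (source networks, destination networks, action)
RULES = [
    (ANY, HQ_NETWORKS, "allow"),   # Allow ALL to HQ
    (HQ_NETWORKS, ANY, "allow"),   # Allow HQ to ALL
    (ANY, RFC1918, "deny"),        # Deny ALL to RFC-private-networks (branch<->branch)
    (ANY, ANY, "allow"),           # Allow ALL to ALL (internet via the hub's NGFW)
]


def _in(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def evaluate(src, dst, rules=RULES):
    """Return the action of the first rule matching src -> dst ('deny' if none)."""
    s, d = ip_address(src), ip_address(dst)
    for src_nets, dst_nets, action in rules:
        if _in(s, src_nets) and _in(d, dst_nets):
            return action
    return "deny"  # assumed implicit default when nothing matches


def check_isolation():
    """Verify the stated goal: hub<->branch allowed, branch<->branch blocked."""
    return {
        "branch_to_hq": evaluate("192.168.40.10", "172.16.1.5"),
        "hq_to_branch": evaluate("172.16.1.5", "192.168.55.20"),
        "branch_to_branch": evaluate("192.168.40.10", "10.20.0.7"),
        "branch_to_internet": evaluate("192.168.41.3", "203.0.113.9"),
    }


if __name__ == "__main__":
    for flow, action in check_isolation().items():
        print(f"{flow:20s} {action}")
```

Swapping the deny rule below the final allow would silently re-enable branch-to-branch traffic, which is the kind of ordering mistake this check is meant to catch.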

@KPS

For complex control rules, firewall rules will be the best option.