The one ACL for multiple HD4

Greetings!
First of all, the legend:
There is a Balance 2500 (7.0.1) and about 60 HD4s (6.3.2). There is a PepVPN with SpeedFusion from each HD4 to the Balance. The Balance is connected to the internet via a WAN port, and the same port is used for inbound PepVPN tunnels. Each HD4 has its own 2 VLANs with custom IP pools. Clients of the 1st VLAN should have full access to the internet and to certain hosts inside the corporate network only. There are no restrictions for clients of the 2nd VLAN.
I can create Access Rules on each HD4, but it’s really dumb work.
I see only two ways:

  1. Access Rules on the Balance, because it’s the concentrator of the tunnels. But this idea doesn’t work, because traffic doesn’t pass through it: it comes and goes from the same port (it looks like). I’ve already tried setting rules, with no result.
  2. An ACL sample that would be shared via IC2 or some other way. Is there any “other” way?

How can I isolate clients of the 1st VLAN from the bigger part of the corporate network, but let them connect to certain hosts inside it, without limitations on internet access and without creating rules on each HD4 manually?

Thank you for participating.
Elay.

@Elay, have you tried configuring Internal Firewall rules on the 2500? These are different from the regular Inbound/Outbound rules.

Yes, Tim. No result at all.

The B2500 Internal Network Firewall Rules should be able to control the access from remote HD4 devices to the B2500. Would you share your defined Internal Network Firewall Rules here for us to check further?

No problem.


10.130.248.0/21 - this is the IP pool of the test HD4. Further, it will be changed to 3 bigger pools.

May I know which of the defined Internal Network Firewall Rules are having the issue? And also, how did you perform the test?

All of the rules, I think. Because “allow” rules are OK by default. But any “deny” doesn’t work.
I connected directly to the HD4 (uplink via cellular), to the access port with the target VLAN. I got an IP address from 10.130.248.0/21 and tried to access any host from the 10.0.0.0/8 net - 10.1.1.233:8081 (for example) and others. Then I was connected to each host successfully.

hmmm :thinking:, the Internal Network Firewall Rules should be correctly defined.

Do you have NAT mode enabled for the PepVPN/SpeedFusion connection at the B2500? NAT mode will translate the source IP for the remote clients, and this will make the firewall rules work unexpectedly.

Would you please open a support case here for the support team to review the setup? We may need more info from your side in order to investigate the issue, and it may not be suitable to share the config publicly here.

No NAT, but IP forwarding.
Thank you, I’ll open case.