Question

I have two private subnets, each with a TRB140 gateway, they are connected together via the OpenVPN connection via the Germany OpenVPN server.

On one subnet is a PC running 2 Virtual Machines. One is a Win Server 2022 running a DNS server. The other VM is a CentOS 7 Linux running a web based management console.

The other subnet is a PC running software managed by the web based management console in the other subnet.

Both subnets still have internet access but I need to lock these subnets down so that they communicate with each other but no internet access at all. Would the TRB40's be capable of configuring this option or would it have t be done via the Windows firewall?

Answer 1

Hello,

You can use a firewall on TRB140 to restrict internet access.

When you configure OpenVPN, there should be another firewall zone added. So, there should be LAN, WAN, and OpenVPN firewall zones in Network -> Firewall -> General. Also, a firewall traffic rule in Network -> Firewall -> Traffic rules is automatically created when you configure OpenVPN. This rule serves the purpose of opening a port from the WAN side to the OpenVPN instance, enabling the establishment of the VPN connection.

By default, all traffic from LAN is allowed to WAN. What you can do is block all traffic from LAN -> WAN. To do this, edit LAN => WAN zone and remove 'wan' from 'allow forward to destination zones'. This will drop all packets going from LAN to WAN. Then, you can manually add traffic rules to allow only necessary traffic from LAN to WAN. You can find more information about traffic rules here.

You can leave the WAN and OpenVPN zone as they are.

Kind Regards,

Andzej

Comments

Thank you Andzej I will give that a try.

Andrew