I'm relatively new to ClearOS, and have recently set up a couple as gateways on boxes that have multiple NICs for the purposes of dual WAN and multiple LAN subnets. I've noticed that my LANs can communicate with each other, which is not what I want, but I don't see any GUI settings to disable what appears to be a bridge of some sort. How do I isolate my LANs?
Accepted Answer
The LANs aren't 'bridged' per se. Rather, they are routed and trusted. This is by design.
The two networks that have 'NAT' through the gateway are called 'LAN' and 'HotLAN'. LAN trusts other LAN, LANs can also access HotLANs. HotLANs cannot access LANs but can access other HotLANs. This article talks about the differences:
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_network_types_-_external_lan_hotlan_dmz
It sounds like what you need is a custom firewall partition between networks (Network >> Firewall >> Custom Firewall). This can be resolved with simple 'DROP' rules in the custom firewall. I'm not at a place where I can test it but here are some things to try...
WARNING: ONLY TEST CUSTOM FIREWALL RULES IF YOU HAVE DIRECT ACCESS TO YOUR CONSOLE. BAD RULES CAN LOCK YOU OUT OF YOUR FIREWALL THROUGH REMOTE ACCESS.
$IPTABLES -I FORWARD -i eno1 -o eno4 -j DROP
$IPTABLES -I FORWARD -i eno4 -o eno1 -j DROP
Again, I don't know what this will do to your network...use with caution. Let me know what works or doesn't here and I'll improve the articles.
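The two DROP lines above isolate exactly one pair of interfaces. As an added example (not code from the post or from ClearOS), this small POSIX shell helper generates the same kind of FORWARD DROP rules for any number of LAN interfaces, so each listed LAN is cut off from every other one; the interface names are assumed, and $IPTABLES is the variable the custom firewall script uses.

```shell
# Added example, not part of the original answer. Generates pairwise
# "-I FORWARD ... -j DROP" rules for a list of LAN interfaces, the same
# approach as the eno1/eno4 lines in the post, generalised to N LANs.
# Interface names are assumed; substitute the ones on your gateway.
IPTABLES="${IPTABLES:-iptables}"

# Print one DROP rule for every ordered pair of distinct interfaces in $1
# (space-separated). -I inserts at the top of FORWARD, ahead of ClearOS's
# own trusted-LAN ACCEPT rules, which is why the DROP takes effect.
# Only LAN/HotLAN interfaces belong in the list: a WAN interface here
# would cut the LANs off from the internet.
isolation_rules() {
    for src in $1; do
        for dst in $1; do
            [ "$src" = "$dst" ] && continue
            echo "$IPTABLES -I FORWARD -i $src -o $dst -j DROP"
        done
    done
}

# Number of rules the list produces: n interfaces give n*(n-1) rules.
# Useful as a sanity check before pasting into the custom firewall.
rule_count() {
    isolation_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: review the output, then paste it into
# Network >> Firewall >> Custom Firewall (console access first, as warned above).
isolation_rules "eno1 eno2 eno4"
```

After applying the rules, `iptables -C FORWARD -i eno1 -o eno4 -j DROP` returns 0 when a given rule is present, and a ping from one LAN to a host on the other should now time out.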