Wireless Security: Isolate Networks Completely
Actually (v7.508) it is not possible to isolate a guest Wi-Fi network from the internal networks completely. Configuration scenario: separate network for the Wi-Fi guests, with DHCP and DNS service for that network on the Astaro. With version 7.508 it is possible to resolve internal hostnames when a request route is set to the internal DNS servers (the forwarders on the Astaro set to DNS servers on the internet). It must be possible to filter out the internal domain names on the guest network.
Another bad thing is that the Wi-Fi guests can access internal Web Servers when they use the transparent Web Proxy on the Astaro. For that setup it is nice to have complete blocking for internal resources. The Web Proxy profiles need a destination setting configurable to destination “Internet” (Network definition).
This is something we will look to address shortly as a bugfix (vs. a feature). It will likely be closed and tracked internally as a bug, but for now we’ll leave it as under review…
You can add your internal networks to the transparent mode skiplist in the web proxy.
So if packets for these networks arrive at the UTM, the source address is kept in the packet and you can configure packet rules to deny the connection. That's how I keep the guest WLAN from reaching our internal servers. Make sure you have unchecked the field "Allow HTTP/S traffic for listed hosts/nets".
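The reasoning in the reply above, as an added illustration that is not part of the thread: a small model of why the transparent proxy lets guest clients past a "guest -> internal: deny" packet rule, and how the skiplist changes the outcome. The addresses, the rule set and the behaviour of the "Allow HTTP/S traffic for listed hosts/nets" option are assumptions modelled on the thread's description, not a reproduction of the UTM's real implementation.

```python
import ipaddress

# Constructed topology (assumed, not from the thread).
GUEST_WLAN = ipaddress.ip_network("192.168.50.0/24")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
PROXY_PORTS = {80, 443}

# Packet rules, evaluated top-down, first match wins.
PACKET_RULES = [
    {"src": GUEST_WLAN, "dst": INTERNAL, "action": "deny"},
    {"src": GUEST_WLAN, "dst": ANY, "action": "allow"},
]


def proxy_intercepts(dst_ip, dst_port, skiplist):
    """Transparent mode grabs HTTP/S before the packet rules run,
    unless the destination is on the transparent-mode skiplist."""
    if dst_port not in PROXY_PORTS:
        return False
    return not any(dst_ip in net for net in skiplist)


def packet_filter(src_ip, dst_ip):
    for rule in PACKET_RULES:
        if src_ip in rule["src"] and any(dst_ip in n for n in rule["dst"]):
            return rule["action"]
    return "deny"  # implicit default policy


def evaluate(src, dst, dst_port, skiplist=(), allow_skipped_hosts=False):
    """Return (decision, path) for one guest connection crossing the UTM."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proxy_intercepts(dst_ip, dst_port, skiplist):
        # The proxy terminates the client side and opens its own connection
        # to the server, so the guest source address never reaches the
        # packet rules and the deny rule cannot match (the thread's bug).
        return ("allow", "proxy")
    if allow_skipped_hosts and dst_port in PROXY_PORTS:
        # Modelled after the reply's warning: with the option checked, the
        # skipped hosts are allowed HTTP/S by an automatic rule, so the
        # manual deny rule is bypassed again.
        return ("allow", "proxy-auto-rule")
    return (packet_filter(src_ip, dst_ip), "packet-filter")
```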
Peter Müller commented
We have the same problems in V9.107-33: the WLAN interface can access internal web servers. Proxy in transparent mode, firewall rule wlan -> any <- internal network.
Is it me, or should a dedicated VLAN be used in this scenario so that all traffic can be isolated?
Evan Hart commented