7 Replies Latest reply on Apr 5, 2011 11:28 PM by rcamm

    URL Block kills Guest and DMZ

I would like our SG560 to prevent LAN access to certain sites such as facebook.com but after enabling Access Control for the Internet subsystem and adding facebook.com to URL Block, the Guest and DMZ VLANs stop working. v4.0.8 firmware is installed.


      The SG560 network is set up as 4 VLANs:


      A1 LAN-192.168.1.1/24

      A2 DMZ-192.168.0.1/24

      A3-unused

      A4 Guest-10.0.0.1/24


      It seems I'm missing something basic since URL Block should be a pretty simple thing, right? The blocking does work for the LAN, which is good, but the DMZ and Guest networks going down isn't so good. Do I need to add some special packet filtering rule? There is already a rule allowing all outbound traffic from the Guest interface and all DMZ services from the DMZ interface, so I'm not sure what else to add.


      Thanks for any pointers.

      -Terry

        • 1. Re: URL Block kills Guest and DMZ

          I found this post from last year <https://community.mcafee.com/thread/24171?tstart=60> which sounds like a similar problem. The fix suggested was to enter a custom firewall rule:


iptables -t nat -I ContFilt -d x.x.x.x/y -j RETURN


          I have not used iptables before. What would I need to enter to allow my Guest VLAN to continue working when a URL Block is entered?


iptables -t nat -I ContFilt -d 10.0.0.1/24 -j RETURN  ?


          Thanks,

          -Terry
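An added helper, not from the thread or the SG560 firmware, that builds the kind of ContFilt exemption rule quoted above for a list of networks and checks the CIDR before anything is applied. It assumes the chain is named ContFilt as in the thread, and that Guest/DMZ clients are the source of the web traffic, so it defaults to matching on -s (the -d form from the thread is also accepted); rules are printed in dry-run mode and only applied when APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread or the SG560 firmware): emit, and optionally
# apply, RETURN rules that exempt whole subnets from the ContFilt chain in the nat
# table, which is where the thread says the URL Block rule lives.
# Assumptions: chain name ContFilt (quoted in the thread); Guest/DMZ clients are the
# source of the filtered traffic, so -s is used; -d is kept for a destination network.
# Default is a dry run: rules are printed, not applied. Set APPLY=1 to run them.

valid_cidr() {
  # Accept a.b.c.d/n with each octet 0-255 and prefix 0-32; return 1 otherwise.
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; pfx=${1#*/}
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# contfilt_exempt MATCH CIDR -> prints the iptables command (MATCH is -s or -d)
contfilt_exempt() {
  match=$1; cidr=$2
  case "$match" in -s|-d) ;; *) echo "bad match flag: $match" >&2; return 1 ;; esac
  valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  # -I inserts at the top of ContFilt so the exemption wins before the filter rule.
  cmd="iptables -t nat -I ContFilt $match $cidr -j RETURN"
  echo "$cmd"
  [ "${APPLY:-0}" = 1 ] && $cmd
  return 0
}

# Exempt the thread's Guest (A4) and DMZ (A2) networks as traffic sources.
for net in 10.0.0.0/24 192.168.0.0/24; do
  contfilt_exempt -s "$net"
done
```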

          • 2. Re: URL Block kills Guest and DMZ

            Need more info on exactly what isn't working.

i.e. which in and out interfaces, source and destination IPs, and the destination port

            • 3. Re: URL Block kills Guest and DMZ

              Thank you for the response. Sorry for the delay in replying--been out of the office in meetings.


The A4 Guest LAN is primarily for internet access via the SG560 port B for our customers that are in-house (we are a video production facility). In addition to a switch for hardwired Guest internet access in each of the edit suites, there is also a Netgear wireless router on the A4 Guest port which provides DHCP and NAT for our guests with iPhones/iPads/laptops/etc. This works currently and has been working fine for a couple of years. The addresses assigned to wireless devices by the router are 192.168.1.x. The wireless router is assigned an IP from the SG560 of 10.0.0.2-50 (normally it's 10.0.0.2).


After asking, and failing, to stop my employees from spending so much time distracted by social media sites, I decided to try entering a URL Block of facebook.com with the Internet subsystem enabled. This causes the wireless side of the Guest LAN to stop working: sites will not load, and no traffic appears to pass. Remove the URL Block, and wireless Guest works again. The same behavior appears to occur on the DMZ LAN. I have not tested the wired Guest LAN with a URL Block enabled.


              I hope this answers your questions. If I haven't described the setup properly please let me know and I'll do my best to provide it.


              The end goal is to allow relatively unfettered internet access on the Guest and DMZ ports but block access to facebook.com on the employee A1 LAN. It seems like this should be a relatively easy thing to do and I'm missing something basic.


              Thanks,

              -Terry

              • 4. Re: URL Block kills Guest and DMZ

                Can I provide additional info to help determine what's going on?


                Thanks,

                -Terry

                • 5. Re: URL Block kills Guest and DMZ

Yes, we need additional info, which can't be published here due to security reasons.

Are you able to open a support ticket?

                  • 6. Re: URL Block kills Guest and DMZ

Not sure. I've never opened a ticket with McAfee. The SG560 was purchased in May of '08 with a standard warranty and a 24 month warranty extension. I see that on 4/29/09 SecureComputing sent out an email saying that the transition to McAfee was delayed and that a letter with a Grant number would be sent, but I never received one. How should we proceed?


                    Thanks,

                    -Terry

                    • 7. Re: URL Block kills Guest and DMZ

                      If you contact support, there is an option to be connected to customer service.

Customer service can sort out the Grant ID issue, and then technical support will assist.