Isolate two interfaces: firewall rules not working
-
I have three interfaces: WAN, LAN, WLAN.
I want to isolate LAN and WLAN, so they cannot send traffic or anything else between the two subnets.
LAN is 10.20.30.0/24
WLAN is 10.20.31.0/24
My firewall rules are:
On the LAN
Action: Block
Protocol: IPv4
Source: 10.20.31.0/24
Port: *
Destination: *
Port: *
Gateway: *
On the WLAN
Action: Block
Protocol: IPv4
Source: 10.20.30.0/24
Port: *
Destination: *
Port: *
Gateway: *
Does this look correct?
I am still able to ping from LAN to WLAN.
-
Your rules are the wrong way around.
Also, don't design your rules around explicit blocks, but around explicit allows.
There is an invisible "block all" rule after all your own rules.
On the LAN create a single rule:
Allow
Source: LAN-subnet
Destination: !WLAN-subnet
And respectively on the WLAN:
Allow
Source: WLAN-subnet
Destination: !LAN-subnet
-
Doing just that still allows me to ping a device on the WLAN?
-
From where?
-
By default there is no access between network interfaces anyway.
Protocol: IPv4
IPv4 is not a protocol, but the IP version!
If you select "any" for protocol it should work and disallow ping likewise.
-
LAN is 10.20.30.0/24
WLAN is 10.20.33.0/24
From LAN to WLAN, I am able to ping a device from
10.20.30.100
to
10.20.33.2
-
By default there is no access between network interfaces anyway.
Protocol: IPv4
IPv4 is not a protocol, but the IP version!
If you select "any" for protocol it should work and disallow ping likewise.
Under firewall rules it says:
TCP/IP Version {dropdown menu} Select the Internet Protocol version this rule applies to
I just copied and pasted it.
-
Did you change your rules to be the way I described them?
Can you show a screenshot of your current rules?
-
Yes I did, I will send a screenshot in the morning.
But even with no rules, shouldn't it block it, since there is an invisible deny-all rule?
-
Yes if you have no rules at all then everything should be blocked.
-
Here are the screenshots with no rules; it should block the traffic from one interface (subnet) to another (subnet):
https://www.dropbox.com/s/g44e9q50b8hc8uy/firewall%20-%20%20floating.png
https://www.dropbox.com/s/urcibwd0k4nytj6/firewall%20-%20lan.png
https://www.dropbox.com/s/ovjs1fr0pdcyj51/firewall%20-%20wlan.png
https://www.dropbox.com/s/lneaufs6bnm7qs9/ping.jpg
I will post the other screenshots with the rules, but regardless it should not allow you to ping unless some of my other settings are wrong.
edit: removed img tags
-
I don't see any screenshots
-
On the LAN and the WLAN tab you obviously have the "default allow LAN/WLAN to any" rule.
This is not "no rule".
-
Wow, how did I not see that. OK, I will change it to LAN to WAN: a "Default allow LAN to WAN" rule.
-
Don't forget to clear states if you're going to immediately test after making changes like this.
-
Yes I did, perfect. Thank you both for your help.
-
Wow, how did I not see that. OK, I will change it to LAN to WAN: a "Default allow LAN to WAN" rule.
A rule like "Pass protocol any source LANnet destination WANnet" will not be much use, because you actually want to allow traffic from LANnet to "the big bad public internet", not just traffic to your WANnet.
So you will likely want rules like:
"Pass protocol any source LANnet destination not WLANnet"
"Pass protocol any source WLANnet destination not LANnet"
or some other combination of pass and block rules to achieve a similar effect.
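The three rule designs discussed in this thread (the original block rules sitting under the stock "Default allow LAN/WLAN to any" rule, the recommended explicit allows with a negated destination, and the "LAN to WANnet" rule from the last reply) can be checked against each other with a small first-match evaluator. This is an added example written for this page, not code from the original posters or from any firewall product. It models the behaviour the answers describe: rules are evaluated on the interface a packet enters, the first matching rule wins, and no match falls through to the invisible block-all. Protocol is treated as "any", so ICMP/ping is covered. The WAN subnet (192.0.2.0/24), the internet host (198.51.100.10) and the flow list are constructed assumptions; the thread never states a WAN subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread (WLAN as the poster corrected it later in the thread).
# WANnet is an ASSUMPTION for illustration: the thread never states the WAN subnet.
INTERFACES = {
    "LAN":  ipaddress.ip_network("10.20.30.0/24"),
    "WLAN": ipaddress.ip_network("10.20.33.0/24"),
    "WAN":  ipaddress.ip_network("192.0.2.0/24"),   # assumed WANnet (TEST-NET-1)
}


@dataclass(frozen=True)
class Match:
    """Address selector: net=None is the GUI's '*' / any, negate is its 'not' (!) box."""
    net: Optional[ipaddress.IPv4Network] = None
    negate: bool = False

    def hits(self, addr: ipaddress.IPv4Address) -> bool:
        inside = self.net is None or addr in self.net
        return not inside if self.negate else inside


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"; protocol modelled as 'any', so ping is covered
    src: Match = Match()
    dst: Match = Match()


def net(name: str, negate: bool = False) -> Match:
    """LANnet / WLANnet / WANnet style alias, optionally negated."""
    return Match(INTERFACES[name], negate)


def ingress(src: ipaddress.IPv4Address) -> str:
    """Rules are evaluated on the interface a packet ENTERS, i.e. its source subnet."""
    for name, subnet in INTERFACES.items():
        if src in subnet:
            return name
    return "WAN"   # assumption: anything else arrives from the internet side


def decide(rulesets: dict, src_ip: str, dst_ip: str) -> str:
    """First matching rule on the ingress interface wins; no match hits the invisible block-all."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rulesets.get(ingress(src), []):
        if rule.src.hits(src) and rule.dst.hits(dst):
            return rule.action
    return "block"


# 1. What the original post actually had: the block rules from the question PLUS the
#    stock "Default allow LAN/WLAN to any" rule the screenshots turned out to contain.
ORIGINAL = {
    "LAN":  [Rule("block", src=net("WLAN")),    # WLAN-sourced traffic never enters on LAN: dead rule
             Rule("pass",  src=net("LAN"))],    # Default allow LAN to any
    "WLAN": [Rule("block", src=net("LAN")),     # same mistake mirrored
             Rule("pass",  src=net("WLAN"))],   # Default allow WLAN to any
}

# 2. The recommended design: one explicit allow per interface with a negated destination;
#    everything else falls through to the default deny.
RECOMMENDED = {
    "LAN":  [Rule("pass", src=net("LAN"),  dst=net("WLAN", negate=True))],
    "WLAN": [Rule("pass", src=net("WLAN"), dst=net("LAN",  negate=True))],
}

# 3. The poster's first fix, "Default allow LAN to WAN": destination WANnet only.
LAN_TO_WANNET = {
    "LAN":  [Rule("pass", src=net("LAN"),  dst=net("WAN"))],
    "WLAN": [Rule("pass", src=net("WLAN"), dst=net("WAN"))],
}

# Constructed test flows: the ping from the thread, its reverse, and each subnet to a
# made-up internet host (198.51.100.10, TEST-NET-2).
FLOWS = [
    ("10.20.30.100", "10.20.33.2"),
    ("10.20.33.2", "10.20.30.100"),
    ("10.20.30.100", "198.51.100.10"),
    ("10.20.33.2", "198.51.100.10"),
]


def verdicts(rulesets: dict) -> dict:
    """Verdict for every constructed flow under one set of per-interface rules."""
    return {f"{s}->{d}": decide(rulesets, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL), ("recommended", RECOMMENDED),
                      ("lan-to-wannet", LAN_TO_WANNET)):
        print(label)
        for flow, verdict in verdicts(rs).items():
            print(f"  {flow:32} {verdict}")
```

Running it shows the three outcomes the thread arrives at: under ORIGINAL every flow passes, because the block rules can never match on the interface they were placed on and the default allow does the rest; under RECOMMENDED the two inter-subnet pings are blocked while both subnets still reach the internet host; under LAN_TO_WANNET the isolation holds but internet-bound traffic is blocked too, which is why that rule "will not be much use". Passing an empty dict to `decide` reproduces the true "no rules" case, where everything is blocked.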