Blocking all traffic within LAN Alias



  • My setup: I have DHCP handing out addresses on the LAN from 172.16.1.0 to 172.16.1.254. I have created an alias for this range (172.16.1.0-172.16.1.254) called "Guest Users". I want to statically set addresses starting at 172.16.2.0 for known stations. I set an alias for this range (172.16.2.0-172.16.2.254) called "Domain Users". I want to create a rule to block any traffic from the "Guest Users" alias to "Domain Users". I did this under the LAN tab and could still ping from a station with the IP 172.16.1.1 (within the Guest Users alias) to a station at 172.16.2.2. Please let me know what I am doing wrong.



  • Did you reset your states before running the second test?  Existing states will not be blocked by a rule update.



  • Just a side note: having two networks on the same interface is not recommended/best practice. It is better to have them on different interfaces, either physical or virtual.



  • moikerz

    I agree with you; upon reading more, there is no way of filtering/blocking inter-LAN traffic (traffic within the same interface). So I have changed gears and have 2 LAN interfaces (physical). I now cannot get internet access on the GUEST or second LAN. DHCP works, and the two interfaces are on two different subnets. LAN 1 (internet working) has just the 3 rules (that come standard) on subnet 172.16.0.1/16. I then added another interface, GUEST (LAN2); I copied the 2 rules from LAN 1, and it is on 192.168.1.1/24. I cannot get internet access on this interface. Please help; I know it has to be a routing/NAT/or firewall rule. I have tried everything in other forums but nothing works.



  • Ok, so you have LAN1 working fine, using 172.16.0.0/16 with DHCP, all good.

    And you have LAN2, using 192.168.1.0/24 with DHCP, but no internet access?

    Are you testing LAN2 using DHCP? If so, are you being correctly assigned an IP address, mask, gateway and DNS server? If so, what are your firewall rules for LAN2? Screenshots would help.

    You shouldn't need to play with NAT at this point - it should be default/automatic.
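
Added example, not part of the thread: a Python check of why a rule on the LAN tab cannot see traffic between the two aliases when both ranges sit inside the LAN subnet (172.16.0.1/16, as given later in the thread), and why a separate GUEST interface on 192.168.1.1/24 puts the firewall in the path. The function names and the 192.168.1.2-192.168.1.254 client range are assumptions made for this example, as is the premise that clients use the same netmask as the firewall interface.

```python
import ipaddress

# Alias ranges and interface addresses as given in the thread.
GUEST_USERS = "172.16.1.0-172.16.1.254"
DOMAIN_USERS = "172.16.2.0-172.16.2.254"
LAN_IF = "172.16.0.1/16"
GUEST_IF = "192.168.1.1/24"
# Constructed for this example: client range on the separate GUEST interface.
GUEST_IF_CLIENTS = "192.168.1.2-192.168.1.254"


def parse_range(text):
    """Expand an alias range 'first-last' into the CIDR networks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def on_link(alias_range, iface_cidr):
    """True if every address in the range lies inside the interface's subnet."""
    link = ipaddress.ip_network(iface_cidr, strict=False)
    return all(net.subnet_of(link) for net in parse_range(alias_range))


def rule_can_match(src_range, dst_range, src_iface_cidr):
    """True if src -> dst traffic has to be routed by the firewall.

    A host sends to an on-link destination directly (ARP, then the switch),
    so a rule on the interface never sees that traffic. Assumes clients use
    the same netmask as the firewall interface they sit on.
    """
    return not (on_link(src_range, src_iface_cidr)
                and on_link(dst_range, src_iface_cidr))


if __name__ == "__main__":
    cases = [
        ("Guest Users -> Domain Users, both on LAN", GUEST_USERS, LAN_IF),
        ("GUEST interface clients -> Domain Users", GUEST_IF_CLIENTS, GUEST_IF),
    ]
    for label, src, iface in cases:
        ok = rule_can_match(src, DOMAIN_USERS, iface)
        print(f"{label}: {'filterable' if ok else 'bypasses the firewall'}")
```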

