Confusion About Firewall Rules?



  • Hi,

    I currently have a segregated local network using VLANs and I would like to create rules to restrict certain subnets to WAN access only. The problem is, when I set up a rule using

    (Source subnet) Block (restricted subnet) Protocol: any
    (Moved to the top of the list)

    I end up restricting the mentioned subnet to all locations.

    i.e. cannot access the firewall, cannot access any other subnet.

    However, if I set the source to ANY, and then simply set the destination to the subnet that I want to block, it works.

    Why is that?

    For context, I have a VLAN for the guys that rent the basement downstairs and a VLAN for everyone else upstairs. I want to block their subnet off from ours (upstairs).

    I would be grateful for your insight,

    Thanks in advance,
    Michael L.


  • Galactic Empire

    You need to create an alias with all your local subnets in, then create a rule to allow anything out to that host / alias and tick invert match on the destination.

    You don't want the guys downstairs accessing your router so block off ssh & web access to the firewall interfaces.




  • The firewall rules are always matched from top to bottom, so you should create a rule that drops traffic from the network downstairs to upstairs as the first entry in the VLAN (Downstairs) rule tab, and then create your allow rules below it. That would drop all the packets from downstairs to upstairs because they are matched by the first rule. Everything else would be allowed to whatever its destination is.

    I have added a picture of how it could look.

    ![Screen Shot 2016-11-23 at 14.46.13.png](/public/imported_attachments/1/Screen Shot 2016-11-23 at 14.46.13.png)



  • Hey,

    Sorry for the late reply.

    Yes, I understand what you're mentioning. That's exactly what I've been doing. Except somehow it just ends up blocking everything entirely.

    In your example, you set up your source as "guest net" and destination as "n_ip_local_subnets". My issue is whenever I set up the interface subnet as the source, it just ends up blocking all traffic and I don't know why.


  • Netgate

    Pass local assets they need to access
    Block local assets they shouldn't access
    Pass the internet.

    ![Screen Shot 2016-06-18 at 9.34.20 PM.png](/public/imported_attachments/1/Screen Shot 2016-06-18 at 9.34.20 PM.png)
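The three rule layouts suggested in this thread (the inverted local-subnets alias, "block downstairs-to-upstairs first, then allow", and Netgate's pass/block/pass ordering) all depend on top-to-bottom first-match evaluation and on the default deny for traffic nothing matches. The following is an added example, not code from any poster here or from pfSense itself; it is a small Python model of that first-match evaluation so the three layouts can be compared side by side. The addresses (192.168.10.0/24 for upstairs, 192.168.20.0/24 for the downstairs VLAN, 192.168.20.1 as the firewall's address on that VLAN, 203.0.113.10 as an internet host) are constructed for illustration and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing: assumptions for illustration, not values from the thread.
UPSTAIRS = ipaddress.ip_network("192.168.10.0/24")       # "everyone else upstairs"
DOWNSTAIRS = ipaddress.ip_network("192.168.20.0/24")     # the basement tenants' VLAN
FW_DOWNSTAIRS = ipaddress.ip_network("192.168.20.1/32")  # firewall address on that VLAN (gateway/DNS)
ANY = ipaddress.ip_network("0.0.0.0/0")
LOCAL_SUBNETS = (UPSTAIRS, DOWNSTAIRS)                   # the alias holding all local subnets

TENANT_HOST = "192.168.20.50"   # constructed: a host on the downstairs VLAN
INTERNET_HOST = "203.0.113.10"  # constructed: a public address


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: tuple                # networks the source address must fall inside
    dst: tuple                # networks the destination address must fall inside
    invert_dst: bool = False  # the "invert match" checkbox on the destination
    note: str = ""


def in_any(nets, addr):
    """True if addr lies inside at least one of the networks."""
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """Walk the rules top to bottom and return the action of the first match.

    Interface rules are first-match, and traffic that matches no rule on the
    interface is dropped by the default deny, so an empty tab blocks everything.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        dst_hit = in_any(rule.dst, dst)
        if rule.invert_dst:
            dst_hit = not dst_hit
        if in_any(rule.src, src) and dst_hit:
            return rule.action
    return "block"  # default deny


def rules_invert_alias():
    """One pass rule whose destination is NOT the local-subnets alias."""
    return [Rule("pass", (DOWNSTAIRS,), LOCAL_SUBNETS, invert_dst=True,
                 note="anything that is not a local subnet")]


def rules_block_then_allow():
    """Block downstairs -> upstairs as the first entry, then allow the rest."""
    return [Rule("block", (DOWNSTAIRS,), (UPSTAIRS,)),
            Rule("pass", (DOWNSTAIRS,), (ANY,))]


def rules_pass_block_pass():
    """Pass the local assets they need, block the rest of local, pass the internet."""
    return [Rule("pass", (DOWNSTAIRS,), (FW_DOWNSTAIRS,), note="gateway/DNS on this VLAN"),
            Rule("block", (DOWNSTAIRS,), LOCAL_SUBNETS),
            Rule("pass", (DOWNSTAIRS,), (ANY,))]


def verdicts(rules):
    """Decisions for a downstairs host talking to upstairs, the firewall, and the internet."""
    return {
        "upstairs": evaluate(rules, TENANT_HOST, "192.168.10.5"),
        "firewall": evaluate(rules, TENANT_HOST, "192.168.20.1"),
        "internet": evaluate(rules, TENANT_HOST, INTERNET_HOST),
    }


if __name__ == "__main__":
    layouts = [
        ("invert alias", rules_invert_alias()),
        ("block then allow", rules_block_then_allow()),
        ("pass / block / pass", rules_pass_block_pass()),
        # Same two rules as "block then allow" but in the wrong order.
        ("allow then block", list(reversed(rules_block_then_allow()))),
    ]
    for name, rules in layouts:
        print(f"{name:22} {verdicts(rules)}")
```

Two things worth noticing in the output. With the inverted alias, the firewall's own address on the downstairs VLAN is inside the alias, so it is blocked along with upstairs; if that address also serves DNS to the tenants, a pass rule for it has to sit above the block, which is exactly what the pass/block/pass ordering does. With "block then allow", swapping the two rules makes the block unreachable and the tenants can reach upstairs again, which is why the block has to be the first entry in the tab.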