Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access

    I have OPT1 connected to an AP on 172.20.1.x
    I have LAN on 192.168.0.x

    I want to block all on OPT1 accessing the LAN net, except for 2 devices which should only be able to connect to one IP on the LAN net and to a specific port.

    1. I have created a rule on OPT1 blocking OPT1 net from accessing LAN net.

    2. I also have another rule on OPT1 saying "alias of the 2 devices on OPT1" allow "LAN device ip alias" "LAN device port alias".

    Can I order the rules in such a way as to block all traffic to LAN (1), and have my other rule (2) work? Or does the block rule overrule the allow rule?

    If not, is there a simple way to achieve what I'm after?

    Hope that all makes sense.

    Rules are top down, first match wins.

    Post up your rules on your OPT interface. But dok is correct: rules are evaluated as traffic enters an interface. Top down, first rule to trigger wins; no other rules are evaluated.

    If you need a picture I can post. But this is really drop-dead simple.

    If your top rule on OPT is block, then your 2nd rule to allow would never be evaluated. Put the rule that allows your specific IPs to go to LAN above, then below it put your block if you want. Since there is a default deny, there really is no need for the block rule at all. All interfaces have a default deny (not shown in the GUI) that would block all traffic that is not allowed.
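    To make the ordering argument concrete, here is a small simulator of first-match rule evaluation on an interface, written for this page as an added example (it is not code from the thread or from pfSense). It uses the OPT1 and LAN subnets from the question; the two device addresses, the LAN host address and the port 8443 are assumed stand-ins for the poster's aliases. It evaluates the same traffic against rule (1) above rule (2), rule (2) above rule (1), and rule (2) alone relying on the hidden default deny.

```python
"""Simulate interface rule evaluation the way the replies describe it:
top down, first match wins, then the interface's hidden default deny.
Added example for this thread; not the forum's or pfSense's own code."""
import ipaddress

# Subnets from the question. Host addresses and the port are assumed values
# standing in for the poster's aliases.
OPT1_NET = ipaddress.ip_network("172.20.1.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
TWO_DEVICES = frozenset({ipaddress.ip_address("172.20.1.10"),
                         ipaddress.ip_address("172.20.1.11")})   # "alias of the 2 devices" (assumed)
LAN_DEVICE = frozenset({ipaddress.ip_address("192.168.0.50")})   # "LAN device ip alias" (assumed)
LAN_PORT = 8443                                                   # "LAN device port alias" (assumed)
OTHER_DEVICE = ipaddress.ip_address("172.20.1.77")                # any other OPT1 client (assumed)


def _addr_matches(addr, target):
    """target is 'any', an ip_network, or a frozenset of addresses (an alias)."""
    if target == "any":
        return True
    return addr in target   # membership works for both ip_network and frozenset


def rule_matches(rule, src, dst, dport):
    """A rule matches only when source, destination and destination port all match."""
    return (_addr_matches(src, rule["src"])
            and _addr_matches(dst, rule["dst"])
            and (rule["dport"] == "any" or dport == rule["dport"]))


def evaluate(rules, src, dst, dport):
    """Walk the rules top down. The first match decides and nothing below it is
    looked at; with no match the interface's default deny applies."""
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule["action"], rule["name"]
    return "block", "default deny (not shown in the GUI)"


# Rule (1) and rule (2) exactly as the question describes them.
BLOCK_OPT1_TO_LAN = {"name": "1: block OPT1 net -> LAN net", "action": "block",
                     "src": OPT1_NET, "dst": LAN_NET, "dport": "any"}
ALLOW_TWO_DEVICES = {"name": "2: pass 2 devices -> LAN device port", "action": "pass",
                     "src": TWO_DEVICES, "dst": LAN_DEVICE, "dport": LAN_PORT}


def verdicts(rules):
    """Verdicts for three flows: a permitted device to the right host and port,
    another OPT1 device to the same host and port, and a permitted device to
    the same host on a different port."""
    dev = sorted(TWO_DEVICES)[0]
    host = next(iter(LAN_DEVICE))
    return (evaluate(rules, dev, host, LAN_PORT)[0],
            evaluate(rules, OTHER_DEVICE, host, LAN_PORT)[0],
            evaluate(rules, dev, host, 22)[0])


if __name__ == "__main__":
    orderings = [("block above allow", [BLOCK_OPT1_TO_LAN, ALLOW_TWO_DEVICES]),
                 ("allow above block", [ALLOW_TWO_DEVICES, BLOCK_OPT1_TO_LAN]),
                 ("allow only, rely on default deny", [ALLOW_TWO_DEVICES])]
    for label, rules in orderings:
        print(f"{label:34s} permitted/other/wrong-port = {verdicts(rules)}")
```

    With the block rule on top every flow is blocked, including the two permitted devices, because the pass rule is never reached. With the pass rule on top the two devices reach the one host on the one port and everything else from OPT1 is blocked, and the result is identical when the block rule is left out entirely, since the unmatched flows fall through to the default deny.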

    I apologise for the late reply, but your help has been very useful.

    Thank you :)

