Netgate Discussion Forum
    Simplest way to block OPT1 accessing LAN yet allow 2 devices on OPT1 access

    Firewalling | 4 Posts, 3 Posters, 533 Views
    yea

      Hi

      I have OPT1 connected to an AP on 172.20.1.x
      I have LAN on 192.168.0.x

      I want to block all on OPT1 accessing the LAN net, except for 2 devices which should only be able to connect to one IP on the LAN net and to a specific port.

      1. I have created a rule on OPT1 blocking OPT1 net from accessing LAN net.

      2. I also have another rule on OPT1 saying "alias of the 2 devices on OPT1" allow "LAN device ip alias" "LAN device port alias".

      Can I order the rules in such a way as to block all traffic to LAN (1), and have my other rule (2) work? Or does the block rule overrule the allow rule?

      If not, is there a simple way to achieve what I'm after?

      Hope that all makes sense.

    doktornotor (Banned)

        Rules are top down, first match wins.

    johnpoz (LAYER 8 Global Moderator)

          Post up your rules on your OPT interface. But dok is correct: rules are evaluated as traffic enters an interface. Top down; the first rule to trigger wins and no other rules are evaluated.

          If you need a picture I can post. But this is really drop-dead simple.

          If your top rule on OPT is block, then your 2nd rule to allow would never be evaluated. Put the rule that allows your specific IPs to go to LAN above, then put your block below it if you want. Since there is a default deny, there really is no need for the block rule at all. All interfaces have a default deny (not shown in the GUI) that blocks all traffic that is not allowed.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

    yea
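The ordering point above can be checked without touching a firewall. The following is an added example (not from this thread and not pfSense code) that models how pfSense evaluates interface rules: top down on the interface where the traffic enters, first match wins, and anything no rule passes is dropped by the hidden default deny. The aliases, addresses and the port 8080 are constructed stand-ins for the poster's "2 devices", "LAN device ip alias" and "LAN device port alias".

```python
"""Model of pfSense interface-rule evaluation (added example, not pfSense code).
Top down, first matching rule wins, implicit default deny when nothing matches.
All addresses, aliases and the port below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed aliases standing in for the poster's aliases (hypothetical values).
OPT1_NET = ("172.20.1.0/24",)
TRUSTED_DEVICES = ("172.20.1.10/32", "172.20.1.11/32")   # the 2 permitted devices
LAN_NET = ("192.168.0.0/24",)
LAN_SERVER = ("192.168.0.5/32",)                          # the one LAN host they may reach
LAN_SERVER_PORT = 8080                                    # the one permitted port
ANY = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: Tuple[str, ...]          # alias: networks/hosts the source must fall in
    dst: Tuple[str, ...]          # alias for the destination
    dport: Optional[int] = None   # None = any destination port
    proto: str = "any"            # "tcp", "udp" or "any"

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        src_ok = any(ip_address(src) in ip_network(n) for n in self.src)
        dst_ok = any(ip_address(dst) in ip_network(n) for n in self.dst)
        return src_ok and dst_ok


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided). Index None means no
    rule matched and the implicit default deny dropped the packet."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, dport, proto):
            return rule.action, i
    return "block", None


# The two rules from the thread, plus the broad pass rule most OPT1
# interfaces carry so devices can reach the Internet at all.
ALLOW_TRUSTED = Rule("pass", TRUSTED_DEVICES, LAN_SERVER, LAN_SERVER_PORT, "tcp")
BLOCK_LAN = Rule("block", OPT1_NET, LAN_NET)
PASS_ANY = Rule("pass", OPT1_NET, ANY)

BLOCK_FIRST = [BLOCK_LAN, ALLOW_TRUSTED]            # poster's ordering: allow is shadowed
ALLOW_FIRST = [ALLOW_TRUSTED, BLOCK_LAN]            # johnpoz's ordering
RECOMMENDED = [ALLOW_TRUSTED, BLOCK_LAN, PASS_ANY]  # same, with Internet access kept


if __name__ == "__main__":
    for name, rules in [("block first", BLOCK_FIRST),
                        ("allow first", ALLOW_FIRST),
                        ("allow, block, pass-any", RECOMMENDED)]:
        print(name, "trusted -> server:8080 =>",
              evaluate(rules, "172.20.1.10", "192.168.0.5", 8080))
        print(name, "trusted -> Internet:443 =>",
              evaluate(rules, "172.20.1.10", "203.0.113.7", 443))
```

Running it shows the shadowing directly: with the block rule on top, the trusted device's connection to the server on 8080 hits rule 0 and is blocked; with the allow rule on top it passes, while the same device on port 22 or any other OPT1 host on 8080 falls through to the block. The third ruleset is the caveat worth keeping in mind when dropping the block rule as johnpoz suggests: the default deny also stops OPT1 reaching the Internet, so if a pass-to-any rule is added below for that, the explicit block to LAN net sitting above it is what keeps the rest of the LAN out of reach.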

            I apologise for the late reply, but your help has been very useful.

            Thank you :)
