Allow traffic WAN



  • Hi,

    I'm really puzzled by this and probably missing some basic knowledge. Hope someone can fill me in on this.

    I'm trying to create a rule that allows all traffic from an extra LAN interface to the WAN interface on certain ports, so that the LAN has internet.

    So far I have tried this, with protocol set to any to start with. I created these rules on the LAN tab; no other rules are present. I tried them one at a time.

    A rule that allows LAN_net to any --> This works. Internet is available.
    A rule that allows LAN_net to WAN_net --> This does not work. Internet is unavailable.

    Am I even supposed to allow access to the internet this way? I have been Googling, and all I can find is people allowing everything, but blocking private networks. My mindset is to block everything, except the rules I create.

    What am I missing?



  • WAN net only allows you to access the network on your WAN side. Let's say the ISP's gateway net. But the internet is way more than one network ;)



  • @mrsunfire Yeah, I figured as much. I tried adding all other networks too, to no avail. What else should be allowed? Or should I take a different approach?



  • LAN net to any is correct if all your clients should be able to reach the internet.



  • @mrsunfire And then block everything else I don't want, like other interfaces?



  • If you don't allow anything else, it's blocked. You only allow LAN net.



  • Your goal is to allow only Internet access from an extra (guest?) LAN interface and block access to other LAN interfaces?
    You could create an RFC1918 Alias containing all private address space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
    Then put a Block or Reject rule with your created RFC1918 Alias as target on top of your rules on the guest LAN interface.

    -Rico



  • @rico Thanks for your reply, that's indeed what I ended up doing.

    What's the best practice for blocking all ports but 80, 443 and 53 from here on?



  • I'd just create three separate Rules for that.
    Instead of LAN_net to any Port *, put in Port 80.
    Finally you end up with four Rules:
    Reject RFC1918
    LAN_net to any Port 80
    LAN_net to any Port 443
    LAN_net to any Port 53

    -Rico
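To make the behaviour of the rule sets in this thread concrete, here is an added example (not from the thread or from pfSense itself) that models first-match, top-down rule evaluation with an implicit default deny. The interface subnets and destination addresses are constructed documentation addresses; it compares Rico's four-rule set with the original "LAN_net to WAN_net" rule to show why the latter only reaches the ISP gateway subnet.

```python
import ipaddress

# Constructed addresses for the example; substitute your own interface subnets.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # the extra (guest) LAN interface
WAN_NET = ipaddress.ip_network("203.0.113.0/24")    # ISP gateway subnet, i.e. "WAN net"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def rule(action, src, dst, dport=None):
    """One firewall rule: dst is a list of networks, dport None means any port."""
    return {"action": action, "src": src, "dst": dst, "dport": dport}


# Rico's final rule set, in top-down order as on the interface tab.
# Note: the real port-53 rule must cover UDP as well as TCP; protocol is ignored here.
RULES = [
    rule("reject", LAN_NET, RFC1918),      # block every other private network first
    rule("pass", LAN_NET, ANY, 80),
    rule("pass", LAN_NET, ANY, 443),
    rule("pass", LAN_NET, ANY, 53),
]

# The rule from the original post that did not give internet access.
RULES_WAN_ONLY = [rule("pass", LAN_NET, [WAN_NET])]


def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule wins; no match means the implicit default deny applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r["src"]:
            continue
        if not any(dst in net for net in r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "block"  # implicit default deny


if __name__ == "__main__":
    # 198.51.100.7 stands in for an internet host, 192.168.1.10 for another LAN.
    print(evaluate(RULES, "192.168.10.5", "198.51.100.7", 443))       # pass
    print(evaluate(RULES, "192.168.10.5", "192.168.1.10", 443))       # reject
    print(evaluate(RULES, "192.168.10.5", "198.51.100.7", 22))        # block
    print(evaluate(RULES_WAN_ONLY, "192.168.10.5", "203.0.113.1", 443))  # pass
    print(evaluate(RULES_WAN_ONLY, "192.168.10.5", "198.51.100.7", 443)) # block
```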



  • Thanks for all the replies, they have been a great help!