Floating rules are processed before interface group rules and interface rules??
  • Hi

    The documentation for floating rules states:
    Floating rules are processed before interface group rules and interface rules...
    But it also states:
    Using the Tag and Tagged fields, a connection can be marked by an interface tab rule and then matched in the outbound direction on a floating rule...
    I understand from the second statement that interface rules are processed first, otherwise they would have no tag.
    Can someone please clarify that for me?

    I would like to block private IP traffic to outside and I would still like to have access to the cable modem (on 192.168.100.1). I thought of marking the packets on the LAN interface destined to the cable modem. Then I thought of creating two floating rules on the WAN interface (outgoing direction): first one matches the mark and lets the packets through to the cable modem and the second one, after that, blocks all private IP addresses.
    Will this work?

    Thanks for your help,
    -demux
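The following is an added illustration, not part of the thread and not a ruleset pfSense itself generates: it renders the setup the post describes in pf.conf syntax so the ordering question can be seen concretely. The two documentation statements are consistent because a packet from the LAN is filtered twice: once when it enters on LAN (where the interface-tab rule applies the tag) and again when it leaves on WAN (where the floating "out" rules are evaluated ahead of any WAN interface rules). Interface names, the LAN subnet and the ports are assumptions; 192.168.100.1 is the modem address from the post.

```pf
# Constructed pf.conf-style rendering of the rule set described in the post.
# Interface names, LAN subnet and ports are assumptions (constructed values);
# 192.168.100.1 is the modem address given in the post.

lan   = "em1"
wan   = "em0"
modem = "192.168.100.1"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. LAN interface-tab rule (pfSense interface rules are "quick").
#    Evaluated when the packet enters on LAN: it passes the packet and
#    attaches the tag MODEM to it.
pass in quick on $lan inet proto tcp from $lan:network to $modem port { 80, 443 } tag MODEM keep state

# 2. Floating rules, direction "out" on WAN, in the order the post proposes.
#    Evaluated later on the same packet, when it leaves on WAN; within that
#    pass they sit ahead of any WAN interface rules. Both are "quick", so the
#    first match wins: tagged modem traffic passes, all other RFC 1918
#    destinations are blocked.
pass out quick on $wan inet from any to $modem tagged MODEM keep state
block out quick on $wan inet from any to <rfc1918>
```

Keeping both floating rules "quick" matters: without it, pf keeps evaluating and the last matching rule (the block) would win. After applying the equivalent rules in the pfSense GUI, check the firewall log for the modem address to confirm the tagged connection is passed by the first floating rule rather than logged by the block.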



  • @demux said in Floating rules are processed before interface group rules and interface rules??:

    I would like to block private IP traffic to outside

    If you can connect to your WAN-connected cable modem using its RFC 1918 IP address then that traffic will end at the modem. It cannot be routed elsewhere.
