Why isn't this inverse rule blocking traffic to my secure networks?
-
I have several VLANs on different subnets in my network and I'm trying to control traffic between them. For example, my GUEST net should be able to get to my IOT networks but it should not be able to get to my SECURE networks, which is LAN and PRIVNET. I thought an inverse allow out except to the SECURE networks alias would work, but it is actually passing traffic.
Why? I've read a lot but clearly there is something about this concept that still doesn't align with the other firewalls I've configured in the past.
-
@burntoc Is the alias correct?
The block seems to match some traffic and is logged.
What hits the block rule?
-
The alias contains the two /24 networks that correspond to LAN and PRIVNET. I usually manually reset states when testing but I may have forgotten to do it so that count probably reflected stored sessions, but clearing states hasn't mattered.
-
@burntoc said in Why isn't this inverse rule blocking traffic to my secure networks?:
The alias contains the two /24 networks that correspond to LAN and PRIVNET. I usually manually reset states when testing but I may have forgotten to do it so that count probably reflected stored sessions, but clearing states hasn't mattered.
!$#%!$#@@
So, I triple-checked it and I'd accidentally left the LAN subnet at /32. Dang it. I trust it will work now. If not, I'll add on here within the hour as I'm so excited about almost having this just where I want it (much cleaner than my previous pfSense config). Thanks for replying, @netblues
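The mistake found in this thread (an alias entry left at /32 instead of /24) is easy to reproduce outside the firewall. The following is an added example, not code from the thread or from OPNsense/pfSense: a small model of a pf-style first-match rule set with a "not" (inverse) destination match. The subnets, the alias name and the default-deny fallback are assumptions chosen to mirror the setup described above, and `host_entries` is a hypothetical sanity check that flags single-host entries in an alias that is supposed to hold networks.

```python
"""Added example: why 'pass out, destination NOT <secure alias>' lets traffic
through when one alias entry is a /32 host instead of a /24 network.
The addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List

Net = ipaddress.IPv4Network


@dataclass
class Rule:
    action: str              # "pass" or "block"
    dst_alias: List[Net]     # networks the rule's destination alias expands to
    invert_dst: bool = False # the "not" / inverse checkbox on the destination


def alias_matches(alias: List[Net], ip: ipaddress.IPv4Address) -> bool:
    """True if the destination IP falls inside any network of the alias."""
    return any(ip in net for net in alias)


def evaluate(rules: List[Rule], dst_ip: str, default: str = "block") -> str:
    """First-match evaluation. If no rule matches, the assumed default-deny
    policy applies (pf/OPNsense block everything that no rule passes)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        hit = alias_matches(rule.dst_alias, ip)
        if rule.invert_dst:
            hit = not hit          # inverse match: rule fires when NOT in alias
        if hit:
            return rule.action
    return default


def build_rules(lan_prefixlen: int) -> List[Rule]:
    """Guest-interface rule set: one 'pass' rule whose destination is
    NOT the SECURE alias. lan_prefixlen models the LAN entry being typed
    as /24 (correct) or /32 (the mistake in the thread)."""
    secure_alias = [
        Net(f"192.168.1.0/{lan_prefixlen}"),  # LAN     (constructed)
        Net("192.168.2.0/24"),                # PRIVNET (constructed)
    ]
    return [Rule("pass", secure_alias, invert_dst=True)]


def host_entries(alias: List[Net]) -> List[str]:
    """Hypothetical sanity check: list alias entries that are single hosts.
    In an alias meant to hold whole subnets, a /32 is almost always a typo."""
    return [str(net) for net in alias if net.prefixlen == 32]


if __name__ == "__main__":
    for prefixlen in (24, 32):
        rules = build_rules(prefixlen)
        print(f"LAN entry as /{prefixlen}:")
        print("  guest -> LAN host 192.168.1.50 :", evaluate(rules, "192.168.1.50"))
        print("  guest -> PRIVNET 192.168.2.7   :", evaluate(rules, "192.168.2.7"))
        print("  guest -> IOT 10.0.0.5          :", evaluate(rules, "10.0.0.5"))
        print("  suspicious host entries        :", host_entries(rules[0].dst_alias))
```

With the LAN entry at /24, a guest packet to 192.168.1.50 is inside the alias, the inverse match does not fire, and the default deny blocks it. With the entry at /32, only 192.168.1.0 itself is in the alias; every other LAN host is "not in the alias", so the inverse pass rule matches and the traffic goes through, which is exactly the behaviour reported above. Checking an alias for stray /32 entries before trusting an inverse rule is a cheap way to catch this.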