Firewall Issues, OPT and LAN

  • I know this has been asked a few times already but I seem to have a lingering issue here. The problem is that my OPT1 Interface traffic is still able to browse to my LAN traffic despite my rules in firewall. My configuration is:

    WAN _ DHCP (Class A obviously)
    LAN _ (No bridge, Static)
    OPT1 _ 192168.2.0/24 (No Bridge, Static)

    Captive Portal on OPT1 is in use.

    Also have 2 DHCP Server's going, one one each device for each different subnet.

    Firewall Rules
    Default Allow / Proto:* / Source:LAN net / Port:* / Destination:* / Gateway:*

    Custom Rule Allow / Proto:* / Source: OPT1 net / port:* / Destination: ! LAN / Port:* / Gateway:*

    However when I log in through Captive Portal on the OPT1 interface, I can type in and browse my LAN computers and devices. This is a problem because OPT1 is going to be a public network. There has to be something here that I am missing. I have also not configured NAT for each interface it's in "AUTO" mode, since it works directly with Captive Portal enabled. I have also rebooted the box a few times, to no avail.

  • The destination is "! LAN subnet" and not "! LAN address" right?
    Also make sure you don't have an allow rule after that. It's not a block rule so processing will continue further down the list.

  • Yea it is ! LAN network, and that is the only rule in the firewall list for OPT1.

  • When you type in, is that in a web browser?

  • That's correct, I connect through a computer logged into the OPT1 network using Captive Portal, so that machine is on subnet, the firewall only has the one rule ! Lan Subnet, and then the lan computer is on the local area network subnet, but I can still access its web hosting and shares and things with the captive portal machine located on the OPT1 subnet, basically, that rule does not seem to be effective, in fact, I can remove it entirely, apply the settings and restart, and I still have full access to network connections including LAN subnet. It seems to be allowing access through Captive Portal with out applying the filter rules specified.  ??? If I disable captive portal, then I think that I can get it to apply the rules listed, but I have not set up NAT or anything, so I basically get no connection otherwise, I have not tried it yet, the point being that I need Captive Portal running on that interface. I would be happy to send any logs or things that I can find for you to trouble shoot this further. Thanks for your help and time!

  • Verify that disabling the captive portal prevents access to your LAN computers to verify it's allowing the traffic.
    If it's still a problem, you could upload your config. Remove passwords.

  • Hey I did verify successfully that the access rules to LAN were created with the Captive Portal, so I will go digging around in there to see if there are any settings that I could find that would allow this to happen. I will post my configs when I have a chance if I cannot find a solution. Thanks.

Log in to reply