VLAN simultaneous ping bypass firewall rule ??

fellymar

Hi,
I'm having problems with firewall rules between vlans.

I have below setup on my test lab:
LAN 192.168.13.0/24
VLAN213 192.168.213.0/24
VLAN223 192.168.223.0/24

From VLAN213 I blocked access to LAN and to VLAN223:

protocol source port destination port gateway
block IPv4 TCP * * This Firewall (self) 443 *
block IPv4 * * 192.168.13.0/24 * *
block IPv4 * * 192.168.223.0/24 * *
allow IPv4 * * * * *

If I ping from VLAN213 to an address on LAN or VLAN223 it is timing out, for example:

ping from 192.168.213.101 to 192.168.223.150 is not working BUT
if in the same time I run ping from the pc with IP
192.168.223.150 to 192.168.213.101 I start receiving ping results also from the client in the VLAN213 that was giving time out error.

Is it normal?

Thank you.

johnpoz

@fellymar Normal? but yeah that can happen because you created an allow state when you started the reverse ping. "Kind of" how stun access works..

You create a connection in one direction to allow traffic from the other direction.