Netgate Discussion Forum

    Troubleshooting isolation rules

    General pfSense Questions
    6 Posts 2 Posters 261 Views

      Soogs
      last edited by Soogs

      RESOLVED!

      Hello,
      I am trying to duplicate a working ruleset from one VLAN to another new VLAN.

      Scenario: I have a minecraft server that I want to isolate from the rest of my homelab/lan.

      I have a working ruleset which I use for my Work VLAN (pictured) and for my IoT VLAN:

      [screenshot: Work VLAN ruleset]

      This allows nodes to talk to the internet and within the vlan but not to anything else on the network.

      When I try to replicate this into the new VLAN, it simply does not work:

      [screenshot: new VLAN ruleset, with the green highlighted rules]

      I have had to add an "allow any to any" rule to get this working temporarily.

      The NAT rule for the subnet/VLAN is configured (and working with the any-any rule).

      Floating (quick) DNS rule is present

      When only the green highlighted rules are enabled:

      • I am able to ping local dns servers
      • ping 1.1.1.1
      • ping the default gateway
      • unable to ping bbc.co.uk
      • unable to reach the internet (tried apt update)

      What can I do to further troubleshoot this? I feel like I am overlooking something but can't think what it is.

      Any help/advice is appreciated.

      Thank you.

      RESOLVED!: I was using a static IP with no DNS specified.
      Inserting the DNS record into the virtual machine has resolved the issue.

        viragomann @Soogs
        last edited by

        @Soogs
        So your device is probably unable to resolve host names.
        Just try with dig or nslookup to be sure.

        This will also show which DNS server the client is trying to request.

          Soogs @viragomann
          last edited by Soogs

          @viragomann please see below.
          First, dig with the local DNS (also the same result with 1.1.1.1),
          and second with no DNS specified.

          nslookup has the same outcome: OK with DNS specified and fails when left at the default.

          The allow DNS alias points to 192.168.1.4.

          dig @192.168.1.4 bbc.co.uk A
          ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.1.4 bbc.co.uk A
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22514
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;bbc.co.uk.                     IN      A
          
          ;; ANSWER SECTION:
          bbc.co.uk.              300     IN      A       151.101.0.81
          bbc.co.uk.              300     IN      A       151.101.64.81
          bbc.co.uk.              300     IN      A       151.101.128.81
          bbc.co.uk.              300     IN      A       151.101.192.81
          
          ;; Query time: 41 msec
          ;; SERVER: 192.168.1.4#53(192.168.1.4) (UDP)
          ;; WHEN: Tue Oct 29 16:21:45 UTC 2024
          ;; MSG SIZE  rcvd: 102
          
          dig bbc.co.uk A
          ;; communications error to 192.168.1.1#53: timed out
          ;; communications error to 192.168.1.1#53: timed out
          ;; communications error to 192.168.1.1#53: timed out
          
          ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> bbc.co.uk A
          ;; global options: +cmd
          ;; no servers could be reached
          
            viragomann @Soogs
            last edited by

            @Soogs
            Looks like the requested DNS server 192.168.1.1 is not included in the destination aliases of rules no. 1 and 2, since they show no packets.

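The two checks viragomann describes above (run dig to see which server the client is actually asking, then compare that server with the destination alias of the DNS pass rules) scripted as an added example; this is not code from the thread or from pfSense. It assumes a Linux client that reads its resolvers from /etc/resolv.conf and that the "allow DNS" alias contains only 192.168.1.4, as the poster states. The resolv.conf samples and the shortened copies of the two dig results are constructed sample input so the script runs offline; only live_check runs dig for real, and it is meant to be run on the affected VM.

```shell
#!/bin/sh
# Added example, not code from the thread: separate "no DNS configured on the
# client" from "DNS blocked by the firewall" for a host on an isolated VLAN.
#
# Assumptions (only the alias address is stated on the page):
#   - ALLOWED_DNS is the content of the pfSense "allow DNS" alias (192.168.1.4)
#   - the client is a Linux VM whose resolvers live in /etc/resolv.conf
#   - 192.168.1.1 is the address the broken VM fell back to (seen in its dig output)

ALLOWED_DNS='192.168.1.4'

# Constructed sample resolv.conf contents: the broken static-IP VM and the fixed one.
BROKEN_RESOLV_CONF='nameserver 192.168.1.1
search lan'
FIXED_RESOLV_CONF='nameserver 192.168.1.4
search lan'

# Constructed, shortened copies of the two dig results from the thread.
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22514
;; ANSWER SECTION:
bbc.co.uk.              300     IN      A       151.101.0.81
;; SERVER: 192.168.1.4#53(192.168.1.4) (UDP)'
DIG_FAIL=';; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
;; no servers could be reached'

# Print the nameserver addresses from resolv.conf-style text, one per line.
resolvers_from_resolv_conf() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Succeed if address $1 appears in the space-separated allow list $2.
is_allowed_dns() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# For each configured resolver print "<ip> ok" (in the alias, the pass rule
# matches) or "<ip> blocked" (not in the alias, the query is dropped and the
# rule counter never moves); print "none" when no resolver is configured at
# all, the case that looks exactly like a firewall problem from the client.
classify_resolvers() {
    found=0
    for ns in $(resolvers_from_resolv_conf "$1"); do
        found=1
        if is_allowed_dns "$ns" "$2"; then
            printf '%s ok\n' "$ns"
        else
            printf '%s blocked\n' "$ns"
        fi
    done
    [ "$found" -eq 1 ] || echo none
}

# Which server did dig actually send the query to?  Handles both the
# ";; SERVER:" line of a successful query and the "communications error"
# line of a failed one.
dig_target_server() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^;; SERVER: \([^#]*\)#53.*/\1/p' \
        -e 's/^;; communications error to \([^#]*\)#53.*/\1/p' | head -n 1
}

# Reduce dig output to one word: answered, unreachable, the RCODE (e.g.
# NXDOMAIN) for any other status, or unknown.
dig_verdict() {
    case $1 in
        *"status: NOERROR"*)             echo answered ;;
        *"no servers could be reached"*) echo unreachable ;;
        *"status: "*) printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1 ;;
        *) echo unknown ;;
    esac
}

# Live variant for the client itself: the default resolver against an explicit
# one.  +time/+tries keep a blocked server from stalling the script.
live_check() {
    name=${1:-bbc.co.uk}; explicit=${2:-$ALLOWED_DNS}
    default_out=$(dig +time=2 +tries=1 "$name" A 2>&1) || true
    explicit_out=$(dig +time=2 +tries=1 @"$explicit" "$name" A 2>&1) || true
    printf 'default resolver %s: %s\n' "$(dig_target_server "$default_out")" "$(dig_verdict "$default_out")"
    printf 'explicit %s: %s\n' "$explicit" "$(dig_verdict "$explicit_out")"
}

# Offline demonstration on the constructed samples.
echo "broken VM:"; classify_resolvers "$BROKEN_RESOLV_CONF" "$ALLOWED_DNS"
echo "fixed VM:";  classify_resolvers "$FIXED_RESOLV_CONF"  "$ALLOWED_DNS"
echo "failed dig went to $(dig_target_server "$DIG_FAIL") -> $(dig_verdict "$DIG_FAIL")"
echo "good dig went to $(dig_target_server "$DIG_OK") -> $(dig_verdict "$DIG_OK")"
```

Run the file with sh on the VM to see the verdicts for the samples, or source it and call `live_check bbc.co.uk 192.168.1.4` to run the same comparison against the real resolver. The pfSense side of the same check is the packet/state counter on the DNS pass rule: a rule whose destination alias does not contain the server the client actually picked never increments, which is the "no packets" observation in the reply above.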
              Soogs @viragomann
              last edited by

              @viragomann thank you for the above checks.
              I didn't have DNS specified.

              I had this virtual machine as a static map rather than a DHCP reservation, so it had no DNS... though I think it was static in its previous VLAN, which doesn't really make sense, but hey, it is now working, so I am no longer climbing the walls lol

              I will look at getting DHCP reservations completed to avoid this going forward.

              Thanks again.

                Soogs @viragomann
                last edited by

                @viragomann they are being processed by the floating rule.
                Maybe I should get rid of the floating rule; at least that might help with future troubleshooting.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.