Firewall with multiple subnets on same interface

josey

Hi guys

i have configuration

OPT2 interface with 10.20.0.254/24
(also i have OPT1, 3, 4, but it is unimportant for this problem)

router 1 connected to OPT2 with
lan 10.20.240.1/24
wan 10.20.0.240/24 - gw 10.20.0.254

router 2 connected to OPT2 with
lan 10.20.170.1/24
wan 10.20.0.170/24 gw 10.20.0.254

and, firewall rule is only one, and it is set to pass all traffic * * * * *

also i have computers connected directly to OPT2 interface,

all static routes are added in all routers

all machines can ping each other, can access internet etc etc…

problem is that nothing else except ping does not pass to this subnets on OPT2.
That means, machine connected to opt interface OPT2, with 10.20.0.xy/24 cant access machine behind router1 or router2

but it can ping :)

If i turn on rule "Bypass firewall rules for traffic on the same interface" under  System -> Advanced functions
then everything works.

Question is, is this suppose to be like that or is this bug? (i mean because in firewall it is set to pass all traffic)
because then if i want to block only subnets from router1 and router2 that machines cant communicate each other, what should i do to block them?

Thanks

danswartz

Which interface is that rule on?  OPT2?  Keep in mind that checkbox only applies to hairpin routing scenario.  e.g. traffic enters on OPT2 and leaves right away on OPT2.

josey

im talking about OPT2 dont i?

so firewall rule is set to allow all traffic!

so traffic is coming in to OPT2 and leaving to OPT2 again.
and without checked checkbox "Bypass firewall rules for traffic on the same interface" nothing works except ping.

again is that suppose and programmed to be like that or is it bug?

dpcma

Easy there

Go to System \ Advanced

Check Bypass Firewall rules for traffic on the same interface

Regards

Edited: Sorry i did not  read your post untiln the end…

josey

@dpcma:

Easy there

Go to System \ Advanced

Check Bypass Firewall rules for traffic on the same interface

Regards

Edited: Sorry i did not  read your post untiln the end…

oh god!
i did done that, if you read first post you will see…
what im asking is,
is that bug or not?
interface is suppose to pass all traffic if firewall rules are set to pass all traffic, but some reason firewall dont pass remote port, file print and sharing etc etc...

thanks

cmb

it's not a bug

josey

ok, thank you that is all i want to know,
it is suppose to work like that.
thank you