Firewall with multiple subnets on same interface



  • Hi guys

    I have this configuration:

    OPT2 interface with 10.20.0.254/24
    (also i have OPT1, 3, 4, but it is unimportant for this problem)

    router 1 connected to OPT2 with
    lan 10.20.240.1/24
    wan 10.20.0.240/24 - gw 10.20.0.254

    router 2 connected to OPT2 with
    lan 10.20.170.1/24
    wan 10.20.0.170/24 gw 10.20.0.254

    and there is only one firewall rule, and it is set to pass all traffic * * * * *

    Also I have computers connected directly to the OPT2 interface,

    all static routes are added in all routers

    all machines can ping each other, can access internet etc etc…

    The problem is that nothing except ping passes to these subnets on OPT2.
    That means a machine connected to interface OPT2, with 10.20.0.xy/24, can't access a machine behind router1 or router2,

    but it can ping :)

    If I turn on the rule "Bypass firewall rules for traffic on the same interface" under System -> Advanced functions,
    then everything works.

    The question is, is this supposed to be like that or is this a bug? (I mean because in the firewall it is set to pass all traffic)
    Because then, if I want to block only the subnets from router1 and router2 so that those machines can't communicate with each other, what should I do to block them?

    Thanks



  • Which interface is that rule on?  OPT2?  Keep in mind that checkbox only applies to hairpin routing scenario.  e.g. traffic enters on OPT2 and leaves right away on OPT2.
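
As an added illustration of the hairpin scenario described in this reply (not code from the thread or from pfSense): a toy stateful filter over the post's addresses, showing why an ICMP echo request gets through while a TCP handshake fails when router2's reply leg never crosses the firewall, and why the same-interface bypass changes that. The hosts 10.20.0.50 and 10.20.170.5 are constructed.

```python
# Constructed model, not pfSense code: a stateful filter that sees only one direction
# of a hairpinned TCP flow, using the addresses from the post.
from dataclasses import dataclass, field

HOST = "10.20.0.50"       # constructed: a computer plugged directly into OPT2 (gw 10.20.0.254)
LAN_HOST = "10.20.170.5"  # constructed: a machine behind router2 (WAN 10.20.0.170)

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str        # "icmp" or "tcp"
    flags: str = ""   # TCP flags: "S", "SA" or "A"
    seq: int = 0
    ack: int = 0

def traverses_firewall(p: Pkt) -> bool:
    """Off-subnet traffic from the host goes via 10.20.0.254, which hairpins it out OPT2 to
    router2; router2 answers the host directly on the shared segment, bypassing the firewall."""
    return p.src.startswith("10.20.0.") and p.dst.startswith("10.20.170.")

@dataclass
class Firewall:
    bypass_same_interface: bool = False   # the System > Advanced checkbox
    states: dict = field(default_factory=dict)

    def filter(self, p: Pkt, in_if: str, out_if: str) -> bool:
        """True if the packet passes. The only rule is 'pass any'; the state table is checked first."""
        if self.bypass_same_interface and in_if == out_if:
            return True                               # rules and state skipped entirely
        fwd, rev = (p.proto, p.src, p.dst), (p.proto, p.dst, p.src)
        if p.proto == "icmp":
            return True                               # an echo request needs no prior state
        if p.flags == "S":
            self.states[fwd] = {"peer_seq": None}     # new state, only the client side known
            return True
        if p.flags == "SA" and rev in self.states:
            self.states[rev]["peer_seq"] = p.seq      # learn the server's sequence number
            return True
        st = self.states.get(fwd)                     # bare ACK must match a tracked SYN-ACK
        return bool(st) and st["peer_seq"] is not None and p.ack == st["peer_seq"] + 1

def ping_works(fw: Firewall) -> bool:
    return fw.filter(Pkt(HOST, LAN_HOST, "icmp"), "OPT2", "OPT2")  # reply goes around the firewall

def tcp_handshake_completes(fw: Firewall) -> bool:
    pkts = [Pkt(HOST, LAN_HOST, "tcp", "S", seq=100),                # only the client's legs
            Pkt(LAN_HOST, HOST, "tcp", "SA", seq=500, ack=101),     # pass through the firewall
            Pkt(HOST, LAN_HOST, "tcp", "A", seq=101, ack=501)]
    return all(fw.filter(p, "OPT2", "OPT2") for p in pkts if traverses_firewall(p))
```

With the bypass off, the firewall tracks the SYN, never sees the SYN-ACK, and then drops the client's ACK as out of state even though the rule says pass; with the bypass on, same-interface traffic is not state-checked at all.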



    I'm talking about OPT2, aren't I?

    So the firewall rule is set to allow all traffic!

    So traffic is coming in to OPT2 and leaving via OPT2 again.
    And without the checkbox "Bypass firewall rules for traffic on the same interface" checked, nothing works except ping.

    Again, is that supposed and programmed to be like that, or is it a bug?



  • Easy there

    Go to System \ Advanced

    Check Bypass Firewall rules for traffic on the same interface

    Regards

    Edited: Sorry, I did not read your post until the end…



  • @dpcma:

    Easy there

    Go to System \ Advanced

    Check Bypass Firewall rules for traffic on the same interface

    Regards

    Edited: Sorry, I did not read your post until the end…

    Oh god!
    I did do that; if you read the first post you will see…
    What I'm asking is,
    is that a bug or not?
    The interface is supposed to pass all traffic if the firewall rules are set to pass all traffic, but for some reason the firewall doesn't pass remote port, file and print sharing etc etc...

    thanks



  • it's not a bug



    OK, thank you, that is all I wanted to know:
    it is supposed to work like that.
    Thank you

