Pass OPT1 Just to WAN?
I'm setting up a captive portal and I have an OPT1 interface that I want to only be able to access the WAN with. I can't figure out a way to make just a pass rule to the WAN. I see I can do a !NOT rule to my lan subnets, and/or create aliases for my networks and block them.
Is there a way to do this? It seems that adding not rules is round about and would require more management than just a simple pass rule.
Thanks for any help!
Well OPT interfaces normally don't have any rules. So by default everything is blocked. If you want it to only access your wan network, then a simple pass from source network on your opt1 interface to whatever network is on your wan should work.
So for example
source opt1 net
dest wan net
this seems to be what your asking with this question
"I have an OPT1 interface that I want to only be able to access the WAN with"
Keep in mind that rule will NOT allow access to stuff past your wan network. It will allow access to the wan network only. So if your wan network is 220.127.116.11/24 say your 18.104.22.168/24 with gateway of 22.214.171.124 then that is the network you would allow access to 126.96.36.199/24. Your not going to be able to access say google with such a rule. Unless there was a proxy you were accessing on 188.8.131.52/24
where you need to setup not rules is if you want to allow access to the INTERNET, ie you have no idea what the network which would be ANY, and not allow access to say your lan net from your dmz segment, etc.
This is where you would create a alias of all your local network you don't want to allow to be accessed, but want every other public internet access to be available.
Then its one simple rule
source opt1 net
dest NOT MYNetworks
Ah, I see what you mean, I was thinking of things slightly backwards. That makes more sense to me why it would be like that.
I will just add not rules, I had it working like that before it just seemed odd to me.
Thank you for the explanation.