Netgate Discussion Forum

Isolate two interfaces firewall rules not working

Firewalling

mskenderian
last edited by Apr 8, 2014, 9:00 PM

I have three interfaces: WAN, LAN, WLAN.

I want to isolate LAN and WLAN, so they cannot send traffic or anything in between each subnet.
LAN is 10.20.30.0/24
WLAN is 10.20.31.0/24

My firewall rules are:
On the LAN
Action: Block
Protocol: IPv4
Source: 10.20.31.0/24
Port: *
Destination: *
Port: *
Gateway: *

My firewall rules are:
On the WLAN
Action: Block
Protocol: IPv4
Source: 10.20.30.0/24
Port: *
Destination: *
Port: *
Gateway: *

Does this look correct?
I am still able to ping from LAN to WLAN...

GruensFroeschli
last edited by Apr 8, 2014, 9:44 PM

Your rules are the wrong way around.
Also, don't design your rules around explicit blocks, but around explicit allows.
There is an invisible "block all" rule after all your own rules.

On the LAN create a single rule:
Allow
Source: LAN-subnet
Destination: !WLAN-subnet

Respectively:
Allow
Source: WLAN-subnet
Destination: !LAN-subnet

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

mskenderian
last edited by Apr 8, 2014, 10:49 PM Apr 8, 2014, 10:12 PM

Does just that still allow me to ping to a device on the WLAN?

GruensFroeschli
last edited by Apr 9, 2014, 7:42 AM

From where?

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

viragomann
last edited by Apr 9, 2014, 6:03 PM

By default there is no access between network interfaces anyway.

Protocol: IPv4

IPv4 is not a protocol, but the IP version!
If you select "any" for protocol it should work and disallow ping likewise.

mskenderian
last edited by Apr 10, 2014, 10:09 PM

LAN is 10.20.30.0/24
WLAN is 10.20.33.0/24

From LAN to WLAN, I am able to ping a device from

10.20.30.100

to

10.20.33.2

mskenderian
last edited by Apr 10, 2014, 10:18 PM

@viragomann:

By default there is no access between network interfaces anyway.

Protocol: IPv4

IPv4 is not a protocol, but the IP version!
If you select "any" for protocol it should work and disallow ping likewise.

Under firewall rules it says:

TCP/IP Version {dropdown menu} Select the Internet Protocol version this rule applies to

I just copied and pasted it.

GruensFroeschli
last edited by Apr 11, 2014, 7:13 AM

Did you change your rules to be the way I described them?
Can you show a screenshot of your current rules?

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

mskenderian
last edited by Apr 11, 2014, 7:23 AM

Yes I did, I will send a screenshot in the morning.
But even with no rules, shouldn't it block it, since there is an invisible deny-all rule?

GruensFroeschli
last edited by Apr 11, 2014, 7:56 AM

Yes, if you have no rules at all, then everything should be blocked.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

mskenderian
last edited by Apr 11, 2014, 8:45 PM Apr 11, 2014, 7:12 PM

Here are the screenshots with no rules; it should block the traffic from one interface (subnet) to another (subnet).

https://www.dropbox.com/s/g44e9q50b8hc8uy/firewall%20-%20%20floating.png
https://www.dropbox.com/s/urcibwd0k4nytj6/firewall%20-%20lan.png
https://www.dropbox.com/s/ovjs1fr0pdcyj51/firewall%20-%20wlan.png
https://www.dropbox.com/s/lneaufs6bnm7qs9/ping.jpg

I will post the other screenshots with the rules, but regardless it should not allow you to ping unless some of my other settings are wrong.

edit: removed img tags

johnpoz LAYER 8 Global Moderator
last edited by Apr 11, 2014, 8:38 PM

I don't see any screenshots.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

GruensFroeschli
last edited by Apr 11, 2014, 8:47 PM

On the LAN and the WLAN tab you obviously have the "default allow LAN/WLAN to any" rule.
This is not "no rule".

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

mskenderian
last edited by Apr 11, 2014, 11:10 PM

Wow, how did I not see that. OK, will change it to LAN to WAN - "Default allow LAN to WAN" rule.

Derelict LAYER 8 Netgate
last edited by Apr 12, 2014, 12:04 AM

Don't forget to clear states if you're going to immediately test after making changes like this.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

mskenderian
last edited by Apr 12, 2014, 12:04 AM

Yes I did, perfect. Thank you both for your help.

phil.davis
last edited by Apr 12, 2014, 11:42 AM

@mskenderian:

Wow, how did I not see that. OK, will change it to LAN to WAN - "Default allow LAN to WAN" rule.

A rule like "Pass protocol any source LANnet destination WANnet" will not be much use, because you actually want to allow traffic from LANnet to "the big bad public internet", not just traffic to your WANnet.
So you will likely want rules like:

"Pass protocol any source LANnet destination not WLANnet"
"Pass protocol any source WLANnet destination not LANnet"

or some other combination of pass and block rules to achieve a similar effect.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

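The three rule sets argued over in this thread, replayed against a toy first-match evaluator. This is an added example, not code from the thread or from pfSense: it models only what the posters describe (rules on the ingress interface evaluated top-down, first match wins, an invisible block-all after the last rule, and a "!WLAN net" negated destination), omits protocol and ports, uses the subnets from the original post, and the public address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the original post; ANY is a wildcard source/destination.
LAN_NET = ipaddress.ip_network("10.20.30.0/24")
WLAN_NET = ipaddress.ip_network("10.20.31.0/24")
ANY = None


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: object               # IPv4Network or ANY
    dst: object               # IPv4Network or ANY
    dst_negate: bool = False  # True models a "!WLAN net" destination


def _matches(net, addr, negate=False):
    hit = net is None or addr in net
    return (not hit) if negate else hit


def evaluate(rules, src_ip, dst_ip):
    """Verdict for a packet entering the interface that owns `rules`: pfSense walks
    the tab top-down, first match wins, and an invisible block-all rule sits last."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst, rule.dst_negate):
            return rule.action
    return "block"  # implicit default deny


# 1. The poster's LAN tab: a block rule "the wrong way around" (source WLAN net on the
#    LAN interface never matches LAN-originated packets) above the stock
#    "Default allow LAN to any" rule that was still present.
OP_LAN_RULES = [Rule("block", WLAN_NET, ANY), Rule("pass", ANY, ANY)]
# 2. Same block rule with source/destination corrected, still above the default allow.
FIXED_BLOCK_LAN_RULES = [Rule("block", LAN_NET, WLAN_NET), Rule("pass", ANY, ANY)]
# 3. The recommended single rule: pass from LAN net to anything except WLAN net.
RECOMMENDED_LAN_RULES = [Rule("pass", LAN_NET, WLAN_NET, dst_negate=True)]


def demo():
    """Replay the ping 10.20.30.100 -> 10.20.31.2 and a packet for a constructed public address."""
    cases = [("op", OP_LAN_RULES), ("fixed_block", FIXED_BLOCK_LAN_RULES),
             ("recommended", RECOMMENDED_LAN_RULES), ("no_rules", [])]
    return {name: (evaluate(rs, "10.20.30.100", "10.20.31.2"),
                   evaluate(rs, "10.20.30.100", "203.0.113.10")) for name, rs in cases}
```

The "op" case passes both packets, which is the ping the poster saw; "no_rules" blocks both, which is the behaviour GruensFroeschli describes once the default allow rule is gone; only the corrected block or the negated-destination allow blocks the WLAN ping while still letting Internet-bound traffic out. Existing state-table entries are not modelled, which is why Derelict's advice to clear states still applies on a real box.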