Isolate two interfaces firewall rules not working

mskenderian

I have three interfaces, WAN, LAN, WLAN

Iwant to isolate LAN and WLAN, so they can not send traffic or anything in between each of the subnet.
LAN is 10.20.30.0/24
WLAN is 10.20.31.0/24

my firewalls rules are:
On the LAN
Action: Block
Protocol: IPv4
Source: 10.20.31.0/24
Port: *
Destination: *
Port: *
Gateway:  *

my firewalls rules are:
On the WLAN
Action: Block
Protocol: IPv4
Source: 10.20.30.0/24
Port: *
Destination: *
Port: *
Gateway:  *

Does this look correct?
Iam still able to ping from LAN to WLAN….

GruensFroeschli

Your rules are the wrong way around.
Also don't design your rules around explicit blocks, but around explicit allows.
There is an invisible "block all" rule after all your own rules.

On the LAN create a single rule:
Allow
Source: LAN-subnet
Destination: !WLAN-subnet

Respective
Allow
Source: WLAN-subnet
Destination: !LLAN-subnet

mskenderian

does just that still allows me to ping. to an device on the wlan?

GruensFroeschli

from where?

viragomann

Per default there is no access between network interfaces anyway.

Protocol: IPv4

IPv4 is not a protocol, but the IP version!
If you select any for protocol it should work and disallow ping likewise.

mskenderian

LAN is 10.20.30.0/24
WLAN is 10.20.33.0/24

from lan to wlan, i am able to ping a device from

10.20.30.100

to

10.20.33.2

mskenderian

@viragomann:

Per default there is no access between network interfaces anyway.

Protocol: IPv4

IPv4 is not a protocol, but the IP version!
If you select any for protocol it should work and disallow ping likewise.

under firewal rules it says

TCP/IP Version {dropdown menu} Select the Internet Protocol version this rule applies to

i just copied and pasted it.

GruensFroeschli

Did you change your rules to be the way i described them?
Can you show a screenshot of your current rules?

mskenderian

yes i did, i will send a screenshot in the morning.
but even with no rules shouldnt it block it. since there is an invisible deny all rule.

GruensFroeschli

Yes if you have no rules at all then everything should be blocked.

mskenderian

here are the screenshots with no rules, it should block the traffic from one interface (subnet) to another (subnet)

https://www.dropbox.com/s/g44e9q50b8hc8uy/firewall%20-%20%20floating.png
https://www.dropbox.com/s/urcibwd0k4nytj6/firewall%20-%20lan.png
https://www.dropbox.com/s/ovjs1fr0pdcyj51/firewall%20-%20wlan.png
https://www.dropbox.com/s/lneaufs6bnm7qs9/ping.jpg

i will post the other screen shots with the rules, but regardless it should not allow u to ping unless some of my other settings are wrong.

edit: removed img tags

johnpoz

I don't see any screenshots

GruensFroeschli

On the LAN and the WLAN tab you obviously have the "default allow LAN/WLAN to any rule".
This is not "no rule".

mskenderian

wow how did i not see that, ok will change it to lan to wan  - Default allow lan to Wan rule.

Derelict

Don't forget to clear states if you're going to immediately test after making changes like this.

mskenderian

yes i did, perfect. thank you both for your help.

phil.davis

@mskenderian:

wow how did i not see that, ok will change it to lan to wan  - Default allow lan to Wan rule.

A rule like "Pass protocol any source LANnet destination WANnet" will not be much use, because you actually want to allow traffic from LANnet to "the big bad public internet", not just traffic to your WANnet.
So you will likely want rules like:

"Pass protocol any source LANnet destination not WLANnet"
"Pass protocol any source WLANnet destination not LANnet"

or some other combination of pass and block rules to achieve a similar effect.