Need help with a Rule

  • I am trying to restrict access to anything beyond the LAN interface for a group of clients. However, when I create a LAN rule that denies network access from LAN to WAN for all protocols, the hosts in the group also lose the ability to ping the LAN interface. Since that interface is also the default gateway for these hosts, that is somewhat of a problem.

    What am I doing wrong and how can I fix that?

  • Firewall rules are processed in the order you see them, and as soon as one rule matches no further rules are used. You can insert a rule just prior to your deny rule that allows ping to the LAN interface. The rule would look something like this:

    IPv4 ICMP LAN net * LAN Address * * none   Allow all LAN devices to ping LAN interface
    << your deny rule here >>

    Ping from the LAN network to the LAN interface would succeed based on the first rule; all other protocols from your subset of users would then be blocked.
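To make the first-match behaviour concrete, here is an added example (not from either post above) that models a pfSense-style LAN rule list and evaluates sample packets against it in order. The addresses are assumptions: the LAN net is 192.168.1.0/24, "LAN Address" is 192.168.1.1, and the restricted group is an alias of two hosts. It shows the same deny rule producing different results for a ping to the gateway depending only on whether the ICMP allow rule sits above or below it.

```python
"""First-match evaluation of a pfSense-style LAN rule list (added example).

Constructed setup, not taken from the original thread:
  LAN net      192.168.1.0/24   ("LAN net" in the GUI)
  LAN Address  192.168.1.1      ("LAN Address" in the GUI, the hosts' gateway)
  Restricted   192.168.1.50, .51 (assumed alias for the group of clients)
The evaluator stops at the first rule whose protocol, source and destination
all match, which is exactly why rule order decides whether ping works.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
RESTRICTED = [ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")]


@dataclass
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "icmp", "tcp", "udp" or "any"
    src: object          # IPv4Network, IPv4Address, list of addresses, or "any"
    dst: object
    description: str = ""


def _match_addr(spec, addr):
    """Does an address match a rule's source/destination specification?"""
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    if isinstance(spec, ipaddress.IPv4Address):
        return addr == spec
    return addr in spec          # alias: a list of addresses


def evaluate(rules, proto, src, dst):
    """Return (action, description) of the first matching rule.

    When nothing matches, pf's implicit default is to block.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not _match_addr(r.src, src) or not _match_addr(r.dst, dst):
            continue
        return r.action, r.description
    return "block", "implicit default deny"


# The rules from the answer: the ICMP allow and the group's deny rule, followed
# by the usual permissive LAN rule for everyone else.
ALLOW_PING_GW = Rule("pass", "icmp", LAN_NET, LAN_ADDRESS,
                     "Allow all LAN devices to ping LAN interface")
DENY_GROUP = Rule("block", "any", RESTRICTED, "any",
                  "Restricted group: no access beyond LAN")
DEFAULT_LAN = Rule("pass", "any", LAN_NET, "any", "Default allow LAN to any rule")

BROKEN_ORDER = [DENY_GROUP, ALLOW_PING_GW, DEFAULT_LAN]   # deny shadows the allow
FIXED_ORDER = [ALLOW_PING_GW, DENY_GROUP, DEFAULT_LAN]    # allow evaluated first


def check_ruleset(rules):
    """Evaluate three representative packets (constructed) against a rule list."""
    return {
        "restricted ping gateway": evaluate(rules, "icmp", "192.168.1.50", "192.168.1.1")[0],
        "restricted tcp to wan": evaluate(rules, "tcp", "192.168.1.50", "203.0.113.10")[0],
        "unrestricted tcp to wan": evaluate(rules, "tcp", "192.168.1.20", "203.0.113.10")[0],
    }


if __name__ == "__main__":
    for name, rules in (("broken order", BROKEN_ORDER), ("fixed order", FIXED_ORDER)):
        print(name, check_ruleset(rules))
```

With the deny rule first, the restricted host's ping to 192.168.1.1 hits the block rule and never reaches the ICMP allow; with the allow rule first, the ping passes while the same host's TCP traffic to a WAN address is still blocked. Note that a deny rule whose destination is "any" also catches other traffic the hosts send to the firewall's own address, such as DNS or NTP if the firewall serves them; those need their own pass rules placed above the deny in the same way.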

