Messages - m11r

#1
General Discussion / Re: Firewall: OPT1<>LAN
October 28, 2023, 10:12:14 AM
... it clicked, thank you very much! Finally it makes sense to me.
#2
General Discussion / Re: Firewall: OPT1<>LAN
October 28, 2023, 09:56:39 AM
Yes, I allow OPT1 to any destination. But where does it say (in LAN): "allow LAN from any destination"? Or am I completely misunderstanding a basic concept?

Both Interfaces just have "allow to any" as the only rule - I'm missing the origin of the "allow from" rule, which I thought would have to be applied.
#3
General Discussion / Re: Firewall: OPT1<>LAN
October 28, 2023, 09:47:29 AM
Thanks! I get that I can create an inverted rule to allow anything but RFC1918. This works as expected.

But why does LAN allow incoming from OPT1? Which rule applies here (specifically on the LAN side)?
Wouldn't it be safer to deny all incoming on LAN than deny outgoing from OPT1?

The GUI says "Everything that is not explicitly passed is blocked by default." - Sorry for my confusion, I don't understand which rule explicitly passes incoming traffic on LAN1...
#4
General Discussion / Firewall: OPT1<>LAN
October 28, 2023, 09:16:07 AM
Hi,

maybe a general question.

Following basic setup, fresh installation:

  • LAN interface, 192.168.1.1/24
  • OPT1 interface, 10.0.0.1/24

Only Firewall Rules on Both:

  • automatically generated rules
  • IPv4+IPv6, source [interface], destination *, action pass
    (Default allow LAN to any rule)

Now a client from LAN can reach any IP from OPT1. But why? Don't I need to create a rule to allow that - e.g. ~"allow all incoming on opt1 from LAN"?


I'm planning to create multiple interfaces (VLANs) for clients, guests, dmz, printers, cameras, ... - what is the way to go for example if I want to block guests to access LAN - create a rule in Guest with LAN as target or create a rule in LAN with Guest as Source? And repeat that for other isolated networks? Or am I missing something?
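A small model of the rule evaluation behind this thread, added here as an example (not code from the forum or from OPNsense itself): rules are applied on the interface a packet enters, first match wins, unmatched traffic is dropped, and a passed connection creates a state that lets the reply back without any rule on the other interface. The GUEST VLAN, its addresses and all rule tables are constructed for the example.

```python
import ipaddress

# Constructed layout matching the post (LAN, OPT1) plus a hypothetical GUEST VLAN.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("10.0.0.0/24"),
    "GUEST": ipaddress.ip_network("10.0.50.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def any_dst(_ip):
    return True

def rfc1918_dst(ip):
    return any(ip in n for n in RFC1918)

# Rules are kept per *ingress* interface: (action, source net name, destination predicate).
RULES = {
    "LAN":   [("pass", "LAN", any_dst)],            # "Default allow LAN to any"
    "OPT1":  [("pass", "OPT1", any_dst)],           # same default rule on OPT1
    "GUEST": [("block", "GUEST", rfc1918_dst),      # keep guests away from private nets,
              ("pass", "GUEST", any_dst)],          # but still let them out to the internet
}

def ingress_iface(src):
    """Interface a packet from `src` arrives on (first network containing it)."""
    ip = ipaddress.ip_address(src)
    for name, net in NETS.items():
        if ip in net:
            return name
    raise ValueError(f"no interface for {src}")

def evaluate(src, dst, states):
    """Decide pass/block for one packet src->dst; `states` is the shared state table."""
    if (src, dst) in states or (dst, src) in states:
        return "pass"                      # established flow: no rule lookup, either direction
    iface = ingress_iface(src)
    sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_name, dst_ok in RULES[iface]:   # first match wins
        if sip in NETS[src_name] and dst_ok(dip):
            if action == "pass":
                states.add((src, dst))     # a pass creates state so the reply is allowed
            return action
    return "block"                         # nothing matched: blocked by default
```

Running it shows a LAN client reaching OPT1 purely through the LAN rule (the reply rides on the state entry), while a guest-to-LAN packet stops at the block rule placed on the Guest interface and the guest is still allowed out to the internet.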