OPNsense
Author Topic: Trying to allow only WAN from homelab net but allow access from my one alias  (Read 2771 times)

mkono87

  • Newbie
  • Posts: 36
  • Karma: 0
Trying to allow only WAN from homelab net but allow access from my one alias
« on: October 20, 2021, 12:57:13 am »
Decided to create a homelab VLAN for the first time, so I'm trying to mess with rules but not understanding why, when I block Homelab net to LAN net, I can't ping the internet. I have an allow rule at the bottom for now and that's how I discovered my issue. Trying my best at understanding rules.
Logged

Greelan

  • Hero Member
  • Posts: 1028
  • Karma: 72
Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #1 on: October 20, 2021, 02:01:42 am »
WAN net does not mean “the internet” but just the subnet that the WAN interface is part of.

What you should do is delete rules 1 and 3, and change rule 2 to an allow rule but with the destination inverted, i.e. “!LAN net” (not LAN net).
Logged

mkono87

  • Newbie
  • Posts: 36
  • Karma: 0
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #2 on: October 20, 2021, 03:03:31 am »
Quote from: Greelan on October 20, 2021, 02:01:42 am
WAN net does not mean “the internet” but just the subnet that the WAN interface is part of.

What you should do is delete rules 1 and 3, and change rule 2 to an allow rule but with the destination inverted, i.e. “!LAN net” (not LAN net).

Does that mean everything but LAN?
Logged

Greelan

  • Hero Member
  • Posts: 1028
  • Karma: 72
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #3 on: October 20, 2021, 03:17:46 am »
Correct
Logged

mkono87

  • Newbie
  • Posts: 36
  • Karma: 0
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #4 on: October 20, 2021, 03:25:00 am »
Okay great, I'll give that a shot and see how it goes. The rules sometimes can be so confusing. First time using VLANs.
Logged

Greelan

  • Hero Member
  • Posts: 1028
  • Karma: 72
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #5 on: October 20, 2021, 03:28:13 am »
The key is to look at the rules from the perspective of the firewall - so where is traffic coming in, from where, to where, and where is it going out. 99% of the time you will want rules that apply to traffic coming into an interface.

Have a read of the official docs on the firewall rules and how they are applied, priority etc. Once you understand the fundamentals it is pretty straightforward.
Logged

mkono87

  • Newbie
  • Posts: 36
  • Karma: 0
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #6 on: October 20, 2021, 04:51:57 am »
Quote from: Greelan on October 20, 2021, 03:28:13 am
The key is to look at the rules from the perspective of the firewall - so where is traffic coming in, from where, to where, and where is it going out. 99% of the time you will want rules that apply to traffic coming into an interface.

Have a read of the official docs on the firewall rules and how they are applied, priority etc. Once you understand the fundamentals it is pretty straightforward.

Yes, I have been trying to keep that in mind. Guess I had the right interface this time; never thought about inverting though. What happens if there is another interface I want to block? The docs will become my bathroom reader over the next few days.
Logged

Greelan

  • Hero Member
  • Posts: 1028
  • Karma: 72
Re: Trying to allow only WAN from homelab net but allow access from my one alias
« Reply #7 on: October 20, 2021, 05:27:42 am »
There are various ways to skin a cat. You could have individual block rules for each subnet you want to block and then an allow all rule. Or you could define an alias for the subnets you want to block and use that as the inverted destination in an allow rule. Another useful approach is to create interface groups, which then gives you a “net” alias for all subnets in that group which can be used in firewall rules.
Logged
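The rule semantics discussed in this thread, as an added Python model that is not part of the original posts or of OPNsense itself: first-match evaluation of inbound rules on the homelab interface, with constructed sample subnets, showing why "allow to WAN net" never reaches an internet address while "allow to !LAN net" does, and how an alias of several subnets closes the gap for a second VLAN that Reply #6 asks about. The subnets, the alias name and the guessed "original" rule set are assumptions.

```python
import ipaddress

# Constructed sample topology (assumed; the thread names no addresses)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
HOMELAB_NET = ipaddress.ip_network("192.168.50.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")      # only the ISP-facing subnet
GUEST_NET = ipaddress.ip_network("192.168.20.0/24")   # a second VLAN to block
BLOCKED_ALIAS = [LAN_NET, GUEST_NET]                  # alias of subnets to block


def dest_matches(dest, nets, invert):
    """Destination test of one rule; invert models the '!' (not) checkbox."""
    hit = any(dest in net for net in nets)
    return hit != invert


def evaluate(rules, dest):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    traffic matching no rule falls through to the implicit default deny."""
    dest = ipaddress.ip_address(dest)
    for action, nets, invert in rules:
        if dest_matches(dest, nets, invert):
            return action
    return "block"


# Rules as (action, destination networks, destination inverted), all on the
# homelab interface, direction in.  ORIGINAL is a constructed guess at the
# first post's rules; the other two follow the replies in the thread.
ORIGINAL = [("block", [LAN_NET], False), ("pass", [WAN_NET], False)]
FIXED = [("pass", [LAN_NET], True)]            # single rule: pass to !LAN net
WITH_ALIAS = [("pass", BLOCKED_ALIAS, True)]   # pass to !<alias>

if __name__ == "__main__":
    sets = (("original", ORIGINAL), ("fixed", FIXED), ("alias", WITH_ALIAS))
    for name, rules in sets:
        for dest in ("1.1.1.1", "192.168.1.10", "192.168.20.3", "203.0.113.5"):
            print(f"{name:8} -> {dest:14} {evaluate(rules, dest)}")
```

Note that with the single "!LAN net" rule, traffic to the guest VLAN is still passed; only the alias (or an interface group) blocks it.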
