Trying to allow only WAN from homelab net but allow access from my one alias

Started by mkono87, October 20, 2021, 12:57:13 AM

Decided to create a homelab VLAN for the first time, so I'm trying to mess with rules but not understanding why, when I block Homelab net to LAN net, I can't ping the internet? I have an allow rule at the bottom for now and that's how I discovered my issue. Trying my best at understanding rules.

WAN net does not mean "the internet" but just the subnet that the WAN interface is part of.

What you should do is delete rules 1 and 3, and change rule 2 to an allow rule but with the destination inverted, i.e. "!LAN net" (not LAN net).

Quote from: Greelan on October 20, 2021, 02:01:42 AM
WAN net does not mean "the internet" but just the subnet that the WAN interface is part of.

What you should do is delete rules 1 and 3, and change rule 2 to an allow rule but with the destination inverted, i.e. "!LAN net" (not LAN net).

Does that mean everything but lan?

Okay great, I'll give that a shot and see how it goes. The rules sometimes can be so confusing. First time using VLANs.

The key is to look at the rules from the perspective of the firewall - so where is traffic coming in, from where, to where, and where is it going out. 99% of the time you will want rules that apply to traffic coming into an interface.

Have a read of the official docs on the firewall rules and how they are applied, priority etc. Once you understand the fundamentals it is pretty straightforward.

Quote from: Greelan on October 20, 2021, 03:28:13 AM
The key is to look at the rules from the perspective of the firewall - so where is traffic coming in, from where, to where, and where is it going out. 99% of the time you will want rules that apply to traffic coming into an interface.

Have a read of the official docs on the firewall rules and how they are applied, priority etc. Once you understand the fundamentals it is pretty straightforward.
Yes I have been trying to keep that in mind, guess I had the right interface this time, never thought about inverting though. What happens if there is another interface I want to block? The docs will become my bathroom reader over the next few days.

There are various ways to skin a cat. You could have individual block rules for each subnet you want to block and then an allow all rule. Or you could define an alias for the subnets you want to block and use that as the inverted destination in an allow rule. Another useful approach is to create interface groups, which then gives you a "net" alias for all subnets in that group which can be used in firewall rules.
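To make the thread's point concrete, here is an added example (not from the forum or from OPNsense itself) that simulates first-match rule evaluation on the Homelab interface. The subnets, the "INTERNAL_BLOCK" alias and the addresses tested are all constructed for illustration; it shows why "pass to WAN net" never matches an internet host, how the inverted "!LAN net" destination fixes that, and how an alias of several subnets closes the gap once a second internal VLAN exists.

```python
import ipaddress

# Constructed subnets for this example (assumption: not the poster's real addressing).
# "WAN net" is only the ISP-facing subnet, not "the internet".
NETS = {
    "LAN net": ["192.168.1.0/24"],
    "HOMELAB net": ["192.168.50.0/24"],
    "IOT net": ["192.168.60.0/24"],
    "WAN net": ["203.0.113.0/24"],
}
# Alias of every internal subnet the homelab must not reach (the alias approach above).
NETS["INTERNAL_BLOCK"] = NETS["LAN net"] + NETS["IOT net"]

def in_alias(ip, alias):
    """True if ip falls inside any subnet of the named alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in NETS[alias])

def matches(rule, src, dst):
    """rule = (action, source alias, destination alias, invert destination?)."""
    _, src_alias, dst_alias, invert_dst = rule
    dst_ok = in_alias(dst, dst_alias)
    if invert_dst:            # "!LAN net": anything that is NOT in the alias
        dst_ok = not dst_ok
    return in_alias(src, src_alias) and dst_ok

def evaluate(rules, src, dst, default="block"):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    traffic matching no rule hits the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule[0]
    return default

# The original attempt: block to LAN, then allow to "WAN net".
ORIGINAL = [
    ("block", "HOMELAB net", "LAN net", False),
    ("pass", "HOMELAB net", "WAN net", False),
]
# The suggested fix: one allow rule with the destination inverted.
FIXED = [("pass", "HOMELAB net", "LAN net", True)]
# Alias variant: allow everything except the blocked-subnet alias.
ALIAS = [("pass", "HOMELAB net", "INTERNAL_BLOCK", True)]

HOMELAB_HOST, LAN_HOST, IOT_HOST = "192.168.50.10", "192.168.1.20", "192.168.60.5"
INTERNET_HOST = "198.51.100.7"   # documentation-range address standing in for any internet IP

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("alias", ALIAS)):
        print(name, [evaluate(rules, HOMELAB_HOST, d) for d in (INTERNET_HOST, LAN_HOST, IOT_HOST)])
```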